From nobody Sun Apr 03 11:16:14 2022 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 3551C1A50F34; Sun, 3 Apr 2022 11:16:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KWWYp6hnrz4tbP; Sun, 3 Apr 2022 11:16:14 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648984575; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TlvX8o2q1Gv6+cIdGBAHSWvKQQ+iNryre/p8F1wo0Yo=; b=ZQORBYJAz0P4ahvSux9N0l+G2AtOqkse/0DfnGI53zaCLU6LAKs9DAQprB+Hpeq0AYYG3n NynOJF7tJNMG6fgJ8Mm1Am5iUQ26Id2/pvMJBS+CM03y9VSdgPpW7H7eDS8CyY620rc/cL Pyp+pypkni6Z1fV7Ur+UxiL90bpao/uQDIQVSQZxk41G+h+AYaClymUkEiHpveuX60ZFdd BJI7rpMGPhmISNrvJfT+xzgdf0dZeOGxUoSfCmXnNr+mly2sJDrMtN9rfk9vnhbiigRCAQ jy/OgMzUXjH2iQzN2yAK7lpXu9kPGT4RUzSJKxogPrgYlZlJ4n1/8oDYX1bUqg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 49A4C1C800; Sun, 3 Apr 2022 11:16:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 233BGEAP059289; Sun, 3 Apr 2022 11:16:14 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 233BGEl6059288; Sun, 3 Apr 2022 11:16:14 GMT (envelope-from git) Date: Sun, 3 Apr 2022 11:16:14 GMT Message-Id: <202204031116.233BGEl6059288@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Matthias Andree Subject: git: 9e9b4f9da908 - main - dns/dnsmasq-devel: fix CVE-2022-0934 DHCPv6 vuln List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mandree X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9e9b4f9da908464b4e995a39755b94869aaf0ecc Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648984575; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=TlvX8o2q1Gv6+cIdGBAHSWvKQQ+iNryre/p8F1wo0Yo=; b=rDkBFoGSj4mg8EvSI02s0wcMvypUK3X0RGSof/m3rZc1g+poOaMDx83c7n4gj0J2j2RIHP pRk+T61+LWuBAVvbaH6iOtyBqE4IWm4YN3biyxBDZ18XSUB1ICcABRJTRLAhY0ZjkSTX3N Y3U5OMDCIOFaY/JVWB2Xvx/EfgQK/PUbmJ2qpv3lgD929nwGpLRpZtkkS4H/ThRPlmHh41 0MIeYyRvPMBLz7mmyib69cnV+ly5zT4x6ouzzRoOJOEyl94+CGerdKtQd8pDRauJi7ibyw kKobB9GiO7eswWZQgAC0uNM0vIHrhCg5dPeOWHmkfelWyn6GaIbWvv3AITV9qg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648984575; a=rsa-sha256; cv=none; b=lulCuIGxHeqljodLrp4fjlXlfON4jJuUy+e1CQKsv/FwoKzZC31kYx1reeuEQFFu8kqAF8 pIE0sZs/sglQYmgE6p41qxoSxVSoJJ6iky9LduVfbHaF6o1IQxoIgv4+zerDfSeQ6WO5EW Xi37YdP3M6ExQNc3+kjWPVyogwsQaO5Te16MR9vfw4NWUOVdPl5+KhnN4Ru3g4EqGfCSk/ fanYWpHVejveDX6R7jcS4xhgo23GvJCSvMFDk+dELkonK+t+DfvxwWXYpArF0b9437CZmA txoMC8tFE8gD4OLRV87dbRK/KZjKQakYeDOahmjC9Af/IauiDvi1jBmj9yr9Mw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=9e9b4f9da908464b4e995a39755b94869aaf0ecc commit 9e9b4f9da908464b4e995a39755b94869aaf0ecc Author: Matthias Andree AuthorDate: 2022-04-03 11:12:30 +0000 Commit: Matthias Andree CommitDate: 2022-04-03 11:15:58 +0000 dns/dnsmasq-devel: fix CVE-2022-0934 DHCPv6 vuln Security: 3f321a5a-b33b-11ec-80c2-1bb2c6a00592 Security: CVE-2022-0934 MFH: 2022Q2 --- dns/dnsmasq-devel/Makefile | 2 +- dns/dnsmasq-devel/files/patch-CVE-2022-0934 | 175 ++++++++++++++++++++++++++++ 2 files changed, 176 insertions(+), 1 deletion(-) diff --git a/dns/dnsmasq-devel/Makefile b/dns/dnsmasq-devel/Makefile index 800a000c2274..c0762595e608 100644 --- a/dns/dnsmasq-devel/Makefile +++ b/dns/dnsmasq-devel/Makefile @@ -3,7 +3,7 @@ PORTNAME= dnsmasq DISTVERSION= 2.87test8 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps: -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 4 # attn - different between -devel and dnsmasq ports! CATEGORIES= dns #MASTER_SITES= https://www.thekelleys.org.uk/dnsmasq/release-candidates/ \ diff --git a/dns/dnsmasq-devel/files/patch-CVE-2022-0934 b/dns/dnsmasq-devel/files/patch-CVE-2022-0934 new file mode 100644 index 000000000000..c063e15b2e34 --- /dev/null +++ b/dns/dnsmasq-devel/files/patch-CVE-2022-0934 @@ -0,0 +1,175 @@ +From dcc62a514092c8afeab4e502db9e65f03c2e1d47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 22 Feb 2022 00:45:01 +0100 +Subject: [PATCH] Change message type by dedicated function + +Long-term pointer to beginning of message does not work well. I case +outpacket is reallocated in any new_opt6() section, original outmsgtypep +pointer becomes invalid. Instead of using that pointer use dedicated +function, which will change just the first byte of the message. + +This makes sure correct beginning of packet is always used. +--- + src/dnsmasq.h | 1 + + src/outpacket.c | 11 +++++++++++ + src/rfc3315.c | 29 ++++++++++++++--------------- + 3 files changed, 26 insertions(+), 15 deletions(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 51a1aa6..c1c75c1 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1736,6 +1736,7 @@ void put_opt6_long(unsigned int val); + void put_opt6_short(unsigned int val); + void put_opt6_char(unsigned int val); + void put_opt6_string(char *s); ++void put_msgtype6(unsigned int val); + #endif + + /* radv.c */ +diff --git a/src/outpacket.c b/src/outpacket.c +index abb3a3a..f322811 100644 +--- a/src/outpacket.c ++++ b/src/outpacket.c +@@ -115,4 +115,15 @@ void put_opt6_string(char *s) + put_opt6(s, strlen(s)); + } + ++void put_msgtype6(unsigned int val) ++{ ++ if (outpacket_counter == 0) ++ put_opt6_char(val); ++ else ++ { ++ unsigned char *p = daemon->outpacket.iov_base; ++ *p = val; ++ } ++} ++ + #endif +diff --git a/src/rfc3315.c b/src/rfc3315.c +index cee8382..baeb51e 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -110,7 +110,6 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + void *end = inbuff + sz; + void *opts = inbuff + 34; + int msg_type = *((unsigned char *)inbuff); +- unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; + +@@ -192,9 +191,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 0; + + /* copy header stuff into reply message and set type to reply */ +- if (!(outmsgtypep = put_opt6(inbuff, 34))) ++ if (!put_opt6(inbuff, 34)) + return 0; +- *outmsgtypep = DHCP6RELAYREPL; ++ put_msgtype6(DHCP6RELAYREPL); + + /* look for relay options and set tags if found. */ + for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next) +@@ -267,7 +266,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char *xid; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -297,10 +296,10 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + state->tags = &v6_id; + + /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ if (!(xid = put_opt6(inbuff, 4))) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; ++ state->xid = xid[3] | xid[2] << 8 | xid[1] << 16; + + /* We're going to be linking tags from all context we use. + mark them as unused so we don't link one twice and break the list */ +@@ -347,7 +346,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +618,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ put_msgtype6(DHCP6ADVERTISE); + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +808,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -924,7 +923,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int address_assigned = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL); + +@@ -1057,7 +1056,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1121,7 +1120,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + tagif = add_options(state, 1); + break; + } +@@ -1130,7 +1129,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1195,7 +1194,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +-- +2.34.1 +