Date: Sun, 3 Apr 2022 11:26:44 GMT
Message-Id: <202204031126.233BQiO4072827@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Matthias Andree
Subject: git: 4134e7699792 - 2022Q2 - dns/dnsmasq-devel: fix CVE-2022-0934 DHCPv6 vuln
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/2022Q2
X-Git-Commit: 4134e76997927031dbc50de849ca8abe13fff22c

The branch 2022Q2 has been updated by mandree: URL: 
https://cgit.FreeBSD.org/ports/commit/?id=4134e76997927031dbc50de849ca8abe13fff22c commit 4134e76997927031dbc50de849ca8abe13fff22c Author: Matthias Andree AuthorDate: 2022-04-03 11:12:30 +0000 Commit: Matthias Andree CommitDate: 2022-04-03 11:26:40 +0000 dns/dnsmasq-devel: fix CVE-2022-0934 DHCPv6 vuln Security: 3f321a5a-b33b-11ec-80c2-1bb2c6a00592 Security: CVE-2022-0934 MFH: 2022Q2 (cherry picked from commit 9e9b4f9da908464b4e995a39755b94869aaf0ecc) --- dns/dnsmasq-devel/Makefile | 2 +- dns/dnsmasq-devel/files/patch-CVE-2022-0934 | 175 ++++++++++++++++++++++++++++ 2 files changed, 176 insertions(+), 1 deletion(-) diff --git a/dns/dnsmasq-devel/Makefile b/dns/dnsmasq-devel/Makefile index 800a000c2274..c0762595e608 100644 --- a/dns/dnsmasq-devel/Makefile +++ b/dns/dnsmasq-devel/Makefile @@ -3,7 +3,7 @@ PORTNAME= dnsmasq DISTVERSION= 2.87test8 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps: -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 4 # attn - different between -devel and dnsmasq ports! CATEGORIES= dns #MASTER_SITES= https://www.thekelleys.org.uk/dnsmasq/release-candidates/ \ diff --git a/dns/dnsmasq-devel/files/patch-CVE-2022-0934 b/dns/dnsmasq-devel/files/patch-CVE-2022-0934 new file mode 100644 index 000000000000..c063e15b2e34 --- /dev/null +++ b/dns/dnsmasq-devel/files/patch-CVE-2022-0934 
@@ -0,0 +1,175 @@ +From dcc62a514092c8afeab4e502db9e65f03c2e1d47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 22 Feb 2022 00:45:01 +0100 +Subject: [PATCH] Change message type by dedicated function + +Long-term pointer to beginning of message does not work well. I case +outpacket is reallocated in any new_opt6() section, original outmsgtypep +pointer becomes invalid. Instead of using that pointer use dedicated +function, which will change just the first byte of the message. + +This makes sure correct beginning of packet is always used. +--- + src/dnsmasq.h | 1 + + src/outpacket.c | 11 +++++++++++ + src/rfc3315.c | 29 ++++++++++++++--------------- + 3 files changed, 26 insertions(+), 15 deletions(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 51a1aa6..c1c75c1 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1736,6 +1736,7 @@ void put_opt6_long(unsigned int val); + void put_opt6_short(unsigned int val); + void put_opt6_char(unsigned int val); + void put_opt6_string(char *s); ++void put_msgtype6(unsigned int val); + #endif + + /* radv.c */ +diff --git a/src/outpacket.c b/src/outpacket.c +index abb3a3a..f322811 100644 +--- a/src/outpacket.c ++++ b/src/outpacket.c +@@ -115,4 +115,15 @@ void put_opt6_string(char *s) + put_opt6(s, strlen(s)); + } + ++void put_msgtype6(unsigned int val) ++{ ++ if (outpacket_counter == 0) ++ put_opt6_char(val); ++ else ++ { ++ unsigned char *p = daemon->outpacket.iov_base; ++ *p = val; ++ } ++} ++ + #endif +diff --git a/src/rfc3315.c b/src/rfc3315.c +index cee8382..baeb51e 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -110,7 +110,6 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + void *end = inbuff + sz; + void *opts = inbuff + 34; + int msg_type = *((unsigned char *)inbuff); +- unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; + +@@ -192,9 +191,9 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 0; 
+ + /* copy header stuff into reply message and set type to reply */ +- if (!(outmsgtypep = put_opt6(inbuff, 34))) ++ if (!put_opt6(inbuff, 34)) + return 0; +- *outmsgtypep = DHCP6RELAYREPL; ++ put_msgtype6(DHCP6RELAYREPL); + + /* look for relay options and set tags if found. */ + for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next) +@@ -267,7 +266,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char *xid; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -297,10 +296,10 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + state->tags = &v6_id; + + /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ if (!(xid = put_opt6(inbuff, 4))) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; ++ state->xid = xid[3] | xid[2] << 8 | xid[1] << 16; + + /* We're going to be linking tags from all context we use. 
+ mark them as unused so we don't link one twice and break the list */ +@@ -347,7 +346,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +618,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ put_msgtype6(DHCP6ADVERTISE); + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +808,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -924,7 +923,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int address_assigned = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL); + +@@ -1057,7 +1056,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1121,7 +1120,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? 
_("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + tagif = add_options(state, 1); + break; + } +@@ -1130,7 +1129,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1195,7 +1194,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ put_msgtype6(DHCP6REPLY); + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +-- +2.34.1 +
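Review bot: put_msgtype6() in the src/outpacket.c hunk carries no comment explaining why it re-reads daemon->outpacket.iov_base on every call, and that is the whole point of the fix. A short comment above the function saying that pointers into the out-packet must not be held across put_opt6()/new_opt6() calls, because the buffer can be reallocated, would keep a later change from reintroducing a cached pointer. Two smaller points in the same function: it returns void and calls put_opt6_char(), which dnsmasq.h also declares void, so in the outpacket_counter == 0 branch the caller cannot tell whether the type byte was actually written; and "*p = val;" narrows unsigned int to unsigned char implicitly, which an explicit cast would make visible.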
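Review bot: In the dhcp6_no_relay() hunk at -297 of src/rfc3315.c, the comment above "if (!(xid = put_opt6(inbuff, 4)))" still reads "copy over transaction-id, and save pointer to message type", which no longer matches the code: the pointer is now xid and is only used to read the three transaction-id bytes. Please update the comment. Also note that xid is still a function-scope pointer into the same out-packet buffer, so it has the same lifetime hazard as the removed outmsgtypep if anyone uses it after a later new_opt6(); since put_opt6(inbuff, 4) copies those bytes from inbuff, state->xid could be computed from inbuff directly and the put_opt6() result only tested for NULL, as the dhcp6_maybe_relay() hunk already does.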