dnsmasq might be vulnerable to recent DNS spoofing issue

Bug #247598 reported by Thierry Carrez
Affects             Status         Importance   Assigned to   Milestone
dnsmasq (Debian)    Fix Released   Unknown
dnsmasq (Ubuntu)    Fix Released   Undecided    Unassigned
  Dapper            Won't Fix      Undecided    Unassigned
  Feisty            Won't Fix      Undecided    Unassigned
  Gutsy             Won't Fix      Undecided    Unassigned
  Hardy             Fix Released   Undecided    Unassigned

Bug Description

Binary package hint: dnsmasq

We received the following information from Simon Kelley (dnsmasq developer):

-------------
You've probably noticed the great publicity over the latest putative DNS exploit.

http://www.kb.cert.org/vuls/id/800113

CERT is sure that dnsmasq is vulnerable, so I've released version 2.43, which adds query port randomisation and a better random number generator. I'm assured this is enough to close the hole (the exact nature of which is not known to me).

I'm not sure what Ubuntu's procedures are for stable security updates, but a backport to 2.41 in Hardy should be no problem. (Debian security have done it back to 2.35 in Etch.)

I'm attaching a diff giving the changes related to this in 2.43. This is marginally out-of-date: once applied, edit the new function random_sock() to call fix_fd() on the socket file descriptor. Check the released 2.43 code for details.
-------------

It's difficult to assess whether dnsmasq is really vulnerable without more knowledge of the vulnerability (the only info I have is that dnsmasq doesn't recurse, and Dan said "if it recurses, patch it"), but better safe than sorry, I suppose.
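For readers unfamiliar with what the 2.43 change does: the mitigation is that each outgoing query is sent from a freshly chosen, unpredictable UDP source port, so a forged reply must match both the 16-bit transaction ID and the port. The following is an added illustration of that idea in C; it is not dnsmasq's code and not the attached patch, and the function names (random_port, fix_fd, random_query_socket) and the port-selection policy are assumptions.

```c
/* Added example, not dnsmasq's own code or the attached patch: a UDP query
 * socket on a randomly chosen source port, then the fix_fd()-style flags. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
/* Draw the port from the kernel CSPRNG rather than rand(): a predictable
 * generator would give back the entropy that randomisation adds. */
static int random_port(void)
{
    unsigned short v;
    int rfd = open("/dev/urandom", O_RDONLY);
    if (rfd < 0) return -1;
    ssize_t n = read(rfd, &v, sizeof v);
    close(rfd);
    return n == (ssize_t)sizeof v ? 1024 + (v % 64512) : -1; /* skip privileged ports */
}
/* The fix_fd() step mentioned above (assumed): non-blocking and close-on-exec. */
static int fix_fd(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) < 0) return -1;
    return fcntl(fd, F_SETFD, FD_CLOEXEC);
}
/* Create a UDP socket on a random port, retrying only while the port is
 * already taken. Returns the fd (or -1) and stores the port in *port_out. */
int random_query_socket(int *port_out)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    for (int tries = 0; tries < 20; tries++) {
        int p = random_port();
        if (p < 0) break;
        sa.sin_port = htons((unsigned short)p);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
            if (fix_fd(fd) < 0) break;
            *port_out = p;
            return fd;
        }
        if (errno != EADDRINUSE) break;
    }
    close(fd);
    return -1;
}
```

A resolver built this way opens a new socket per query (or per batch), so the port seen by the upstream server changes from one query to the next.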

CVE References

Thierry Carrez (ttx) wrote :
Changed in dnsmasq:
status: Unknown → Fix Released
Thierry Carrez (ttx) wrote :

Debdiff for the security update in hardy

This is based on Simon's patch but applied over 2.41 (minus the version change in config.h, plus the fix_fd call in network.c). Not heavily tested.

Thierry Carrez (ttx) wrote :

Merge from latest Debian unstable version, for fixing this in intrepid.
Remaining changes:
- TearDown spec recommendations in debian/postinst and debian/init
- debian/control: Updated maintainer to match DebianMaintainerField

Thierry Carrez (ttx) wrote :

The same without the merge-o-matic whack-my-changelog-whitespaces feature

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dnsmasq - 2.43-1ubuntu1

---------------
dnsmasq (2.43-1ubuntu1) intrepid; urgency=low

  * Merge from debian unstable (LP: #247598), remaining changes:
     - TearDown spec recommendations in debian/postinst and debian/init
     - debian/control: Updated maintainer to match DebianMaintainerField

dnsmasq (2.43-1) unstable; urgency=high

   * New upstream.
   * Implement source-port randomisation and better random
     number generator as defence against CVE-2008-1447 (closes: #490123)

 -- Thierry Carrez <email address hidden> Mon, 14 Jul 2008 12:48:30 -0400

Changed in dnsmasq:
status: New → Fix Released
Thierry Carrez (ttx) wrote :

New debdiff with an additional check recommended by upstream:
"In the function nl_routechange() at the end of src/netlink.c, a check needs to be added to ensure that daemon->srv_save->sfd is non-NULL. This avoids a segfault. If it is NULL, just returning from the function is fine."

I checked that the resulting dnsmasq build still works as a DHCP and DNS cache, and the extra patch looks non-disruptive; you should nevertheless double-check it.

Changed in dnsmasq:
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :
Changed in dnsmasq:
status: In Progress → Fix Released
Daniel T Chen (crimsun)
Changed in dnsmasq:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in dnsmasq:
status: Confirmed → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18-month support period for Gutsy Gibbon 7.10 has reached its end of life (http://www.ubuntu.com/news/ubuntu-7.10-eol). As a result, we are closing the Gutsy task.

Changed in dnsmasq (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Since the package referred to in this bug is in universe or multiverse, it is community maintained. It is clear that Ubuntu 6.06 is not going to get an update for this almost 3-year-old bug, so I am marking the task as "Won't Fix". Please feel free to reopen if you would like to post a debdiff to fix the bug. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in dnsmasq (Ubuntu Dapper):
status: Confirmed → Won't Fix