diff -u dnsmasq-2.68/debian/changelog dnsmasq-2.68/debian/changelog
--- dnsmasq-2.68/debian/changelog
+++ dnsmasq-2.68/debian/changelog
@@ -1,3 +1,21 @@
+dnsmasq (2.68-1ubuntu0.1ppa1) trusty; urgency=medium
+
+ * Cherry-pick from 2.73:
+ - Correctly sanitise DNS header bits in answer when recreating query for
+ retry.
+
+ -- Colin Watson Mon, 08 Feb 2016 15:46:48 +0000
+
+dnsmasq (2.68-1ubuntu0.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service and memory disclosure via malformed
+ DNS requests
+ - src/rfc1035.c: properly handle skip_questions return value.
+ - ad4a8ff7d9097008d7623df8543df435bfddeac8
+ - CVE-2015-3294
+
+ -- Marc Deslauriers Fri, 01 May 2015 10:37:08 -0400
+
 dnsmasq (2.68-1) unstable; urgency=low
 * New upstream. (closes: #730553)
diff -u dnsmasq-2.68/debian/control dnsmasq-2.68/debian/control
--- dnsmasq-2.68/debian/control
+++ dnsmasq-2.68/debian/control
@@ -2,7 +2,8 @@
 Section: net
 Priority: optional
 Build-depends: gettext, libnetfilter-conntrack-dev [linux-any], libidn11-dev, libdbus-1-dev (>=0.61)
-Maintainer: Simon Kelley
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Simon Kelley
 Standards-Version: 3.9.3
 Package: dnsmasq
only in patch2:
unchanged:
--- dnsmasq-2.68.orig/src/dns-protocol.h
+++ dnsmasq-2.68/src/dns-protocol.h
@@ -66,15 +66,15 @@
 u16 qdcount,ancount,nscount,arcount;
 };
-#define HB3_QR 0x80
+#define HB3_QR 0x80 /* Query */
 #define HB3_OPCODE 0x78
-#define HB3_AA 0x04
-#define HB3_TC 0x02
-#define HB3_RD 0x01
+#define HB3_AA 0x04 /* Authoritative Answer */
+#define HB3_TC 0x02 /* TrunCated */
+#define HB3_RD 0x01 /* Recursion Desired */
-#define HB4_RA 0x80
-#define HB4_AD 0x20
-#define HB4_CD 0x10
+#define HB4_RA 0x80 /* Recursion Available */
+#define HB4_AD 0x20 /* Authenticated Data */
+#define HB4_CD 0x10 /* Checking Disabled */
 #define HB4_RCODE 0x0f
 #define OPCODE(x) (((x)->hb3 & HB3_OPCODE) >> 3)
only in patch2:
unchanged:
--- dnsmasq-2.68.orig/src/forward.c
+++ dnsmasq-2.68/src/forward.c
@@ -613,7 +613,8 @@
 header->arcount = htons(0);
 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
 {
- header->hb3 &= ~(HB3_QR | HB3_TC);
+ header->hb3 &= ~(HB3_QR | HB3_AA | HB3_TC);
+ header->hb4 &= ~(HB4_RA | HB4_RCODE);
 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
 return;
 }
only in patch2:
unchanged:
--- dnsmasq-2.68.orig/src/rfc1035.c
+++ dnsmasq-2.68/src/rfc1035.c
@@ -1172,7 +1172,10 @@
 size_t setup_reply(struct dns_header *header, size_t qlen,
 struct all_addr *addrp, unsigned int flags, unsigned long ttl)
 {
- unsigned char *p = skip_questions(header, qlen);
+ unsigned char *p;
+
+ if (!(p = skip_questions(header, qlen)))
+ return 0;
 /* clear authoritative and truncated flags, set QR flag */
 header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
@@ -1188,7 +1191,7 @@
 SET_RCODE(header, NOERROR); /* empty domain */
 else if (flags == F_NXDOMAIN)
 SET_RCODE(header, NXDOMAIN);
- else if (p && flags == F_IPV4)
+ else if (flags == F_IPV4)
 { /* we know the address */
 SET_RCODE(header, NOERROR);
 header->ancount = htons(1);
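Review bot: The comment added to `HB3_QR` in the dns-protocol.h hunk, `/* Query */`, reads as if a set bit marks a query, whereas in the DNS header QR is 0 for a query and 1 for a response; the forward.c hunk in this same patch clears the bit to turn a reply back into a query. I would write `#define HB3_QR 0x80 /* Query (0) / Response (1) */` so that nobody tests or masks the bit with the sense inverted. The other added comments match the header field names.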
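Review bot: In the forward.c hunk the retry query is built in place from the upstream reply, and after the two masks `HB4_AD` and the reserved 0x40 bit of hb4 still hold whatever the upstream server put there. Everything in that buffer came from the network, so any header bit not reset here is sent back out in the new query; consider `header->hb4 &= ~(HB4_RA | HB4_AD | HB4_RCODE);` unless forward_query, which is not visible in this hunk, is known to rewrite those bits. A one-line comment above the masks, `/* reply buffer is reused as a query: strip response-only header bits */`, would record why the list has to be complete. The enclosing function starts and ends outside the hunk.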
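Review bot: In the first rfc1035.c hunk setup_reply gains a new outcome, `return 0;` when skip_questions() fails, and nothing at the definition tells a caller what 0 means. I would add above the function `/* Returns 0, leaving the header untouched, if the question section cannot be parsed; callers must treat 0 as "no reply". */`. The callers are outside this diff, so whether each of them checks for a zero length before sending needs confirming. The two later hunks that drop `p &&` from the F_IPV4 and F_IPV6 branches rely on this early return, and the function body continues past the hunk.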
@@ -1196,7 +1199,7 @@
 add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
 }
 #ifdef HAVE_IPV6
- else if (p && flags == F_IPV6)
+ else if (flags == F_IPV6)
 {
 SET_RCODE(header, NOERROR);
 header->ancount = htons(1);