GNU bug report logs - #47674
dnsmasq is vulnerable to CVE-2021-3448

Previous Next

Package: guix;

Reported by: Nicolò Balzarotti <anothersms <at> gmail.com>

Date: Fri, 9 Apr 2021 15:11:01 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47674 in the body.
You can then email your comments to 47674 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Fri, 09 Apr 2021 15:11:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolò Balzarotti <anothersms <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 09 Apr 2021 15:11:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Nicolò Balzarotti <anothersms <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 09 Apr 2021 17:10:43 +0200
[Message part 1 (text/plain, inline)]
CVE-2021-3448

A flaw was found in dnsmasq in versions before 2.85. When configured to
use a specific server for a given network interface, dnsmasq uses a
fixed port while forwarding queries. An attacker on the network, able to
find the outgoing port used by dnsmasq, only needs to guess the random
transmission ID to forge a reply and get it accepted by dnsmasq. This
flaw makes a DNS Cache Poisoning attack much easier. The highest threat
from this vulnerability is to data integrity.

guix ships dnsmasq <at> 2.84. guix refresh shows version 2.85 is available,
and there are 43 dependent packages so this can go directly to master.

All dependent packages (refresh -l) build fine except for
python2-libvirt <at> 7.2.0, which is failing also on master
(libvirt-python requires Python >= 3.5 to build).  Since it's a python2
package and no other packages depends on it, can we just drop it?

Thanks, Nicolò

[0001-gnu-dnsmasq-Update-to-2.85.patch (text/x-patch, attachment)]

Added tag(s) security. Request was from Nicolò Balzarotti <anothersms <at> gmail.com> to control <at> debbugs.gnu.org. (Fri, 09 Apr 2021 15:13:01 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Fri, 09 Apr 2021 19:34:01 GMT) Full text and rfc822 format available.

Message #10 received at 47674 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Nicolò Balzarotti <anothersms <at> gmail.com>
Cc: 47674 <at> debbugs.gnu.org
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 9 Apr 2021 15:33:22 -0400
[Message part 1 (text/plain, inline)]
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
> 
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
> 
> guix ships dnsmasq <at> 2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
> 
> All dependent packages (refresh -l) build fine except for
> python2-libvirt <at> 7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
> package and no other packages depends on it, can we just drop it?

Yes, sounds good.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Fri, 09 Apr 2021 19:35:02 GMT) Full text and rfc822 format available.

Notification sent to Nicolò Balzarotti <anothersms <at> gmail.com>:
bug acknowledged by developer. (Fri, 09 Apr 2021 19:35:02 GMT) Full text and rfc822 format available.

Message #15 received at 47674-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Nicolò Balzarotti <anothersms <at> gmail.com>
Cc: 47674-done <at> debbugs.gnu.org
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 9 Apr 2021 15:34:34 -0400
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
> From: nixo <nicolo <at> nixo.xyz>
> Date: Fri, 9 Apr 2021 16:19:03 +0200
> Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
> 
> * gnu/packages/dns.scm (dnsmasq): Update to 2.85.

Looks like this change was already done with commit
c8d809f9a49c2b4ec5500c2685e96168dcd9afa9




Information forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Fri, 09 Apr 2021 19:39:02 GMT) Full text and rfc822 format available.

Message #18 received at 47674 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Nicolò Balzarotti <anothersms <at> gmail.com>
Cc: 47674 <at> debbugs.gnu.org
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 9 Apr 2021 15:38:05 -0400
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt <at> 7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
> package and no other packages depends on it, can we just drop it?

I notice that python2-libvirt builds okay on staging:

https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835




Information forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Fri, 09 Apr 2021 19:48:01 GMT) Full text and rfc822 format available.

Message #21 received at 47674 <at> debbugs.gnu.org (full text, mbox):

From: Nicolò Balzarotti <anothersms <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 47674 <at> debbugs.gnu.org
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 09 Apr 2021 21:47:13 +0200
Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt <at> 7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
>> package and no other packages depends on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835

Staging has an older version (5.8 vs 7.2, which has been released in
november 2019 [fn:1] though), and it got updated a few days ago
(28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
fail on staging too.  Am I wrong?


[fn:1] https://pypi.org/project/libvirt-python/#history




Information forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Fri, 09 Apr 2021 20:08:01 GMT) Full text and rfc822 format available.

Message #24 received at 47674 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Nicolò Balzarotti <anothersms <at> gmail.com>
Cc: 47674 <at> debbugs.gnu.org
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 9 Apr 2021 16:07:07 -0400
On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> november 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too.  Am I wrong?

Ah, could be. The new staging builds haven't been performed yet.




Information forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Sat, 10 Apr 2021 21:40:01 GMT) Full text and rfc822 format available.

Message #27 received at 47674 <at> debbugs.gnu.org (full text, mbox):

From: Nicolò Balzarotti <anothersms <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 47674 <at> debbugs.gnu.org
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Sat, 10 Apr 2021 23:39:37 +0200
Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> november 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too.  Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Failed both i686 and x86_64 on staging




Information forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Sat, 10 Apr 2021 22:06:01 GMT) Full text and rfc822 format available.

Message #30 received at 47674 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Nicolò Balzarotti <anothersms <at> gmail.com>
Cc: 47674 <at> debbugs.gnu.org
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Sat, 10 Apr 2021 18:05:06 -0400
On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > november 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too.  Am I wrong?
> 
> Ah, could be. The new staging builds haven't been performed yet.

Thanks for following up. Sure, I think it's fine to remove a package
if it does not build and has no dependents.




Information forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Sat, 10 Apr 2021 22:28:01 GMT) Full text and rfc822 format available.

Message #33 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Nicolò Balzarotti <anothersms <at> gmail.com>
Cc: bug-guix <at> gnu.org, 47674 <at> debbugs.gnu.org
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Sun, 11 Apr 2021 00:27:47 +0200
[Message part 1 (text/plain, inline)]
Nicolò,

Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.

I see you managed to aim this beautifully between me searching the 
issue tracker for ‘dnsmasq’ and me actually pushing an update, so 
well done I guess.

(Also: sorry for the duplicated effort, and thanks for keeping an 
eye on the securities. :-)

Kind regards,

T G-R
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#47674; Package guix. (Sat, 10 Apr 2021 22:28:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 09 May 2021 11:24:08 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 324 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.