From 3816471496036661b2032d5424d0496231b04ca7 Mon Sep 17 00:00:00 2001 From: Daniel Lang Date: Thu, 4 May 2023 10:33:32 +0200 Subject: [PATCH] package/dnsmasq: fix CVE-2023-28450 Adds the upstream patch that fixes the CVE. No new release so far. Signed-off-by: Daniel Lang Signed-off-by: Peter Korsgaard --- ...default-maximum-dns-udp-package-size.patch | 64 +++++++++++++++++++ package/dnsmasq/dnsmasq.mk | 3 + 2 files changed, 67 insertions(+) create mode 100644 package/dnsmasq/0001-set-default-maximum-dns-udp-package-size.patch diff --git a/package/dnsmasq/0001-set-default-maximum-dns-udp-package-size.patch b/package/dnsmasq/0001-set-default-maximum-dns-udp-package-size.patch new file mode 100644 index 0000000000..4dd17ec069 --- /dev/null +++ b/package/dnsmasq/0001-set-default-maximum-dns-udp-package-size.patch @@ -0,0 +1,64 @@ +From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. +Upstream: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 + +http://www.dnsflagday.net/2020/ refers. + +Thanks to Xiang Li for the prompt. + +[dalang@gmx.at: backport from upstream] +Signed-off-by: Daniel Lang +--- + CHANGELOG | 9 ++++++++ + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 3af20cf..52d8678 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,3 +1,12 @@ version 2.90 ++version 2.90 ++ Set the default maximum DNS UDP packet sice to 1232. This ++ has been the recommended value since 2020 because it's the ++ largest value that avoid fragmentation, and fragmentation ++ is just not reliable on the modern internet, especially ++ for IPv6. It's still possible to override this with ++ --edns-packet-max for special circumstances. ++ ++ + version 2.89 + Fix bug introduced in 2.88 (commit fe91134b) which can result + in corruption of the DNS cache internal data structures and +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 41e2e04..5acb935 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -183,7 +183,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max= + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. + .TP + .B \-Q, --query-port= + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index 1e7b30f..37b374e 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.20.1 diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk index 58c5390433..9c05857f22 100644 --- a/package/dnsmasq/dnsmasq.mk +++ b/package/dnsmasq/dnsmasq.mk @@ -17,6 +17,9 @@ DNSMASQ_LICENSE_FILES = COPYING COPYING-v3 DNSMASQ_CPE_ID_VENDOR = thekelleys DNSMASQ_SELINUX_MODULES = dnsmasq +# 0001-set-default-maximum-dns-udp-package-size.patch +DNSMASQ_IGNORE_CVES += CVE-2023-28450 + DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n) ifneq ($(BR2_PACKAGE_DNSMASQ_DHCP),y)