Diffstat (limited to 'meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch')
-rw-r--r-- | meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch | 175 |
1 files changed, 175 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
new file mode 100644
index 0000000000..302c42ccca
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch
@@ -0,0 +1,175 @@
+From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 25 Nov 2020 17:18:55 +0100
+Subject: [PATCH] Support hash function from nettle (only)
+
+Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from
+nettle, but keep DNSSEC disabled at build time. Skips use of internal
+hash implementation without support for validation built-in.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ Makefile | 8 +++++---
+ bld/pkg-wrapper | 41 ++++++++++++++++++++++-------------------
+ src/config.h | 8 ++++++++
+ src/crypto.c | 7 +++++++
+ src/dnsmasq.h | 2 +-
+ src/hash_questions.c | 2 +-
+ 6 files changed, 44 insertions(+), 24 deletions(-)
+
+CVE: CVE-2020-25685
+Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b]
+Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile
+
+Index: dnsmasq-2.81/Makefile
+===================================================================
+--- dnsmasq-2.81.orig/Makefile
++++ dnsmasq-2.81/Makefile
+@@ -53,7 +53,7 @@ top?=$(CURDIR)
+ 
+ dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1`
+ dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1`
+-ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus`
++ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'`
+ idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn`
+ idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn`
+ idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
+@@ -62,8 +62,10 @@ ct_cflags = `echo $(COPTS) | $(top)/
+ ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
+ lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua`
+ lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua`
+-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
+-nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
++nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \
++ HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
++nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \
++ HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
+ gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
+ sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
+ version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
+Index: dnsmasq-2.81/bld/pkg-wrapper
+===================================================================
+--- dnsmasq-2.81.orig/bld/pkg-wrapper
++++ dnsmasq-2.81/bld/pkg-wrapper
+@@ -1,35 +1,37 @@
+ #!/bin/sh
+ 
+-search=$1
+-shift
+-pkg=$1
+-shift
+-op=$1
+-shift
+-
+ in=`cat`
+ 
+-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
+- echo $in | grep $search >/dev/null 2>&1; then
++search()
++{
++ grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \
++ echo $in | grep $1 >/dev/null 2>&1
++}
++
++while [ "$#" -gt 0 ]; do
++ search=$1
++ pkg=$2
++ op=$3
++ lib=$4
++ shift 4
++if search "$search"; then
++
+ # Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP
+ if [ $op = "--copy" ]; then
+ if [ -z "$pkg" ]; then
+- pkg="$*"
+- elif grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
+- echo $in | grep $pkg >/dev/null 2>&1; then
++ pkg="$lib"
++ elif search "$pkg"; then
+ pkg=""
+ else
+- pkg="$*"
++ pkg="$lib"
+ fi
+- elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+- pkg=`$pkg --static $op $*`
++ elif search "${search}_STATIC"; then
++ pkg=`$pkg --static $op $lib`
+ else
+- pkg=`$pkg $op $*`
++ pkg=`$pkg $op $lib`
+ fi
+ 
+- if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
++ if search "${search}_STATIC"; then
+ if [ $op = "--libs" ] || [ $op = "--copy" ]; then
+ echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
+ else
+@@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:]
+ fi
+ fi
+ 
++done
+Index: dnsmasq-2.81/src/config.h
+===================================================================
+--- dnsmasq-2.81.orig/src/config.h
++++ dnsmasq-2.81/src/config.h
+@@ -118,6 +118,9 @@ HAVE_AUTH
+ define this to include the facility to act as an authoritative DNS
+ server for one or more zones.
+ 
++HAVE_NETTLEHASH
++ include just hash function from nettle, but no DNSSEC.
++
+ HAVE_DNSSEC
+ include DNSSEC validator.
+ 
+@@ -185,6 +188,7 @@ RESOLVFILE
+ /* #define HAVE_IDN */
+ /* #define HAVE_LIBIDN2 */
+ /* #define HAVE_CONNTRACK */
++/* #define HAVE_NETTLEHASH */
+ /* #define HAVE_DNSSEC */
+ 
+ 
+@@ -418,6 +422,10 @@ static char *compile_opts =
+ "no-"
+ #endif
+ "auth "
++#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
++"no-"
++#endif
++"nettlehash "
+ #ifndef HAVE_DNSSEC
+ "no-"
+ #endif
+Index: dnsmasq-2.81/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.81.orig/src/dnsmasq.h
++++ dnsmasq-2.81/src/dnsmasq.h
+@@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head
+ # include <nettle/nettle-meta.h>
+ #endif
+ 
++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
++# include <nettle/nettle-meta.h>
++#endif
+ /* daemon is function in the C library.... */
+ #define daemon dnsmasq_daemon
+ 
+Index: dnsmasq-2.81/src/hash_questions.c
+===================================================================
+--- dnsmasq-2.81.orig/src/hash_questions.c
++++ dnsmasq-2.81/src/hash_questions.c
+@@ -28,7 +28,7 @@
+ 
+ #include "dnsmasq.h"
+ 
+-#ifdef HAVE_DNSSEC
++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+ unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
+ {
+ int q; |
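Review bot: The embedded diffstat lists `src/crypto.c | 7 +++++++`, but no crypto.c hunk appears anywhere in the 175-line patch body, while the hash_questions.c hunk is widened to `#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)`. If the nettle hash helpers in crypto.c that hash_questions() presumably relies on are still guarded by HAVE_DNSSEC alone in 2.81, a HAVE_NETTLEHASH-only build — the configuration this backport exists to enable — compiles hash_questions.c but fails at link time, so the SHA-256 mitigation for CVE-2020-25685 would in practice remain tied to DNSSEC being built in. Either carry the missing crypto.c hunk or confirm it is delivered by another patch in the series, and record that in the `Comment:` trailer, which currently mentions only pkg-wrapper and Makefile refreshes. Separately, the dnsmasq.h hunk appends a second `#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)` include of nettle-meta.h after an existing `#endif` instead of widening the existing guard as the upstream diffstat (`2 +-`) indicates; it is harmless under include guards but should be refreshed to match upstream so the backport stays reviewable against the referenced commit.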