From 4c70fb8051feca929e243a69c0e89b695794ef08 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sat, 24 Feb 2024 14:03:25 +0100 Subject: dnsmasq: Upgrade 2.89 -> 2.90 Fixes CVE-2023-50387 and CVE-2023-50868 Remove backported CVE patch. Remove patch for lua as hardcoding lua version was removed. Signed-off-by: Peter Marko Signed-off-by: Khem Raj --- .../recipes-support/dnsmasq/dnsmasq/lua.patch | 33 ------ .../recipes-support/dnsmasq/dnsmasq_2.89.bb | 131 --------------------- .../recipes-support/dnsmasq/dnsmasq_2.90.bb | 129 ++++++++++++++++++++ .../dnsmasq/files/CVE-2023-28450.patch | 48 -------- 4 files changed, 129 insertions(+), 212 deletions(-) delete mode 100644 meta-networking/recipes-support/dnsmasq/dnsmasq/lua.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/dnsmasq_2.89.bb create mode 100644 meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2023-28450.patch (limited to 'meta-networking') diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/lua.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/lua.patch deleted file mode 100644 index f8697699ac..0000000000 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq/lua.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From be1b3d2d0f1608cba5efee73d6aac5ad0709041b Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Tue, 9 Sep 2014 10:24:58 -0400
-Subject: [PATCH] Upstream-Status: Inappropriate [OE specific]
-
-Signed-off-by: Christopher Larson
-Signed-off-by: Paul Eggleton
-
----
-Upstream-Status: Pending
-
- Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 73ea23e..ed3eeb9 100644
---- a/Makefile
-+++ b/Makefile
-@@ -60,8 +60,8 @@ idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFI
- idn2_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2`
- ct_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack`
- ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
--lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.2`
--lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.2`
-+lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua`
-+lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua`
- nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \
- HAVE_CRYPTOHASH $(PKG_CONFIG) --cflags nettle \
- HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
-
---
-2.9.5
-
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.89.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.89.bb
deleted file mode 100644
index 684eb44320..0000000000
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.89.bb
+++ /dev/null
@@ -1,131 +0,0 @@
-SUMMARY = "Lightweight, easy to configure DNS forwarder and DHCP server"
-HOMEPAGE = "http://www.thekelleys.org.uk/dnsmasq/doc.html"
-SECTION = "net"
-# GPLv3 was added in version 2.41 as license option
-LICENSE = "GPL-2.0-only | GPL-3.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
- file://COPYING-v3;md5=d32239bcb673463ab874e80d47fae504 \
- "
-
-DEPENDS += "gettext-native"
-
-#at least versions 2.69 and prior are moved to the archive folder on the server
-SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getVar('PV').split('.')[1]) > 69]}dnsmasq-${PV}.tar.gz \
- file://lua.patch \
- file://init \
- file://dnsmasq.conf \
- file://dnsmasq-resolvconf.service \
- file://dnsmasq-noresolvconf.service \
- file://dnsmasq-resolved.conf \
- file://CVE-2023-28450.patch \
-"
-SRC_URI[sha256sum] = "8651373d000cae23776256e83dcaa6723dee72c06a39362700344e0c12c4e7e4"
-
-inherit pkgconfig update-rc.d systemd
-
-INITSCRIPT_NAME = "dnsmasq"
-INITSCRIPT_PARAMS = "defaults"
-
-# dnsmasq defaults
-PACKAGECONFIG ?= "auth dhcp dhcp6 dumpfile inotify ipset loop script tftp"
-
-PACKAGECONFIG[auth] = "-DHAVE_AUTH,-DNO_AUTH"
-PACKAGECONFIG[broken-rtc] = "-DHAVE_BROKEN_RTC,"
-PACKAGECONFIG[conntrack] = "-DHAVE_CONNTRACK,,libnetfilter-conntrack"
-PACKAGECONFIG[dbus] = "-DHAVE_DBUS,,dbus"
-PACKAGECONFIG[dhcp] = "-DHAVE_DHCP,-DNO_DHCP"
-PACKAGECONFIG[dhcp6] = "-DHAVE_DHCP6,-DNO_DHCP6"
-PACKAGECONFIG[dnssec] = "-DHAVE_DNSSEC,,nettle"
-PACKAGECONFIG[dumpfile] = "-DHAVE_DUMPFILE,-DNO_DUMPFILE"
-PACKAGECONFIG[idn] = "-DHAVE_LIBIDN,,libidn,,,idn2"
-PACKAGECONFIG[idn2] = "-DHAVE_LIBIDN2,,libidn2,,,idn"
-PACKAGECONFIG[inotify] = "-DHAVE_INOTIFY,-DNO_INOTIFY"
-PACKAGECONFIG[ipset] = "-DHAVE_IPSET,-DNO_IPSET"
-PACKAGECONFIG[loop] = "-DHAVE_LOOP,-DNO_LOOP"
-PACKAGECONFIG[lua] = "-DHAVE_LUASCRIPT -DHAVE_SCRIPT,,lua"
-PACKAGECONFIG[nftset] = "-DHAVE_NFTSET,,nftables"
-PACKAGECONFIG[no-gmp] = "-DNO_GMP,"
-PACKAGECONFIG[no-id] = "-DNO_ID,"
-PACKAGECONFIG[resolvconf] = ",,,resolvconf"
-PACKAGECONFIG[script] = "-DHAVE_SCRIPT,-DNO_SCRIPT"
-PACKAGECONFIG[tftp] = "-DHAVE_TFTP,-DNO_TFTP"
-PACKAGECONFIG[ubus] = "-DHAVE_UBUS,,ubus"
-
-DNSMASQ_LEASEFILE ?= "${localstatedir}/lib/misc/dnsmasq.leases"
-DNSMASQ_CONFFILE ?= "${sysconfdir}/dnsmasq.conf"
-DNSMASQ_RESOLVFILE ?= "${sysconfdir}/resolv.conf"
-
-COPTS = "${PACKAGECONFIG_CONFARGS} \
- -DLEASEFILE=\"${DNSMASQ_LEASEFILE}\" \
- -DCONFFILE=\"${DNSMASQ_CONFFILE}\" \
- -DRESOLVFILE=\"${DNSMASQ_RESOLVFILE}\" \
- -DLOCALEDIR=\"${localedir}\""
-
-EXTRA_OEMAKE = "\
- 'COPTS=${COPTS}' \
- 'CFLAGS=${CFLAGS}' \
- 'LDFLAGS=${LDFLAGS}' \
-"
-
-SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'resolvconf', 'file://dnsmasq.resolvconf file://99_dnsmasq file://dnsmasq-resolvconf-helper', '', d)}"
-
-do_compile () {
- oe_runmake all-i18n
- if ${@bb.utils.contains_any('PACKAGECONFIG', ['dhcp', 'dhcp6'], 'true', 'false', d)}; then
- # build dhcp_release
- oe_runmake -C ${S}/contrib/lease-tools
- fi
-}
-
-do_install () {
- oe_runmake "PREFIX=${D}${prefix}" \
- "BINDIR=${D}${bindir}" \
- "MANDIR=${D}${mandir}" \
- install-i18n
- install -d ${D}${sysconfdir}/ ${D}${sysconfdir}/init.d ${D}${sysconfdir}/dnsmasq.d
- install -m 644 ${WORKDIR}/dnsmasq.conf ${D}${sysconfdir}/
- install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/dnsmasq
-
- install -d ${D}${systemd_unitdir}/system
-
- if [ "${@bb.utils.filter('PACKAGECONFIG', 'resolvconf', d)}" ]; then
- install -m 0644 ${WORKDIR}/dnsmasq-resolvconf.service ${D}${systemd_unitdir}/system/dnsmasq.service
- else
- install -m 0644 ${WORKDIR}/dnsmasq-noresolvconf.service ${D}${systemd_unitdir}/system/dnsmasq.service
- fi
-
- if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
- install -d ${D}${sysconfdir}/systemd/resolved.conf.d/
- install -m 0644 ${WORKDIR}/dnsmasq-resolved.conf ${D}${sysconfdir}/systemd/resolved.conf.d/
- fi
-
- if [ "${@bb.utils.filter('PACKAGECONFIG', 'dhcp', d)}" ]; then
- install -m 0755 ${S}/contrib/lease-tools/dhcp_release ${D}${bindir}
- install -m 0755 ${S}/contrib/lease-tools/dhcp_lease_time ${D}${bindir}
- fi
-
- if [ "${@bb.utils.filter('PACKAGECONFIG', 'dhcp6', d)}" ]; then
- install -m 0755 ${S}/contrib/lease-tools/dhcp_release6 ${D}${bindir}
- fi
-
- if [ "${@bb.utils.filter('PACKAGECONFIG', 'dbus', d)}" ]; then
- install -d ${D}${sysconfdir}/dbus-1/system.d
- install -m 644 dbus/dnsmasq.conf ${D}${sysconfdir}/dbus-1/system.d/
- fi
-
- if [ "${@bb.utils.filter('PACKAGECONFIG', 'resolvconf', d)}" ]; then
- install -d ${D}${sysconfdir}/resolvconf/update.d/
- install -m 0755 ${WORKDIR}/dnsmasq.resolvconf ${D}${sysconfdir}/resolvconf/update.d/dnsmasq
-
- install -d ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/99_dnsmasq ${D}${sysconfdir}/default/volatiles
- install -m 0755 ${WORKDIR}/dnsmasq-resolvconf-helper ${D}${bindir}
- fi
-}
-
-CONFFILES:${PN} = "${sysconfdir}/dnsmasq.conf"
-
-RPROVIDES:${PN} += "${PN}-systemd"
-RREPLACES:${PN} += "${PN}-systemd"
-RCONFLICTS:${PN} += "${PN}-systemd"
-SYSTEMD_SERVICE:${PN} = "dnsmasq.service"
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
new file mode 100644
index 0000000000..38fa271dc3
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
@@ -0,0 +1,129 @@
+SUMMARY = "Lightweight, easy to configure DNS forwarder and DHCP server"
+HOMEPAGE = "http://www.thekelleys.org.uk/dnsmasq/doc.html"
+SECTION = "net"
+# GPLv3 was added in version 2.41 as license option
+LICENSE = "GPL-2.0-only | GPL-3.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+ file://COPYING-v3;md5=d32239bcb673463ab874e80d47fae504 \
+ "
+
+DEPENDS += "gettext-native"
+
+#at least versions 2.69 and prior are moved to the archive folder on the server
+SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getVar('PV').split('.')[1]) > 69]}dnsmasq-${PV}.tar.gz \
+ file://init \
+ file://dnsmasq.conf \
+ file://dnsmasq-resolvconf.service \
+ file://dnsmasq-noresolvconf.service \
+ file://dnsmasq-resolved.conf \
+"
+SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b"
+
+inherit pkgconfig update-rc.d systemd
+
+INITSCRIPT_NAME = "dnsmasq"
+INITSCRIPT_PARAMS = "defaults"
+
+# dnsmasq defaults
+PACKAGECONFIG ?= "auth dhcp dhcp6 dumpfile inotify ipset loop script tftp"
+
+PACKAGECONFIG[auth] = "-DHAVE_AUTH,-DNO_AUTH"
+PACKAGECONFIG[broken-rtc] = "-DHAVE_BROKEN_RTC,"
+PACKAGECONFIG[conntrack] = "-DHAVE_CONNTRACK,,libnetfilter-conntrack"
+PACKAGECONFIG[dbus] = "-DHAVE_DBUS,,dbus"
+PACKAGECONFIG[dhcp] = "-DHAVE_DHCP,-DNO_DHCP"
+PACKAGECONFIG[dhcp6] = "-DHAVE_DHCP6,-DNO_DHCP6"
+PACKAGECONFIG[dnssec] = "-DHAVE_DNSSEC,,nettle"
+PACKAGECONFIG[dumpfile] = "-DHAVE_DUMPFILE,-DNO_DUMPFILE"
+PACKAGECONFIG[idn] = "-DHAVE_LIBIDN,,libidn,,,idn2"
+PACKAGECONFIG[idn2] = "-DHAVE_LIBIDN2,,libidn2,,,idn"
+PACKAGECONFIG[inotify] = "-DHAVE_INOTIFY,-DNO_INOTIFY"
+PACKAGECONFIG[ipset] = "-DHAVE_IPSET,-DNO_IPSET"
+PACKAGECONFIG[loop] = "-DHAVE_LOOP,-DNO_LOOP"
+PACKAGECONFIG[lua] = "-DHAVE_LUASCRIPT -DHAVE_SCRIPT,,lua"
+PACKAGECONFIG[nftset] = "-DHAVE_NFTSET,,nftables"
+PACKAGECONFIG[no-gmp] = "-DNO_GMP,"
+PACKAGECONFIG[no-id] = "-DNO_ID,"
+PACKAGECONFIG[resolvconf] = ",,,resolvconf"
+PACKAGECONFIG[script] = "-DHAVE_SCRIPT,-DNO_SCRIPT"
+PACKAGECONFIG[tftp] = "-DHAVE_TFTP,-DNO_TFTP"
+PACKAGECONFIG[ubus] = "-DHAVE_UBUS,,ubus"
+
+DNSMASQ_LEASEFILE ?= "${localstatedir}/lib/misc/dnsmasq.leases"
+DNSMASQ_CONFFILE ?= "${sysconfdir}/dnsmasq.conf"
+DNSMASQ_RESOLVFILE ?= "${sysconfdir}/resolv.conf"
+
+COPTS = "${PACKAGECONFIG_CONFARGS} \
+ -DLEASEFILE=\"${DNSMASQ_LEASEFILE}\" \
+ -DCONFFILE=\"${DNSMASQ_CONFFILE}\" \
+ -DRESOLVFILE=\"${DNSMASQ_RESOLVFILE}\" \
+ -DLOCALEDIR=\"${localedir}\""
+
+EXTRA_OEMAKE = "\
+ 'COPTS=${COPTS}' \
+ 'CFLAGS=${CFLAGS}' \
+ 'LDFLAGS=${LDFLAGS}' \
+"
+
+SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'resolvconf', 'file://dnsmasq.resolvconf file://99_dnsmasq file://dnsmasq-resolvconf-helper', '', d)}"
+
+do_compile () {
+ oe_runmake all-i18n
+ if ${@bb.utils.contains_any('PACKAGECONFIG', ['dhcp', 'dhcp6'], 'true', 'false', d)}; then
+ # build dhcp_release
+ oe_runmake -C ${S}/contrib/lease-tools
+ fi
+}
+
+do_install () {
+ oe_runmake "PREFIX=${D}${prefix}" \
+ "BINDIR=${D}${bindir}" \
+ "MANDIR=${D}${mandir}" \
+ install-i18n
+ install -d ${D}${sysconfdir}/ ${D}${sysconfdir}/init.d ${D}${sysconfdir}/dnsmasq.d
+ install -m 644 ${WORKDIR}/dnsmasq.conf ${D}${sysconfdir}/
+ install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/dnsmasq
+
+ install -d ${D}${systemd_unitdir}/system
+
+ if [ "${@bb.utils.filter('PACKAGECONFIG', 'resolvconf', d)}" ]; then
+ install -m 0644 ${WORKDIR}/dnsmasq-resolvconf.service ${D}${systemd_unitdir}/system/dnsmasq.service
+ else
+ install -m 0644 ${WORKDIR}/dnsmasq-noresolvconf.service ${D}${systemd_unitdir}/system/dnsmasq.service
+ fi
+
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
+ install -d ${D}${sysconfdir}/systemd/resolved.conf.d/
+ install -m 0644 ${WORKDIR}/dnsmasq-resolved.conf ${D}${sysconfdir}/systemd/resolved.conf.d/
+ fi
+
+ if [ "${@bb.utils.filter('PACKAGECONFIG', 'dhcp', d)}" ]; then
+ install -m 0755 ${S}/contrib/lease-tools/dhcp_release ${D}${bindir}
+ install -m 0755 ${S}/contrib/lease-tools/dhcp_lease_time ${D}${bindir}
+ fi
+
+ if [ "${@bb.utils.filter('PACKAGECONFIG', 'dhcp6', d)}" ]; then
+ install -m 0755 ${S}/contrib/lease-tools/dhcp_release6 ${D}${bindir}
+ fi
+
+ if [ "${@bb.utils.filter('PACKAGECONFIG', 'dbus', d)}" ]; then
+ install -d ${D}${sysconfdir}/dbus-1/system.d
+ install -m 644 dbus/dnsmasq.conf ${D}${sysconfdir}/dbus-1/system.d/
+ fi
+
+ if [ "${@bb.utils.filter('PACKAGECONFIG', 'resolvconf', d)}" ]; then
+ install -d ${D}${sysconfdir}/resolvconf/update.d/
+ install -m 0755 ${WORKDIR}/dnsmasq.resolvconf ${D}${sysconfdir}/resolvconf/update.d/dnsmasq
+
+ install -d ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/99_dnsmasq ${D}${sysconfdir}/default/volatiles
+ install -m 0755 ${WORKDIR}/dnsmasq-resolvconf-helper ${D}${bindir}
+ fi
+}
+
+CONFFILES:${PN} = "${sysconfdir}/dnsmasq.conf"
+
+RPROVIDES:${PN} += "${PN}-systemd"
+RREPLACES:${PN} += "${PN}-systemd"
+RCONFLICTS:${PN} += "${PN}-systemd"
+SYSTEMD_SERVICE:${PN} = "dnsmasq.service"
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2023-28450.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2023-28450.patch
deleted file mode 100644
index 129c9043e8..0000000000
--- a/meta-networking/recipes-support/dnsmasq/files/CVE-2023-28450.patch
+++ /dev/null
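Review bot: The two CVEs the commit message cites are DNSSEC-validation issues, yet `dnssec` is not in the default `PACKAGECONFIG ?= "auth dhcp dhcp6 dumpfile inotify ipset loop script tftp"`, so the `PACKAGECONFIG[dnssec]` line deserves a comment that stops the next reader from assuming the default build was exposed: `# DNSSEC validation (off by default); the CVE-2023-50387/CVE-2023-50868 fixes in 2.90 only affect this code path`. Dropping lua.patch also means the `lua` PACKAGECONFIG now relies on the pkg-config name upstream's Makefile probes matching the `.pc` file the OE lua recipe installs, which cannot be verified from the recipe alone, so a build with lua enabled is worth running before merge. The removal of the CVE-2023-28450 backport rests on the commit message's assertion that 2.90 contains upstream commit eb92fb32 (the hash the deleted patch's Upstream-Status names); stating that in the recipe's `# dnsmasq defaults` area or the message would make the removal auditable later.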
@@ -1,48 +0,0 @@
-From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
-Date: Tue, 7 Mar 2023 22:07:46 +0000
-Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
-
-http://www.dnsflagday.net/2020/ refers.
-
-Thanks to Xiang Li for the prompt.
-
-CVE: CVE-2023-28450
-Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5]
-
-Signed-off-by: Peter Marko
----
- man/dnsmasq.8 | 3 ++-
- src/config.h | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index 41e2e04..5acb935 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -183,7 +183,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
- .TP
- .B \-P, --edns-packet-max=
- Specify the largest EDNS.0 UDP packet which is supported by the DNS
--forwarder. Defaults to 4096, which is the RFC5625-recommended size.
-+forwarder. Defaults to 1232, which is the recommended size following the
-+DNS flag day in 2020. Only increase if you know what you are doing.
- .TP
- .B \-Q, --query-port=
- Send outbound DNS queries from, and listen for their replies on, the
-diff --git a/src/config.h b/src/config.h
-index 1e7b30f..37b374e 100644
---- a/src/config.h
-+++ b/src/config.h
-@@ -19,7 +19,7 @@
- #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
- #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
- #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
--#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
-+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
- #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
- #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
- #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
---
-2.20.1
-
-- cgit v1.2.3-54-g00ecf