diff options
author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-12-17 04:11:34 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-01-09 02:21:44 +0300 |
commit | 1a4b7ee28bf7413af6513fb45ad0d0736048f866 (patch) | |
tree | 79f6d8ea698cab8f2eaf4f54b793d2ca7a1451ce /meta-openembedded/meta-networking/recipes-support/dnsmasq | |
parent | 5b9ede0403237c7dace972affa65cf64a1aadd0e (diff) | |
download | openbmc-1a4b7ee28bf7413af6513fb45ad0d0736048f866.tar.xz |
reset upstream subtrees to yocto 2.6
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-openembedded/meta-networking/recipes-support/dnsmasq')
4 files changed, 9 insertions, 273 deletions
diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/lua.patch b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/lua.patch index 0991dd8b9..1bf0f75c1 100644 --- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/lua.patch +++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq/lua.patch @@ -1,7 +1,7 @@ From be1b3d2d0f1608cba5efee73d6aac5ad0709041b Mon Sep 17 00:00:00 2001 From: Joe MacDonald <joe_macdonald@mentor.com> Date: Tue, 9 Sep 2014 10:24:58 -0400 -Subject: [PATCH] Upstream-status: Inappropriate [OE specific] +Subject: [PATCH] Upstream-Status: Inappropriate [OE specific] Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.78.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.78.bb deleted file mode 100644 index d2465f82d..000000000 --- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.78.bb +++ /dev/null @@ -1,9 +0,0 @@ -require dnsmasq.inc - -SRC_URI += "\ - file://lua.patch \ - file://CVE-2017-15107.patch \ -" - -SRC_URI[dnsmasq-2.78.md5sum] = "3bb97f264c73853f802bf70610150788" -SRC_URI[dnsmasq-2.78.sha256sum] = "c92e5d78aa6353354d02aabf74590d08980bb1385d8a00b80ef9bc80430aa1dc" diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.79.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.79.bb new file mode 100644 index 000000000..a66b9a9ad --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.79.bb @@ -0,0 +1,8 @@ +require dnsmasq.inc + +SRC_URI[dnsmasq-2.79.md5sum] = "5d7120a46d0c16a334f46757d7e2ba55" +SRC_URI[dnsmasq-2.79.sha256sum] = "77512dd6f31ffd96718e8dcbbf54f02c083f051d4cca709bd32540aea269f789" +SRC_URI += "\ + file://lua.patch \ +" + diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/files/CVE-2017-15107.patch b/meta-openembedded/meta-networking/recipes-support/dnsmasq/files/CVE-2017-15107.patch deleted file mode 100644 index 701101bcb..000000000 --- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/files/CVE-2017-15107.patch +++ /dev/null @@ -1,263 +0,0 @@ -From 5a56e1b78a753d3295564daddc9ce389cc69fd68 Mon Sep 17 00:00:00 2001 -From: Simon Kelley <simon@thekelleys.org.uk> -Date: Fri, 19 Jan 2018 12:26:08 +0000 -Subject: [PATCH] DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies. - -It's OK for NSEC records to be expanded from wildcards, -but in that case, the proof of non-existence is only valid -starting at the wildcard name, *.<domain> NOT the name expanded -from the wildcard. Without this check it's possible for an -attacker to craft an NSEC which wrongly proves non-existence -in a domain which includes a wildcard for NSEC. - -Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=4fe6744a220eddd3f1749b40cac3dfc510787de6] -CVE: CVE-2017-15107 -Signed-off-by: Sinan Kaya <okaya@kernel.org> ---- - CHANGELOG | 44 +++++++++++++++++++ - src/dnssec.c | 117 +++++++++++++++++++++++++++++++++++++++++++++------ - 2 files changed, 147 insertions(+), 14 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 075fe1a6..5226dce8 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -1,3 +1,47 @@ -+version 2.79 -+ Fix parsing of CNAME arguments, which are confused by extra spaces. -+ Thanks to Diego Aguirre for spotting the bug. -+ -+ Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind -+ upstream servers to an interface, rather than SO_BINDTODEVICE. -+ Thanks to Beniamino Galvani for the patch. -+ -+ Always return a SERVFAIL answer to DNS queries without the -+ recursion desired bit set, UNLESS acting as an authoritative -+ DNS server. This avoids a potential route to cache snooping. -+ -+ Add support for Ed25519 signatures in DNSSEC validation. -+ -+ No longer support RSA/MD5 signatures in DNSSEC validation, -+ since these are not secure. This behaviour is mandated in -+ RFC-6944. -+ -+ Fix incorrect error exit code from dhcp_release6 utility. -+ Thanks Gaudenz Steinlin for the bug report. -+ -+ Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC -+ time validation when --dnssec-no-timecheck is in use. -+ Note that this is an incompatible change from earlier releases. -+ -+ Allow more than one --bridge-interface option to refer to an -+ interface, so that we can use -+ --bridge-interface=int1,alias1 -+ --bridge-interface=int1,alias2 -+ as an alternative to -+ --bridge-interface=int1,alias1,alias2 -+ Thanks to Neil Jerram for work on this. -+ -+ Fix for DNSSEC with wildcard-derived NSEC records. -+ It's OK for NSEC records to be expanded from wildcards, -+ but in that case, the proof of non-existence is only valid -+ starting at the wildcard name, *.<domain> NOT the name expanded -+ from the wildcard. Without this check it's possible for an -+ attacker to craft an NSEC which wrongly proves non-existence. -+ Thanks to Ralph Dolmans for finding this, and co-ordinating -+ the vulnerability tracking and fix release. -+ CVE-2017-15107 applies. -+ -+ - version 2.78 - Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris - Novakovic for the patch. -diff --git a/src/dnssec.c b/src/dnssec.c -index a74d01ab..1417be56 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -424,15 +424,17 @@ static void from_wire(char *name) - static int count_labels(char *name) - { - int i; -- -+ char *p; -+ - if (*name == 0) - return 0; - -- for (i = 0; *name; name++) -- if (*name == '.') -+ for (p = name, i = 0; *p; p++) -+ if (*p == '.') - i++; - -- return i+1; -+ /* Don't count empty first label. */ -+ return *name == '.' ? i : i+1; - } - - /* Implement RFC1982 wrapped compare for 32-bit numbers */ -@@ -1405,8 +1407,8 @@ static int hostname_cmp(const char *a, const char *b) - } - } - --static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, -- char *workspace1, char *workspace2, char *name, int type, int *nons) -+static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count, -+ char *workspace1_in, char *workspace2, char *name, int type, int *nons) - { - int i, rc, rdlen; - unsigned char *p, *psave; -@@ -1419,6 +1421,9 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - /* Find NSEC record that proves name doesn't exist */ - for (i = 0; i < nsec_count; i++) - { -+ char *workspace1 = workspace1_in; -+ int sig_labels, name_labels; -+ - p = nsecs[i]; - if (!extract_name(header, plen, &p, workspace1, 1, 10)) - return 0; -@@ -1427,7 +1432,27 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi - psave = p; - if (!extract_name(header, plen, &p, workspace2, 1, 10)) - return 0; -- -+ -+ /* If NSEC comes from wildcard expansion, use original wildcard -+ as name for computation. */ -+ sig_labels = *labels[i]; -+ name_labels = count_labels(workspace1); -+ -+ if (sig_labels < name_labels) -+ { -+ int k; -+ for (k = name_labels - sig_labels; k != 0; k--) -+ { -+ while (*workspace1 != '.' && *workspace1 != 0) -+ workspace1++; -+ if (k != 1 && *workspace1 == '.') -+ workspace1++; -+ } -+ -+ workspace1--; -+ *workspace1 = '*'; -+ } -+ - rc = hostname_cmp(workspace1, name); - - if (rc == 0) -@@ -1825,24 +1850,26 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns - - static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons) - { -- static unsigned char **nsecset = NULL; -- static int nsecset_sz = 0; -+ static unsigned char **nsecset = NULL, **rrsig_labels = NULL; -+ static int nsecset_sz = 0, rrsig_labels_sz = 0; - - int type_found = 0; -- unsigned char *p = skip_questions(header, plen); -+ unsigned char *auth_start, *p = skip_questions(header, plen); - int type, class, rdlen, i, nsecs_found; - - /* Move to NS section */ - if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) - return 0; -+ -+ auth_start = p; - - for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) - { - unsigned char *pstart = p; - -- if (!(p = skip_name(p, header, plen, 10))) -+ if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10)) - return 0; -- -+ - GETSHORT(type, p); - GETSHORT(class, p); - p += 4; /* TTL */ -@@ -1859,7 +1886,69 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) - return 0; - -- nsecset[nsecs_found++] = pstart; -+ if (type == T_NSEC) -+ { -+ /* If we're looking for NSECs, find the corresponding SIGs, to -+ extract the labels value, which we need in case the NSECs -+ are the result of wildcard expansion. -+ Note that the NSEC may not have been validated yet -+ so if there are multiple SIGs, make sure the label value -+ is the same in all, to avoid be duped by a rogue one. -+ If there are no SIGs, that's an error */ -+ unsigned char *p1 = auth_start; -+ int res, j, rdlen1, type1, class1; -+ -+ if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found)) -+ return 0; -+ -+ rrsig_labels[nsecs_found] = NULL; -+ -+ for (j = ntohs(header->nscount); j != 0; j--) -+ { -+ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10))) -+ return 0; -+ -+ GETSHORT(type1, p1); -+ GETSHORT(class1, p1); -+ p1 += 4; /* TTL */ -+ GETSHORT(rdlen1, p1); -+ -+ if (!CHECK_LEN(header, p1, plen, rdlen1)) -+ return 0; -+ -+ if (res == 1 && class1 == qclass && type1 == T_RRSIG) -+ { -+ int type_covered; -+ unsigned char *psav = p1; -+ -+ if (rdlen < 18) -+ return 0; /* bad packet */ -+ -+ GETSHORT(type_covered, p1); -+ -+ if (type_covered == T_NSEC) -+ { -+ p1++; /* algo */ -+ -+ /* labels field must be the same in every SIG we find. */ -+ if (!rrsig_labels[nsecs_found]) -+ rrsig_labels[nsecs_found] = p1; -+ else if (*rrsig_labels[nsecs_found] != *p1) /* algo */ -+ return 0; -+ } -+ p1 = psav; -+ } -+ -+ if (!ADD_RDLEN(header, p1, plen, rdlen1)) -+ return 0; -+ } -+ -+ /* Must have found at least one sig. */ -+ if (!rrsig_labels[nsecs_found]) -+ return 0; -+ } -+ -+ nsecset[nsecs_found++] = pstart; - } - - if (!ADD_RDLEN(header, p, plen, rdlen)) -@@ -1867,7 +1956,7 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key - } - - if (type_found == T_NSEC) -- return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); -+ return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons); - else if (type_found == T_NSEC3) - return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons); - else --- -2.19.0 - |