!74 [sync] PR-73: fix CVE-2023-28450

From: @openeuler-sync-bot Reviewed-by: @seuzw Signed-off-by: @seuzw
2023-03-18 08:32:00 +00:00 · 2023-03-18 08:32:00 +00:00 · d2c69566ac
commit d2c69566ac
parent 749b29164e 208b55fafd
2 changed files with 53 additions and 2 deletions
--- a/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
+++ b/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
@ -0,0 +1,45 @@
+From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 7 Mar 2023 22:07:46 +0000
+Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
+
+http://www.dnsflagday.net/2020/ refers.
+
+Thanks to Xiang Li for the prompt.
+Conflict:NA
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f
+---
+ man/dnsmasq.8 | 3 ++-
+ src/config.h  | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index 4a1107a..cf3c9f6 100644
+--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
+@@ -172,7 +172,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
+ .TP
+ .B \-P, --edns-packet-max=<size>
+ Specify the largest EDNS.0 UDP packet which is supported by the DNS
+-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
+ .TP
+ .B \-Q, --query-port=<query_port>
+ Send outbound DNS queries from, and listen for their replies on, the
+diff --git a/src/config.h b/src/config.h
+index b8ca806..10c0b48 100644
+--- a/src/config.h
+++ b/src/config.h
+@@ -19,7 +19,7 @@
+ #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
+ #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+ #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
+-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
+ #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
+ #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
+ #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
+-- 
+2.23.0
+
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -1,6 +1,6 @@
 Name:           dnsmasq
 Version:        2.86
-Release:        3
+Release:        4
 Summary:        Dnsmasq provides network infrastructure for small networks
 License:        GPLv2 or GPLv3
 URL:            http://www.thekelleys.org.uk/dnsmasq/
@ -35,7 +35,7 @@ Patch24:        backport-Fix-write-after-free-in-DHCPv6-code-CVE-2022-0934.patch
 Patch25:        backport-Fix-parsing-of-IPv6-addresses-with-peer-from-netlink.patch
 Patch26:        backport-Fix-bad-interaction-between-address-ip-and-ser.patch
 Patch27:        backport-Fix-address-which-was-lost-in-2.86.patch
-
+Patch28:        backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch

 BuildRequires:  gcc
 BuildRequires:  dbus-devel pkgconfig libidn2-devel nettle-devel systemd
@ -125,6 +125,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man8/dnsmasq*

 %changelog
+* Sat Mar 18 2023 renmingshuai <renmingshuai@huawei.com> - 2.86-4
+- Type:CVE
+- Id:CVE-2023-28450
+- SUG:NA
+- DESC:fix CVE-2023-28450
+
 * Thu Oct 27 2022 renmingshuai <renmingshuai@huawei.com> - 2.86-3
 - Type:bugfix
 - Id:NA