!77 修复CVE-2023-28450

From: @renmingshuai Reviewed-by: @kircher Signed-off-by: @kircher
2023-03-30 02:01:42 +00:00 · 2023-03-30 02:01:42 +00:00 · 59e91464ee
commit 59e91464ee
parent 3dedea855b 6caae62b6e
2 changed files with 53 additions and 1 deletions
--- a/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
+++ b/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
@ -0,0 +1,45 @@
 From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
 From: Simon Kelley <simon@thekelleys.org.uk>
 Date: Tue, 7 Mar 2023 22:07:46 +0000
 Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
 http://www.dnsflagday.net/2020/ refers.
 Thanks to Xiang Li for the prompt.
 Conflict:NA
 Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f
 ---
 man/dnsmasq.8 | 3 ++-
 src/config.h  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
 diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
 index 4a1107a..cf3c9f6 100644
 --- a/man/dnsmasq.8
 +++ b/man/dnsmasq.8
@@ -172,7 +172,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
 .TP
 .B \-P, --edns-packet-max=<size>
 Specify the largest EDNS.0 UDP packet which is supported by the DNS
 -forwarder. Defaults to 4096, which is the RFC5625-recommended size.
 +forwarder. Defaults to 1232, which is the recommended size following the
 +DNS flag day in 2020. Only increase if you know what you are doing.
 .TP
 .B \-Q, --query-port=<query_port>
 Send outbound DNS queries from, and listen for their replies on, the
 diff --git a/src/config.h b/src/config.h
 index b8ca806..10c0b48 100644
 --- a/src/config.h
 +++ b/src/config.h
@@ -19,7 +19,7 @@
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
 -#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
 +#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
 #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
 #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
 -- 
 2.23.0
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -1,6 +1,6 @@
 Name:           dnsmasq
 Version:        2.82
-Release:        11
+Release:        12
 Summary:        Dnsmasq provides network infrastructure for small networks
 License:        GPLv2 or GPLv3
 URL:            http://www.thekelleys.org.uk/dnsmasq/
@ -34,6 +34,7 @@ Patch23:     backport-0009-Move-fd-into-frec_src-fixes-15b60ddf935a531269bb8c68.
 Patch24:     backport-0010-CVE-2021-3448.patch
 Patch25:     backport-Fix-write-after-free-in-DHCPv6-code-CVE-2022-0934.patch
 Patch26:     backport-Listen-only-on-lo-device-fix-CVE-2020-14312.patch
 Patch27:     backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
 BuildRequires:  dbus-devel pkgconfig libidn2-devel nettle-devel systemd
 Requires:       nettle >= 3.4 %{name}-help
@ -126,6 +127,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man8/dnsmasq*
 %changelog
 * Tue Mar 28 2023 renmingshuai <renmingshuai@huawei.com> - 2.82-12
 - Type:CVE
 - Id:CVE-2023-28450
 - SUG:NA
 - DESC:Fix CVE-2023-28450
 * Thu Jul 14 2022 renmingshuai <renmingshuai@huawei.com> - 2.82-11
 - Type:CVE
 - Id:NA