Bug 1343072 (CVE-2015-8899)

Summary: CVE-2015-8899 dnsmasq: Denial-of-service when empty address from DNS overlays A record from hosts
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abaron, aortega, apevec, ayoung, chrisw, dmoppert, itamar, jrusnack, jschluet, laine, lhh, lpeer, markmc, psimerda, rbryant, sclewis, slong, srevivo, tdecacqu, thozza, veillard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in dnsmasq in the cache_insert() function. An attacker could exploit this flaw by locally defining an A or AAAA record in the /etc/hosts file that is not in the upstream server. When the upstream server sends a reply that the same name is empty, dnsmasq crashes (denial of service).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-11 02:28:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1343073
Bug Blocks: 1343074

Description Andrej Nemec 2016-06-06 12:52:48 UTC
A vulnerability was found in dnsmasq. A Denial-of-service will occur when an A or AAAA record is defined locally, in a hosts file, and an upstream server sends a reply that the same name is empty.

Upstream bug:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html

Upstream fix:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87

Comment 1 Andrej Nemec 2016-06-06 12:53:45 UTC
Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1343073]

Comment 2 Doran Moppert 2016-06-07 01:40:21 UTC
Low impact as the worst this can cause is a denial of service.

Vulnerable code was introduced in v2.73:  all RHEL versions ship earlier
versions of dnsmasq which are not affected by this issue.

Comment 4 Summer Long 2016-06-10 00:17:54 UTC
Same as RHEL (see comment #2). All RHOSP versions ship earlier dnsmasq versions (either 2.48 or 2.66), and are not affected by this issue.
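
The failure mode described in the Doc Text, as an added example that is neither dnsmasq's code nor part of this bug report: a simplified C model in which a hosts-file record exists and an upstream reply for the same name carries no address (modelled as `addr == NULL`). All identifiers (`insert_unchecked`, `insert_checked`, `store`, `find`, `SRC_HOSTS`, `SRC_DNS`) and the sample name and address are constructed for illustration; the real cache_insert() is more involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the failure mode; NOT dnsmasq source. All names are hypothetical. */
enum { SRC_HOSTS = 1, SRC_DNS = 2, SLOTS = 8 };
struct entry { const char *name; int src; int has_addr; uint32_t addr4; };
static struct entry cache[SLOTS];

static struct entry *find(const char *name) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].name && strcmp(cache[i].name, name) == 0) return &cache[i];
    return NULL;
}

static struct entry *store(const char *name, int src, const uint32_t *addr) {
    for (int i = 0; i < SLOTS; i++)
        if (!cache[i].name) {
            cache[i] = (struct entry){ name, src, addr != NULL, addr ? *addr : 0 };
            return &cache[i];
        }
    return NULL; /* cache full */
}

/* addr == NULL models an upstream reply saying the name has no address. */
/* Unchecked shape: crashes when such a reply overlays a hosts-file record. */
struct entry *insert_unchecked(const char *name, const uint32_t *addr) {
    struct entry *old = find(name);
    if (old && old->src == SRC_HOSTS)
        return old->addr4 == *addr ? old : NULL;   /* NULL dereference if addr == NULL */
    return old ? old : store(name, SRC_DNS, addr);
}

/* Checked shape: test addr before use; the locally configured record wins. */
struct entry *insert_checked(const char *name, const uint32_t *addr) {
    struct entry *old = find(name);
    if (old && old->src == SRC_HOSTS)
        return (addr && old->addr4 == *addr) ? old : NULL;  /* refuse the overlay */
    return old ? old : store(name, SRC_DNS, addr);
}

int main(void) {
    uint32_t a = 0xC0000201u;                  /* constructed address 192.0.2.1 */
    store("printer.example", SRC_HOSTS, &a);   /* constructed hosts-file record */
    struct entry *r = insert_checked("printer.example", NULL);
    printf("empty reply over hosts record: %s\n", r ? "accepted" : "refused, no crash");
    return 0;
}
```
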