Bug 885727 - Libvirt won't parse dnsmasq capabilities when debug logs are enabled
Summary: Libvirt won't parse dnsmasq capabilities when debug logs are enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Michal Privoznik
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 888457
Reported: 2012-12-10 13:44 UTC by Michal Privoznik
Modified: 2013-02-21 07:28 UTC (History)

Fixed In Version: libvirt-0.10.2-12.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 07:28:23 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2013:0276
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: libvirt security, bug fix, and enhancement update
Last Updated: 2013-02-20 21:18:26 UTC

Description Michal Privoznik 2012-12-10 13:44:33 UTC
Description of problem:
With enabled debug logs, libvirt fails to parse dnsmasq output which results in 
Bug 882265 - CVE-2012-3411 being reproducible again.

Version-Release number of selected component (if applicable):
libvirt-0.10.2-11.el6

How reproducible:
100%

Steps to Reproduce:
1. enable debug logs (log_level=1)
2. restart libvirtd
3. virsh net-destroy default && virsh net-start default
4. ps axf | grep dnsmasq
  
Actual results:
32677 ?        S      0:00 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/default.pid --conf-file= --bind-interfaces --except-interface lo --listen-address 192.168.122.1 --dhcp-range 192.168.122.2,192.168.122.253 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases --dhcp-lease-max=252 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts


Expected results:
 7478 ?        S      0:00 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/default.pid --conf-file= --bind-dynamic --interface virbr0 --dhcp-range 192.168.122.2,192.168.122.253 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases --dhcp-lease-max=252 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts

(important diff is --bind-interfaces vs. --bind-dynamic)


Additional info:

Comment 1 Michal Privoznik 2012-12-10 13:48:15 UTC
Fixed upstream:

commit ff33f807739dc2950e4df8c1d4007ce9f8b290c0
Author:     Michal Privoznik <mprivozn>
AuthorDate: Thu Dec 6 13:48:11 2012 +0100
Commit:     Michal Privoznik <mprivozn>
CommitDate: Thu Dec 6 13:48:11 2012 +0100

    dnsmasq: Fix parsing of the version number
    
    If debugging is enabled, the debug messages are sent to stderr.
    Moreover, if a command has catching of stderr set, the messages
    get mixed with stdout output (assuming both outputs are stored
    in the same variable). The resulting string then doesn't
    necessarily have to start with the desired prefix. This bug
    exposes itself when parsing dnsmasq output:
    
    2012-12-06 11:18:11.445+0000: 18491: error :
    dnsmasqCapsSetFromBuffer:664 : internal error cannot parse
    /usr/sbin/dnsmasq version number in '2012-12-06
    11:11:02.232+0000: 18492: debug : virFileClose:72 : Closed fd 22'
    
    We can clearly see that the output of dnsmasq --version doesn't
    start with the expected "Dnsmasq version " string but with libvirt
    debug output.

v1.0.0-249-gff33f80
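
The failure mode described in the commit message above, as an added example (not libvirt's code and not part of the original bug report): a parser that requires the captured buffer to begin with "Dnsmasq version " rejects output that has a libvirt debug line in front of it, while one that searches for the prefix still recovers the version. The function names, the version encoding and the sample buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DNSMASQ_VERSION_STR "Dnsmasq version "

/* Constructed sample: the debug line quoted in the commit message (stderr)
 * captured ahead of a constructed "dnsmasq --version" line (stdout). */
static const char *mixed_output =
    "2012-12-06 11:11:02.232+0000: 18492: debug : virFileClose:72 : Closed fd 22\n"
    "Dnsmasq version 2.48\n";

/* Parse "<major>.<minor>" at p into major*1000000 + minor*1000; -1 on error. */
static long parse_major_minor(const char *p)
{
    char *end;
    long major = strtol(p, &end, 10);
    if (end == p || *end != '.' || major < 0)
        return -1;
    p = end + 1;
    long minor = strtol(p, &end, 10);
    if (end == p || minor < 0)
        return -1;
    return major * 1000000 + minor * 1000;
}

/* Anchored parse: the buffer must begin with the version prefix. */
long version_anchored(const char *buf)
{
    size_t n = strlen(DNSMASQ_VERSION_STR);
    if (strncmp(buf, DNSMASQ_VERSION_STR, n) != 0)
        return -1;
    return parse_major_minor(buf + n);
}

/* Tolerant parse: locate the prefix anywhere in the captured buffer. */
long version_searched(const char *buf)
{
    const char *p = strstr(buf, DNSMASQ_VERSION_STR);
    return p ? parse_major_minor(p + strlen(DNSMASQ_VERSION_STR)) : -1;
}

int main(void)
{
    printf("anchored: %ld\n", version_anchored(mixed_output));
    printf("searched: %ld\n", version_searched(mixed_output));
    return 0;
}
```

A caller that treats the -1 result as "old dnsmasq" ends up on the --bind-interfaces path shown under "Actual results", which is why the parse failure is security-relevant here.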

Comment 4 Huang Wenlong 2012-12-11 07:48:26 UTC
Hi Michal,
Maybe I reproduced this bug without debug logs enabled.
Please have a look: https://bugzilla.redhat.com/show_bug.cgi?id=884957

Comment 5 Michal Privoznik 2012-12-11 09:22:02 UTC
(In reply to comment #4)
> Hi.Michal 
> Maybe I reproduce this bug without debug log enabled 
> pls have a look https://bugzilla.redhat.com/show_bug.cgi?id=884957

No, I don't think they are the same. In the bug you are referring to, dnsmasq won't start as it can't bind to ::1. In this bug, dnsmasq doesn't die, but libvirt doesn't determine its version, so libvirt assumes it's an older one, which doesn't support --bind-dynamic yet. Hence, dnsmasq is started with --bind-interfaces (which is the root cause of the CVE). In your bug, --bind-dynamic is actually used, so we're safe from the CVE POV.

Comment 7 Huang Wenlong 2012-12-12 10:00:09 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Hi.Michal 
> > Maybe I reproduce this bug without debug log enabled 
> > pls have a look https://bugzilla.redhat.com/show_bug.cgi?id=884957
> 
> No, I don't think they are the same. In the bug you are referring to,
> dnsmasq won't start as it can't bind to ::1. In this bug, dnsmasq doesn't
> die, but libvirt doesn't determine its version, so libvirt assumes it's
> older one, which doesn't support --bind-dynamic yet. Hence, dnsmasq is
> started with --bind-interfaces (which is the root cause of CVE). In your
> bug, --bind-dynamic is actually used so we're safe from the CVE POV.

Got it, thank you for your analysis.

Comment 9 zhpeng 2012-12-13 10:01:28 UTC
Tested with libvirt-0.10.2-12.el6.x86_64, steps the same as the reporter said. Result:

pkg:libvirt-0.10.2-12.el6.x86_64

 4830 ?        S      0:00 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/default.pid --conf-file= --bind-dynamic --interface virbr0 --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases --dhcp-lease-max=253 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts

So it's verified.

Comment 10 zhpeng 2013-01-25 08:01:43 UTC
For now:
libvirt-0.10.2-17.el6.x86_64
dnsmasq-2.48-13.el6.x86_64

ps -ef |grep dns
nobody    8382     1  0 11:04 ?        00:00:00 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/default.pid --conf-file= --except-interface lo --bind-interfaces --listen-address 192.168.122.1 --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases --dhcp-lease-max=253 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts

There are "--except-interface lo --bind-interfaces" in the new dnsmasq process created by libvirtd.

Comment 11 errata-xmlrpc 2013-02-21 07:28:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html

