From eb7f313c79a6e5f789fa3fe271f49e2148f09b92 Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Tue, 11 Jun 2024 02:15:31 +0000
Subject: [PATCH] Fix CVE-2023-49441
---
...Fix-standalone-SHA256-implementation.patch | 49 +++++++++++++++++++
dnsmasq.spec | 9 +++-
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch
diff --git a/backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch b/backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch
new file mode 100644
index 0000000..19cc2d2
--- /dev/null
+++ b/backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch
@@ -0,0 +1,49 @@
+From 65c2d6afd67a032f45f40d7e4d620f5d73e5f07d Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Wed, 22 Nov 2023 22:02:05 +0000
+Subject: [PATCH] Fix standalone SHA256 implementation.
+
+Bug report here:
+https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q4/017332.html
+
+This error probably has no practical effect since even if the hash
+is wrong, it's only compared internally to other hashes computed using
+the same code.
+
+Understanding the error:
+
+hash-questions.c:168:21: runtime error: left shift of 128 by 24 places
+cannot be represented in type 'int'
+
+requires a certain amount of c-lawyerliness. I think the problem is that
+
+m[i] = data[j] << 24
+
+promotes the unsigned char data array value to int before doing the shift and
+then promotes the result to unsigned char to match the type of m[i].
+What needs to happen is to cast the unsigned char to unsigned int
+BEFORE the shift.
+
+This patch does that with explicit casts.
+
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=65c2d6afd67a032f45f40d7e4d620f5d73e5f07d
+---
+ src/hash-questions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hash-questions.c b/src/hash-questions.c
+index c1ee135..e6304ac 100644
+--- a/src/hash-questions.c
++++ b/src/hash-questions.c
+@@ -165,7 +165,7 @@ static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
+ WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
+
+ for (i = 0, j = 0; i < 16; ++i, j += 4)
+- m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
++ m[i] = (((WORD)data[j]) << 24) | (((WORD)data[j + 1]) << 16) | (((WORD)data[j + 2]) << 8) | (((WORD)data[j + 3]));
+ for ( ; i < 64; ++i)
+ m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
+
+--
+2.33.0
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index b9a8c4c..cef53de 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
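Review bot: Nothing in this commit shows that the rewritten word load in `sha256_transform` (inner hunk at `src/hash-questions.c` line 165) is actually compiled or exercised in this package. The spec lists `nettle-devel` as a build requirement, so the standalone SHA-256 path may not be part of the shipped binary; it is worth confirming which hash implementation the build selects, since that decides whether the package was affected and whether this patch changes the binary. Where the standalone code is built, a `-fsanitize=undefined` build plus a SHA-256 known-answer check on input containing bytes >= 0x80 would confirm the fix. A comment above the line would keep the casts from being simplified away later, e.g. `/* cast to WORD before shifting: BYTE promotes to int and 0x80 << 24 overflows it */`. The function body continues outside the hunk.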
@@ -1,6 +1,6 @@ Name: dnsmasq Version: 2.86 -Release: 7 +Release: 8 Summary: Dnsmasq provides network infrastructure for small networks License: GPLv2 or GPLv3 URL: http://www.thekelleys.org.uk/dnsmasq/ @@ -47,6 +47,7 @@ Patch36: backport-Optimize-inserting-records-into-server-list.patch Patch37: backport-Fix-massive-confusion-on-server-reload.patch Patch38: backport-Fix-use-after-free-in-mark_servers.patch Patch39: backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch +Patch40: backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch BuildRequires: gcc BuildRequires: dbus-devel pkgconfig libidn2-devel nettle-devel systemd @@ -136,6 +137,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf %{_mandir}/man8/dnsmasq* %changelog +* Tue Jun 11 2024 renmingshuai - 2.86-8 +- Type:CVE +- Id:CVE-2023-49441 +- SUG:NA +- DESC:Fix CVE-2023-49441 + * Wed Nov 22 2023 renmingshuai - 2.86-7 - Type:bugfix - Id:NA -- Gitee
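Review bot: `Patch40` is declared in the second hunk, but no hunk touches `%prep`: the spec's 8 insertions and 1 deletion are all accounted for by `Release`, `Patch40` and the changelog entry. That is fine if `%prep` applies patches through `%autosetup` or `%autopatch`, but with explicit per-patch `%patch` lines the CVE fix would be declared and never applied, and the build would still succeed. `%prep` lies outside the visible hunks, so this is a point to confirm rather than a finding. The changelog entry could also say what was fixed, e.g. `- DESC:Fix CVE-2023-49441 (signed-shift UB in standalone SHA256)`.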