[libvirt] [PATCH v0.10.2-maint] network: prevent dnsmasq from listening on localhost

Peter Krempa pkrempa at redhat.com
Thu Dec 13 09:40:02 UTC 2012


On 12/13/12 10:00, Laine Stump wrote:
> (I'm sending this v0.10.2-maint "backport" of the upstream patch to
> the list because the code in question was completely replaced, so it
> required a new patch rather than a backport. The backport for
> 0.9.11-maint is nearly identical to this, so I won't be sending that
> one)
>
> This patch resolves the problem reported in:
>
>     https://bugzilla.redhat.com/show_bug.cgi?id=886663
>
> The source of the problem was the fix for CVE 2011-3411:
>
>     https://bugzilla.redhat.com/show_bug.cgi?id=833033
>
> which was originally committed upstream in commit
> 753ff83a50263d6975f88d6605d4b5ddfcc97560. That commit improperly
> removed the "--except-interface lo" from dnsmasq commandlines when
> --bind-dynamic was used (based on comments in the latter bug).
>
> It turns out that the problem reported in the CVE could be eliminated
> without removing "--except-interface lo", and removing it actually
> caused each instance of dnsmasq to listen on localhost on port 53,
> which created a new problem:
>
> If another instance of dnsmasq using "--bind-interfaces" (instead of
> "--bind-dynamic") had already been started (or if another instance
> started later used "--bind-dynamic"), this wouldn't have any immediately
> visible ill effects, but if you tried to start another dnsmasq
> instance using "--bind-interfaces" *after* starting any libvirt
> networks, the new dnsmasq would fail to start, because there was
> already another process listening on port 53.
>
> This patch changes the network driver to *always* add
> "--except-interface lo" to dnsmasq conf files, regardless of whether we use
> bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
> are listening on localhost (and the CVE is still fixed).
>
> The actual code change is minuscule, but must be propagated through all
> of the test files as well.
>
> (This is *not* a cherry-pick of the upstream commit, because
> subsequent to the CVE fix, another patch changed the network driver to
> put dnsmasq options in a conf file rather than directly on the dnsmasq
> commandline, but preserved the same options.)
> ---
>   src/network/bridge_driver.c                                       | 8 ++++----
>   tests/networkxml2argvdata/isolated-network.argv                   | 2 +-
>   tests/networkxml2argvdata/nat-network-dns-hosts.argv              | 2 +-
>   tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv | 2 +-
>   tests/networkxml2argvdata/nat-network-dns-srv-record.argv         | 2 +-
>   tests/networkxml2argvdata/nat-network-dns-txt-record.argv         | 2 +-
>   tests/networkxml2argvdata/nat-network.argv                        | 2 +-
>   tests/networkxml2argvdata/netboot-network.argv                    | 2 +-
>   tests/networkxml2argvdata/netboot-proxy-network.argv              | 2 +-
>   tests/networkxml2argvdata/routed-network.argv                     | 2 +-
>   10 files changed, 13 insertions(+), 13 deletions(-)
>

ACK to this "backport" too :). I didn't do a compile test of this patch 
but the changes seem reasonable and according to the manpage.

Peter
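The commit message above describes the failure mode in terms of dnsmasq options: without `except-interface=lo`, every libvirt dnsmasq instance also binds localhost port 53, and a later `bind-interfaces` dnsmasq cannot start. The following shell script is an added example, not part of the patch or of this thread, that audits libvirt-generated dnsmasq conf files for exactly that condition and reports which bind mode each file uses. It assumes dnsmasq's one-directive-per-line conf syntax; the sample confs it builds are constructed for the demo and are not real libvirt output.

```shell
#!/bin/sh
# Added example (not from the libvirt patch or the mailing-list thread).
# Audits dnsmasq conf files for the loopback problem described in the commit
# message: when "except-interface=lo" is absent, dnsmasq also listens on
# localhost:53, regardless of bind-dynamic vs bind-interfaces, and any later
# "bind-interfaces" dnsmasq on the host fails to start.
# Assumption (mine): dnsmasq's one-directive-per-line conf syntax with '#' comments.

# Print the active directives of a conf file, comments and blank lines removed,
# so a commented-out "except-interface=lo" does not count as present.
active_directives() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Report the bind mode a conf selects: bind-dynamic, bind-interfaces or default.
bind_mode() {
    if active_directives "$1" | grep -qx 'bind-dynamic'; then
        echo bind-dynamic
    elif active_directives "$1" | grep -qx 'bind-interfaces'; then
        echo bind-interfaces
    else
        echo default
    fi
}

# Return 0 when the conf keeps dnsmasq off loopback (except-interface=lo present),
# 1 when the instance would also listen on localhost port 53.
check_dnsmasq_conf() {
    active_directives "$1" | grep -qx 'except-interface=lo'
}

# Audit every *.conf in a directory: one line per file, return 1 if any file fails.
audit_dir() {
    rc=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if check_dnsmasq_conf "$f"; then
            echo "OK    $(bind_mode "$f")   $f"
        else
            echo "LO:53 $(bind_mode "$f")   $f   (missing except-interface=lo)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample confs: the shape before and after the patch, not real libvirt output.
demo() {
    d=$(mktemp -d)
    cat > "$d/before.conf" <<'EOF'
# constructed: conf as generated between the CVE fix and this patch
strict-order
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254
EOF
    cat > "$d/after.conf" <<'EOF'
# constructed: same network after the patch, except-interface=lo always present
strict-order
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254
EOF
    audit_dir "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

# With a directory argument, audit it (e.g. the host's libvirt dnsmasq conf dir);
# with no argument, run the constructed demo.
if [ "$#" -gt 0 ]; then
    audit_dir "$1" || echo "one or more confs would listen on localhost:53"
else
    demo || echo "one or more confs would listen on localhost:53"
fi
```

Pointing the script at the directory holding the running instances' conf files shows at a glance which networks still lack the directive after upgrading; the `bind_mode` column makes it easy to confirm that the problem is independent of the bind option, which is the point of the patch always emitting `except-interface=lo`.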