network: prevent dnsmasq from listening on localhost
authorLaine Stump <laine@laine.org>
Thu, 13 Dec 2012 06:46:40 +0000 (01:46 -0500)
committerLaine Stump <laine@laine.org>
Thu, 13 Dec 2012 17:15:03 +0000 (12:15 -0500)
This patch resolves the problem reported in:

   https://bugzilla.redhat.com/show_bug.cgi?id=886663

The source of the problem was the fix for CVE 2011-3411:

   https://bugzilla.redhat.com/show_bug.cgi?id=833033

which was originally committed upstream in commit
753ff83a50263d6975f88d6605d4b5ddfcc97560. That commit improperly
removed the "--except-interface lo" from dnsmasq commandlines when
--bind-dynamic was used (based on comments in the latter bug).

It turns out that the problem reported in the CVE could be eliminated
without removing "--except-interface lo", and removing it actually
caused each instance of dnsmasq to listen on localhost on port 53,
which created a new problem:

If another instance of dnsmasq using "bind-interfaces" (instead of
"bind-dynamic") had already been started (or if another instance
started later used "bind-dynamic"), this wouldn't have any immediately
visible ill effects, but if you tried to start another dnsmasq
instance using "bind-interfaces" *after* starting any libvirt
networks, the new dnsmasq would fail to start, because there was
already another process listening on port 53.

(Subsequent to the CVE fix, another patch changed the network driver
to put dnsmasq options in a conf file rather than directly on the
dnsmasq commandline, but preserved the same options.)

This patch changes the network driver to *always* add
"except-interface=lo" to dnsmasq conf files, regardless of whether we use
bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
are listening on localhost (and the CVE is still fixed).

The actual code change is minuscule, but must be propagated through all
of the test files as well.

13 files changed:
src/network/bridge_driver.c
tests/networkxml2confdata/dhcp6-nat-network.conf
tests/networkxml2confdata/dhcp6-network.conf
tests/networkxml2confdata/dhcp6host-routed-network.conf
tests/networkxml2confdata/isolated-network.conf
tests/networkxml2confdata/nat-network-dns-hosts.conf
tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
tests/networkxml2confdata/nat-network-dns-srv-record.conf
tests/networkxml2confdata/nat-network-dns-txt-record.conf
tests/networkxml2confdata/nat-network.conf
tests/networkxml2confdata/netboot-network.conf
tests/networkxml2confdata/netboot-proxy-network.conf
tests/networkxml2confdata/routed-network.conf

index 4e1958d0fd5e305b7ed7d5ecf711e9228f25da6c..a32755d7ab57e5d6798ab2121dce89b70601c33e 100644 (file)
@@ -689,6 +689,9 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
      if (pidfile)
         virBufferAsprintf(&configbuf, "pid-file=%s\n", pidfile);
 
+    /* dnsmasq will *always* listen on localhost unless told otherwise */
+    virBufferAddLit(&configbuf, "except-interface=lo\n");
+
     if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
         /* using --bind-dynamic with only --interface (no
          * --listen-address) prevents dnsmasq from responding to dns
@@ -702,9 +705,7 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
                              "interface=%s\n",
                              network->def->bridge);
     } else {
-        virBufferAddLit(&configbuf,
-                             "bind-interfaces\n"
-                             "except-interface=lo\n");
+        virBufferAddLit(&configbuf, "bind-interfaces\n");
         /*
          * --interface does not actually work with dnsmasq < 2.47,
          * due to DAD for ipv6 addresses on the interface.
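Review bot: The new comment above the unconditional `virBufferAddLit(&configbuf, "except-interface=lo\n");` in the first hunk states that dnsmasq listens on localhost "unless told otherwise" but not why that matters here, which is the whole point of the change and the easiest thing for a future cleanup to undo. I would expand it to `/* dnsmasq adds the loopback interface to its listen set on its own (it is not restricted by --interface), so every libvirt instance would bind port 53 on localhost and collide with any other resolver started later on the host. Exclude it explicitly in both the bind-dynamic and bind-interfaces paths. */`. A short pointer to the bug report from the commit message in that comment would also help, since the earlier removal of this option was itself made during a CVE fix. networkDnsmasqConfContents starts before the first hunk and continues past the second, so the two hunks cannot be reviewed as a complete function from this page.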
index d4889007a8bf54c01fde3234ced11579618d40fa..050f3dbecc396153aef9d53471b0bae5efcb7b6d 100644 (file)
@@ -7,6 +7,7 @@
 strict-order
 domain-needed
 local=//
+except-interface=lo
 bind-dynamic
 interface=virbr0
 dhcp-range=192.168.122.2,192.168.122.254
index 5c1030c708ac70fb1e8e33838339bca0bb141017..5fde07fbd120a76fa218327aa3f05ba98c8559f8 100644 (file)
@@ -9,6 +9,7 @@ domain-needed
 domain=mynet
 expand-hosts
 local=/mynet/
+except-interface=lo
 bind-dynamic
 interface=virbr0
 dhcp-range=2001:db8:ac10:fd01::1:10,2001:db8:ac10:fd01::1:ff
index cb4d0cc41dc815192713502d3e96fe8989eb35e2..f8f05c24c356fedb279a133d881413235e34ba13 100644 (file)
@@ -7,6 +7,7 @@
 strict-order
 domain-needed
 local=//
+except-interface=lo
 bind-dynamic
 interface=virbr1
 dhcp-range=192.168.122.1,static
index 55a44d32a4743f9367a0084e02742b05f2ca2a63..f8997bda58a8d7348c57f78648391755807f56df 100644 (file)
@@ -7,8 +7,8 @@
 strict-order
 domain-needed
 local=//
-bind-interfaces
 except-interface=lo
+bind-interfaces
 listen-address=192.168.152.1
 dhcp-option=3
 no-resolv
index ae8f8c5abbfe963481b84f42e02b34749f408c3b..2577882958a7515dc38f1aaaa1ca6fe8f71d2296 100644 (file)
@@ -9,6 +9,7 @@ domain-needed
 domain=example.com
 expand-hosts
 local=/example.com/
+except-interface=lo
 bind-dynamic
 interface=virbr0
 addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
index faa36e697d13949d39209d28fccaa583da16a87c..1e9b59c512e6863ab8d2b99aea22eaef058b373b 100644 (file)
@@ -7,8 +7,8 @@
 strict-order
 domain-needed
 local=//
-bind-interfaces
 except-interface=lo
+bind-interfaces
 listen-address=192.168.122.1
 listen-address=192.168.123.1
 listen-address=fc00:db8:ac10:fe01::1
index 60799121fed43301188f440f25339c7a127f5613..53d044a40c8a1e9546f500620eef5a66d0400643 100644 (file)
@@ -7,6 +7,7 @@
 strict-order
 domain-needed
 local=//
+except-interface=lo
 bind-dynamic
 interface=virbr0
 srv-host=name.tcp.test-domain-name,.,1024,10,10
index c448bdc1bcd30a154871b297c777b3b11d92dbd9..921cae1607154682abc2d60f1d8e2abbb2a44d91 100644 (file)
@@ -7,6 +7,7 @@
 strict-order
 domain-needed
 local=//
+except-interface=lo
 bind-dynamic
 interface=virbr0
 txt-record=example,example value
index 8f28fef0791adb4bc59119599ad08648584d0e84..beb714b134c3401281ad76e3713cf51537308406 100644 (file)
@@ -7,6 +7,7 @@
 strict-order
 domain-needed
 local=//
+except-interface=lo
 bind-dynamic
 interface=virbr0
 dhcp-range=192.168.122.2,192.168.122.254
index 83dd2b3eb3323aab502cf6a371e9c60d8aeef583..b6f3c23f150f6c5995e68f32be3b518ec8fff047 100644 (file)
@@ -9,8 +9,8 @@ domain-needed
 domain=example.com
 expand-hosts
 local=/example.com/
-bind-interfaces
 except-interface=lo
+bind-interfaces
 listen-address=192.168.122.1
 dhcp-range=192.168.122.2,192.168.122.254
 dhcp-no-override
index b266d81ab8aaea3404f050f7166702f9862d63b0..1e969fac6b6311df9b806267250184ba7ab35318 100644 (file)
@@ -9,8 +9,8 @@ domain-needed
 domain=example.com
 expand-hosts
 local=/example.com/
-bind-interfaces
 except-interface=lo
+bind-interfaces
 listen-address=192.168.122.1
 dhcp-range=192.168.122.2,192.168.122.254
 dhcp-no-override
index dc53a4e1c8c308d077fb35102af9a8057de22952..62ffd7a29a9d985300c5ae25c392321b2c1a8413 100644 (file)
@@ -7,6 +7,7 @@
 strict-order
 domain-needed
 local=//
+except-interface=lo
 bind-dynamic
 interface=virbr1
 addn-hosts=/var/lib/libvirt/dnsmasq/local.addnhosts