CVE-2020-25681 et al (dnspooq) and LXD

Hi folks,

Is there any guidance on whether this pile of dnsmasq vulnerabilities affects LXD? I made sure my snap package is fully refreshed, and then checked the version and it’s still reporting 2.79:

root@lxd-server:~# snap refresh lxd
lxd 4.10 from Canonical✓ refreshed
root@lxd-server:~# /snap/lxd/current/bin/dnsmasq --version
/snap/lxd/current/bin/dnsmasq: error while loading shared libraries: libidn.so.11: cannot open shared object file: No such file or directory
root@lxd-server:~# snap run --shell lxd
bash-4.4# dnsmasq --version
Dnsmasq version 2.79  Copyright (c) 2000-2018 Simon Kelley

Is there no update because the configuration used is not vulnerable, or is an update forthcoming?

Here’s the USN covering all the vulnerabilities for your convenience: https://ubuntu.com/security/notices/USN-4698-1

2.79 is normal, the LXD snap is based on core18 (Ubuntu 18.04) which ships 2.79.

The security fix will be picked up by the next stable snap update. We should have one come out later today or early tomorrow, I’m just looking at what fixes we may want to cherry-pick into LXD at the same time.


Thanks Stéphane!

So the fix will be backported, I won’t be able to tell via the version number? Will there be a command-line way to tell if the fix is applied?

Per the USN you linked to, 2.79-1ubuntu0.2 is the fixed version for dnsmasq in 18.04.
I don’t know if dnsmasq ever exposes the full version though.

If you wanted to know for sure, you could unpack the fixed deb from Ubuntu, hash the binary in there and compare to that in the snap.


https://code.launchpad.net/~ubuntu-lxc/+snap/lxd-latest-candidate/ should show a new build soon; once it’s done and CI is happy with it, we’ll push to stable.

(Worth noting that as snap publishers we get e-mail notifications for any package that’s included in the snap and that needs a refresh for a security fix)

Thanks so much!

If I’ve done it correctly, it looks like the SHA256 checksum of the correct dnsmasq is 4171871eaa8351d609a2fb43056803e4172779541fa10a25b1eeb26ee17fb5ff which should make it fairly trivial to work out which machines need it and which don’t.
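The check described earlier in the thread (unpack the fixed deb, hash the binary, compare it with the one inside the snap) and the fleet-wide comparison against the SHA256 quoted above, written out as an added example; this is not code from the LXD project or from anyone in the thread. It assumes the snap's dnsmasq lives at the path shown in the original terminal session, that the fixed binary is shipped as ./usr/sbin/dnsmasq inside the dnsmasq-base deb (a package-layout assumption), and it reuses the hash value exactly as the poster quoted it. The safer habit is to recompute that reference hash yourself from the 2.79-1ubuntu0.2 deb with the helper below rather than trusting a value copied from a forum post.

```shell
#!/bin/sh
# Added example (not LXD code): is the dnsmasq inside the LXD snap the fixed build?

# Reference digest as quoted in the thread for dnsmasq 2.79-1ubuntu0.2 (Ubuntu 18.04).
# Treat it as an input to verify, not a trusted constant: see deb_binary_sha256 below.
EXPECTED_SHA256="4171871eaa8351d609a2fb43056803e4172779541fa10a25b1eeb26ee17fb5ff"

# Location of the daemon binary inside the mounted snap (from the thread's session).
SNAP_DNSMASQ="/snap/lxd/current/bin/dnsmasq"

# sha256_of FILE -> prints the hex digest only (no trailing filename).
# Returns 1 without touching sha256sum when FILE is missing or unreadable.
sha256_of() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# hash_matches FILE EXPECTED -> exit 0 when FILE hashes to EXPECTED, 1 otherwise
# (including when FILE cannot be read, so an absent binary never reads as "patched").
hash_matches() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# deb_binary_sha256 DEB [MEMBER] -> digest of one file inside a .deb without
# installing it: dpkg-deb streams data.tar, tar -O writes just that member to stdout.
# MEMBER defaults to ./usr/sbin/dnsmasq, the daemon path in dnsmasq-base (assumption).
# Use this on the 2.79-1ubuntu0.2 deb to derive EXPECTED_SHA256 independently.
deb_binary_sha256() {
    dpkg-deb --fsys-tarfile "$1" | tar -xOf - "${2:-./usr/sbin/dnsmasq}" | sha256sum | cut -d' ' -f1
}

# dnsmasq_fix_status FILE EXPECTED -> prints "patched" or "vulnerable-or-unknown".
# Exit status mirrors the verdict (0 = patched) so it can drive a fleet check
# such as: ssh host "$(cat this.sh); dnsmasq_fix_status \$SNAP_DNSMASQ \$EXPECTED_SHA256"
dnsmasq_fix_status() {
    if hash_matches "$1" "$2"; then
        echo "patched"
        return 0
    fi
    # A mismatch means either the old 2.79 binary or something we have no reference for.
    echo "vulnerable-or-unknown"
    return 1
}

# Stand-alone usage on an LXD host:
#   dnsmasq_fix_status "$SNAP_DNSMASQ" "$EXPECTED_SHA256"
# Recomputing the reference from the downloaded fix:
#   deb_binary_sha256 ./dnsmasq-base_2.79-1ubuntu0.2_amd64.deb
```

Because the thread notes that dnsmasq never reports the Ubuntu package revision, the digest is the only signal that distinguishes the patched 2.79 from the original one; a mismatch is therefore reported as "vulnerable-or-unknown" rather than a definite "vulnerable", since a rebuilt or differently linked binary would also fail the comparison.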

Update is in latest/stable now.

Thanks Stéphane Graber!

Do you happen to know when/if it will make it into LTS (4.0.4)?

Building a slightly updated version of the 4.0 LTS branch now.
