From 59c1640a4d08f52b11de9bbb9cc6df3f63fe6157 Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Thu, 14 Jul 2022 14:20:23 +0800
Subject: [PATCH] Listen only on lo device
---
 ...only-on-lo-device-fix-CVE-2020-14312.patch | 34 +++++++++++++++++++
 dnsmasq.spec | 9 ++++-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 backport-Listen-only-on-lo-device-fix-CVE-2020-14312.patch
diff --git a/backport-Listen-only-on-lo-device-fix-CVE-2020-14312.patch b/backport-Listen-only-on-lo-device-fix-CVE-2020-14312.patch
new file mode 100644
index 0000000..909f722
--- /dev/null
+++ b/backport-Listen-only-on-lo-device-fix-CVE-2020-14312.patch
@@ -0,0 +1,34 @@
+Subject: [PATCH] backport-Listen only on lo device fix CVE-2020-14312
+
+Reference:https://src.fedoraproject.org/rpms/dnsmasq/blob/f32/f/dnsmasq-2.81-configuration.patch
+---
+ dnsmasq.conf.example | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
+index 6aaa55a..9e1139a 100644
+--- a/dnsmasq.conf.example
++++ b/dnsmasq.conf.example
+@@ -104,6 +104,8 @@ group=dnsmasq
+ # interface (eg eth0) here.
+ # Repeat the line for more than one interface.
+ #interface=
++# Listen only on localhost by default
++interface=lo
+ # Or you can specify which interface _not_ to listen on
+ #except-interface=
+ # Or which to listen on by address (remember to include 127.0.0.1 if
+@@ -122,6 +124,10 @@ group=dnsmasq
+ # uncomment this option. About the only time you may need this is when
+ # running another nameserver on the same machine.
+ #bind-interfaces
++# To listen only on localhost and do not receive packets on other
++# interfaces, bind only to lo device. Comment out to bind on siggle
++# wildcard socket.
++bind-interfaces
+ 
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+-- 
+1.8.3.1
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index c825bb3..b8980ed 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
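Review bot: The comment block added above `bind-interfaces` in dnsmasq.conf.example misspells "single" (`bind on siggle`), and since this text is what the shipped example config will carry, the three lines should read `# To listen only on localhost and not receive packets on other`, `# interfaces, bind only to the lo device. Comment out to bind to a single`, `# wildcard socket.`. The backport hardens the example configuration only: whether an upgrade changes what an already-running dnsmasq listens on depends on how dnsmasq.spec installs this file and on whether an existing /etc/dnsmasq.conf is preserved, neither of which is visible in this patch, so the patch header should state which deployments it actually covers. The `Reference:` line also lacks a space after the colon, which matters only for readability of the header.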
@@ -1,6 +1,6 @@
 Name: dnsmasq
 Version: 2.82
-Release: 10
+Release: 11
 Summary: Dnsmasq provides network infrastructure for small networks
 License: GPLv2 or GPLv3
 URL: http://www.thekelleys.org.uk/dnsmasq/
@@ -33,6 +33,7 @@ Patch22: backport-0008-Correct-occasional-bind-dynamic-synchronization-brea.
 Patch23: backport-0009-Move-fd-into-frec_src-fixes-15b60ddf935a531269bb8c68.patch
 Patch24: backport-0010-CVE-2021-3448.patch
 Patch25: backport-Fix-write-after-free-in-DHCPv6-code-CVE-2022-0934.patch
+Patch26: backport-Listen-only-on-lo-device-fix-CVE-2020-14312.patch
 
 BuildRequires: dbus-devel pkgconfig libidn2-devel nettle-devel systemd
 Requires: nettle >= 3.4 %{name}-help
@@ -125,6 +126,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man8/dnsmasq*
 
 %changelog
+* Thu Jul 14 2022 renmingshuai - 2.82-11
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2020-14312
+
 * Wed Jul 13 2022 renmingshuai - 2.82-10
 - Type:CVE
 - Id:NA
-- 
Gitee
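Review bot: `Patch26:` is declared in the second hunk, but the diff does not show where the spec applies its patches; if `%prep` uses explicit `%patchN -p1` lines rather than `%autosetup`, a matching `%patch26 -p1` is needed too, otherwise the file is registered but never applied and the build would not flag it. `%prep` lies outside the diff, so this has to be checked against the full spec. In the changelog hunk the entry records `- Id:NA` while the identifier is already in DESC; if the Id field is meant to carry the advisory id, `- Id:CVE-2020-14312` would make the fix greppable in the package history.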