mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-01 01:30:23 +00:00
Code Issues Projects Releases Wiki Activity

dnsmasq: fix CVE-2026-4892

Browse Source 
A heap-based out-of-bounds write vulnerability in the DHCPv6
implementation of dnsmasq allows local attackers to execute
arbitrary code with root privileges via a crafted DHCPv6 packet.

Reference:
[ https://nvd.nist.gov/vuln/detail/CVE-2026-4892 ]

Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Abhishek Bachiphale
2026-05-18 22:43:34 +05:30
committed by Khem Raj
parent a9de48a9fa
commit 21c3d7eb6f
2 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
+1
View File
@@ -18,6 +18,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
file://CVE-2026-2291.patch \
file://CVE-2026-4890.patch \
file://CVE-2026-4891.patch \
file://CVE-2026-4892.patch \
"
SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"
meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch
+36
View File
@@ -0,0 +1,36 @@
commit 011a36c51438c986535a7248ed2e7f424f8e1078
Author: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed Mar 25 23:16:35 2026 +0000
Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
Bug reported bt Royce M <royce@xchglabs.com>
Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
CVE: CVE-2026-4892
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
diff --git a/src/helper.c b/src/helper.c
index 72f81fe..2c12801 100644
--- a/src/helper.c
+++ b/src/helper.c
@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
data.hostname_len + data.ed_len + data.clid_len, RW_READ))
continue;
- /* CLID into packet */
- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
{
p += sprintf(p, "%.2x", buf[i]);
if (i != data.clid_len - 1)