mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
dnsmasq: upgrade 2.92 -> 2.93
- Update package checksum - Remove obsolete upstreamed patches - Verify successful build and runtime functionality Include upstream security fixes: - CVE-2026-2291 - CVE-2026-4890 Remove following patches as fixes are now included upstream: - CVE-2026-4891 - CVE-2026-4892 - CVE-2026-4893 - CVE-2026-5172 Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
3521444a71
commit
2a9765bf8f
+1
-5
@@ -15,12 +15,8 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
|
|||||||
file://dnsmasq-resolvconf.service \
|
file://dnsmasq-resolvconf.service \
|
||||||
file://dnsmasq-noresolvconf.service \
|
file://dnsmasq-noresolvconf.service \
|
||||||
file://dnsmasq-resolved.conf \
|
file://dnsmasq-resolved.conf \
|
||||||
file://CVE-2026-4891.patch \
|
|
||||||
file://CVE-2026-4892.patch \
|
|
||||||
file://CVE-2026-4893.patch \
|
|
||||||
file://CVE-2026-5172.patch \
|
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"
|
SRC_URI[sha256sum] = "cc967771abdafeb43d10db18932d6b59fd4bed2c69c22acf8cb96aff6920d55f"
|
||||||
|
|
||||||
inherit pkgconfig update-rc.d systemd
|
inherit pkgconfig update-rc.d systemd
|
||||||
|
|
||||||
@@ -1,40 +0,0 @@
|
|||||||
commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da
|
|
||||||
Author: Simon Kelley <simon@thekelleys.org.uk>
|
|
||||||
Date: Wed Mar 25 23:04:08 2026 +0000
|
|
||||||
|
|
||||||
Verify rdlen field in RRSIG packets. CVE-2026-4891
|
|
||||||
|
|
||||||
Bug report from Royce M <royce@xchglabs.com>
|
|
||||||
|
|
||||||
This avoids crafted packets which give a value for rdlen _less_
|
|
||||||
then the space taken up by the fixed data and the signer's name
|
|
||||||
and engender a negative calculated length for the signature.
|
|
||||||
|
|
||||||
CVE: CVE-2026-4891
|
|
||||||
|
|
||||||
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 ]
|
|
||||||
|
|
||||||
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
|
|
||||||
|
|
||||||
diff --git a/src/dnssec.c b/src/dnssec.c
|
|
||||||
index 0860daa..4bb0495 100644
|
|
||||||
--- a/src/dnssec.c
|
|
||||||
+++ b/src/dnssec.c
|
|
||||||
@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
|
||||||
|
|
||||||
*ttl_out = ttl;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+
|
|
||||||
+ /* Don't trust rdlen not to be too small and give us a negative sig_len
|
|
||||||
+ It has already been checked that it doesn't run us off the end
|
|
||||||
+ of the packet. */
|
|
||||||
+ if ((sig_len = rdlen - (p - psav)) <= 0)
|
|
||||||
+ return STAT_BOGUS;
|
|
||||||
+
|
|
||||||
sig = p;
|
|
||||||
- sig_len = rdlen - (p - psav);
|
|
||||||
-
|
|
||||||
nsigttl = htonl(orig_ttl);
|
|
||||||
|
|
||||||
hash->update(ctx, 18, psav);
|
|
||||||
@@ -1,36 +0,0 @@
|
|||||||
commit 011a36c51438c986535a7248ed2e7f424f8e1078
|
|
||||||
Author: Simon Kelley <simon@thekelleys.org.uk>
|
|
||||||
Date: Wed Mar 25 23:16:35 2026 +0000
|
|
||||||
|
|
||||||
Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
|
|
||||||
|
|
||||||
Bug reported bt Royce M <royce@xchglabs.com>
|
|
||||||
|
|
||||||
Location: helper.c:265-270
|
|
||||||
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
|
|
||||||
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
|
|
||||||
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
|
|
||||||
|
|
||||||
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
|
|
||||||
|
|
||||||
CVE: CVE-2026-4892
|
|
||||||
|
|
||||||
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571 ]
|
|
||||||
|
|
||||||
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
|
|
||||||
|
|
||||||
diff --git a/src/helper.c b/src/helper.c
|
|
||||||
index 72f81fe..2c12801 100644
|
|
||||||
--- a/src/helper.c
|
|
||||||
+++ b/src/helper.c
|
|
||||||
@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
|
|
||||||
data.hostname_len + data.ed_len + data.clid_len, RW_READ))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
- /* CLID into packet */
|
|
||||||
- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
|
|
||||||
+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
|
|
||||||
+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
|
|
||||||
{
|
|
||||||
p += sprintf(p, "%.2x", buf[i]);
|
|
||||||
if (i != data.clid_len - 1)
|
|
||||||
@@ -1,34 +0,0 @@
|
|||||||
commit 434d68f2eb1a58744470698483a3ae09b5a9a870
|
|
||||||
Author: Simon Kelley <simon@thekelleys.org.uk>
|
|
||||||
Date: Wed Mar 25 23:22:37 2026 +0000
|
|
||||||
|
|
||||||
Fix broken client subnet validation. CVE-2026-4893
|
|
||||||
|
|
||||||
Bug report from Royce M <royce@xchglabs.com>
|
|
||||||
|
|
||||||
Location: forward.c:713, edns0.c:421
|
|
||||||
|
|
||||||
With --add-subnet enabled, process_reply() passes the OPT record
|
|
||||||
length (~23 bytes) instead of the packet length to check_source().
|
|
||||||
All internal bounds checks fail, and the function always returns 1.
|
|
||||||
ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
|
|
||||||
|
|
||||||
CVE: CVE-2026-4893
|
|
||||||
|
|
||||||
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e3a26d092e47bf1d18aeadb758e4ca35c83b5f2d ]
|
|
||||||
|
|
||||||
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
|
|
||||||
|
|
||||||
diff --git a/src/forward.c b/src/forward.c
|
|
||||||
index e2f64c0..208480d 100644
|
|
||||||
--- a/src/forward.c
|
|
||||||
+++ b/src/forward.c
|
|
||||||
@@ -724,7 +724,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
|
|
||||||
/* Get extended RCODE. */
|
|
||||||
rcode |= sizep[2] << 4;
|
|
||||||
|
|
||||||
- if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source))
|
|
||||||
+ if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source))
|
|
||||||
{
|
|
||||||
my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
|
|
||||||
return 0;
|
|
||||||
@@ -1,34 +0,0 @@
|
|||||||
commit fa3c8ddef6712b52f562813317e6a997e1210123
|
|
||||||
Author: Simon Kelley <simon@thekelleys.org.uk>
|
|
||||||
Date: Mon Mar 30 16:24:33 2026 +0100
|
|
||||||
|
|
||||||
Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
|
|
||||||
|
|
||||||
Thanks to Hugo Martinez Ray for spotting this.
|
|
||||||
|
|
||||||
The value of rdlen for an RR can be a lie, allowing the
|
|
||||||
call to extract_name() at rfc1025.c:952 to advance the value of p1
|
|
||||||
past the calculated end of the record. The makes the calculation
|
|
||||||
of bytes remaining in the RR underflow to a huge number and results
|
|
||||||
in a massive heap OOB read and certain crash.
|
|
||||||
|
|
||||||
CVE: CVE-2026-5172
|
|
||||||
|
|
||||||
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=073082ddc0aba7b8efa15a688d6183463b65effa ]
|
|
||||||
|
|
||||||
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
|
|
||||||
|
|
||||||
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
|
||||||
index f0e1082..7e05fb5 100644
|
|
||||||
--- a/src/rfc1035.c
|
|
||||||
+++ b/src/rfc1035.c
|
|
||||||
@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
||||||
/* Name, extract it then re-encode. */
|
|
||||||
int len;
|
|
||||||
|
|
||||||
- if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
|
|
||||||
+ /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */
|
|
||||||
+ if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr))
|
|
||||||
{
|
|
||||||
blockdata_free(addr.rrblock.rrdata);
|
|
||||||
return 2;
|
|
||||||
Reference in New Issue
Block a user