dnsmasq: upgrade 2.92 -> 2.93

ChangeLog:
https://dnsmasq.org/CHANGELOG

- Update checksum
- Remove obsolete patches
- Verified build and runtime functionality

Security fixes (included upstream in 2.93):
- CVE-2026-2291
- CVE-2026-4890
- CVE-2026-4891
- CVE-2026-4892
- CVE-2026-4893
- CVE-2026-5172

- Removed patches corresponding to the above CVEs
  as fixes are now part of upstream release

Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Abhishek Bachiphale
2026-06-05 02:22:57 +05:30
committed by Khem Raj
parent b2b319eef3
commit 44ec3710d5
7 changed files with 1 additions and 238 deletions
@@ -15,14 +15,8 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
file://dnsmasq-resolvconf.service \
file://dnsmasq-noresolvconf.service \
file://dnsmasq-resolved.conf \
file://CVE-2026-2291.patch \
file://CVE-2026-4890.patch \
file://CVE-2026-4891.patch \
file://CVE-2026-4892.patch \
file://CVE-2026-4893.patch \
file://CVE-2026-5172.patch \
"
SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"
SRC_URI[sha256sum] = "cc967771abdafeb43d10db18932d6b59fd4bed2c69c22acf8cb96aff6920d55f"
inherit pkgconfig update-rc.d systemd
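Review bot: the SRC_URI shown in this hunk's header line still fetches the tarball over plain `http://www.thekelleys.org.uk/...`, so the updated `SRC_URI[sha256sum]` is the only integrity control on the new 2.93 source. The Upstream-Status links in the removed patches already use https for the same host, so consider switching the fetch to https and stating in the commit message how the new checksum was obtained. With the six `file://CVE-2026-*.patch` entries dropped, it is also worth confirming that the CVE scan reports them as fixed by version for 2.93, since no patch files remain to mark them as patched.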
@@ -1,37 +0,0 @@
commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660
Author: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri Apr 10 16:29:31 2026 +0100
Fix buffer overflow in struct bigname. CVE-2026-2291
All buffers capable of holding a domain name should be
at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
size of a domain name. The accounts for the trailing zero and the
fact that some characters are escaped in the internal representation
of a domain name in dnsmasq.
The declaration of struct bigname get this wrong, with the effect
that a remote attacker capable of asking DNS queries or answering DNS
queries can cause a large OOB write in the heap.
This was first spotted by Andrew S. Fasano.
CVE: CVE-2026-2291
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=014e909f787e808bb35daa546d3f8f3663918de2 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 254bacd..58be09f 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -479,7 +479,7 @@ struct interface_name {
};
union bigname {
- char name[MAXDNAME];
+ char name[(2*MAXDNAME) + 1];
union bigname *next; /* freelist */
};
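Review bot: `char name[(2*MAXDNAME) + 1];` encodes the sizing rule from the commit message as a bare expression inside the union, so the next buffer declared for a domain name can get it wrong the same way. A named macro for the escaped-name buffer size, used here and in the other declarations, would make the rule easy to audit. Since this backport is being dropped, also confirm that src/dnsmasq.h in 2.93 carries this declaration.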
@@ -1,50 +0,0 @@
commit 4fdb707633afe8028118bcaf39b4882f634b5999
Author: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri Apr 10 16:24:02 2026 +0100
Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
Report from Royce M <royce@xchglabs.com>.
Location: dnssec.c:1290-1306, dnssec.c:1450-1463
The bitmap window iteration advances by p[1] instead of p[1]+2
(missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
Reachable before RRSIG validation
(confirmed by the source comment at line 2125), so no valid
DNSSEC signatures are needed.
CVE: CVE-2026-4890
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7b151eb60609a0139474918222806f9bcfb4fe71 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
diff --git a/src/dnssec.c b/src/dnssec.c
index 4bb0495..3951620 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1348,8 +1348,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
break; /* finished checking */
}
- rdlen -= p[1];
- p += p[1];
+ rdlen -= p[1] + 2;
+ p += p[1] + 2;
}
return 0;
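Review bot: in prove_non_existence_nsec(), `rdlen -= p[1] + 2;` trusts the window length byte, and nothing in the visible lines checks that `rdlen` is at least `p[1] + 2` before the subtraction and the matching `p += p[1] + 2;`. If the loop condition above the hunk does not already guarantee that, a window whose length byte overstates the remaining rdata would step `p` past the record. An explicit bounds check ahead of these two lines would make the guarantee visible.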
@@ -1512,8 +1512,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
break; /* finished checking */
}
- rdlen -= p[1];
- p += p[1];
+ rdlen -= p[1] + 2;
+ p += p[1] + 2;
}
return 1;
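Review bot: check_nsec3_coverage() receives the identical two-line fix as prove_non_existence_nsec(), which shows the type-bitmap walk is duplicated in both functions. Moving the window iteration into one shared helper would keep the NSEC and NSEC3 paths from diverging and give a single place to test a zero-length bitmap window.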
@@ -1,40 +0,0 @@
commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da
Author: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed Mar 25 23:04:08 2026 +0000
Verify rdlen field in RRSIG packets. CVE-2026-4891
Bug report from Royce M <royce@xchglabs.com>
This avoids crafted packets which give a value for rdlen _less_
then the space taken up by the fixed data and the signer's name
and engender a negative calculated length for the signature.
CVE: CVE-2026-4891
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
diff --git a/src/dnssec.c b/src/dnssec.c
index 0860daa..4bb0495 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
*ttl_out = ttl;
}
-
+
+ /* Don't trust rdlen not to be too small and give us a negative sig_len
+ It has already been checked that it doesn't run us off the end
+ of the packet. */
+ if ((sig_len = rdlen - (p - psav)) <= 0)
+ return STAT_BOGUS;
+
sig = p;
- sig_len = rdlen - (p - psav);
-
nsigttl = htonl(orig_ttl);
hash->update(ctx, 18, psav);
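Review bot: the new guard `if ((sig_len = rdlen - (p - psav)) <= 0)` only rejects a short rdlen if `sig_len` is a signed type; its declaration is not in this hunk, and with an unsigned type the negative case would wrap to a large value and pass. Comparing before subtracting, for example testing `rdlen <= p - psav` and then assigning, removes the dependence on signedness and avoids the assignment inside the condition. The blank-line removal and re-addition just above the comment is whitespace churn that can be dropped.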
@@ -1,36 +0,0 @@
commit 011a36c51438c986535a7248ed2e7f424f8e1078
Author: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed Mar 25 23:16:35 2026 +0000
Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
Bug reported bt Royce M <royce@xchglabs.com>
Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
CVE: CVE-2026-4892
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571 ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
diff --git a/src/helper.c b/src/helper.c
index 72f81fe..2c12801 100644
--- a/src/helper.c
+++ b/src/helper.c
@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
data.hostname_len + data.ed_len + data.clid_len, RW_READ))
continue;
- /* CLID into packet */
- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
{
p += sprintf(p, "%.2x", buf[i]);
if (i != data.clid_len - 1)
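Review bot: the loop now stops at 100 bytes, but the test on the last visible line, `if (i != data.clid_len - 1)`, still compares against the full `clid_len`, so for a CLID longer than 100 bytes the final encoded byte is treated as not-last and whatever that branch emits follows it. Compute the capped length once, use it in both the loop condition and this test, and replace the literal 100 with a constant shared with the log6_packet() cap mentioned in the commit message.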
@@ -1,34 +0,0 @@
commit 434d68f2eb1a58744470698483a3ae09b5a9a870
Author: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed Mar 25 23:22:37 2026 +0000
Fix broken client subnet validation. CVE-2026-4893
Bug report from Royce M <royce@xchglabs.com>
Location: forward.c:713, edns0.c:421
With --add-subnet enabled, process_reply() passes the OPT record
length (~23 bytes) instead of the packet length to check_source().
All internal bounds checks fail, and the function always returns 1.
ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
CVE: CVE-2026-4893
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e3a26d092e47bf1d18aeadb758e4ca35c83b5f2d ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
diff --git a/src/forward.c b/src/forward.c
index e2f64c0..208480d 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -724,7 +724,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
/* Get extended RCODE. */
rcode |= sizep[2] << 4;
- if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source))
+ if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source))
{
my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
return 0;
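Review bot: the corrected call `check_source(header, n, pheader, query_source)` differs from the broken one only by `n` versus `plen`, two length variables in the same scope with nothing in the visible lines saying which one is the packet length. A comment at the call, or renaming `plen` to reflect that it holds the OPT record length as the commit message describes, would stop the same mix-up recurring. A regression test that sends a reply with a mismatched subnet option would confirm the "subnet option mismatch" warning path is actually reached.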
@@ -1,34 +0,0 @@
commit fa3c8ddef6712b52f562813317e6a997e1210123
Author: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon Mar 30 16:24:33 2026 +0100
Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
Thanks to Hugo Martinez Ray for spotting this.
The value of rdlen for an RR can be a lie, allowing the
call to extract_name() at rfc1025.c:952 to advance the value of p1
past the calculated end of the record. The makes the calculation
of bytes remaining in the RR underflow to a huge number and results
in a massive heap OOB read and certain crash.
CVE: CVE-2026-5172
Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=073082ddc0aba7b8efa15a688d6183463b65effa ]
Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
diff --git a/src/rfc1035.c b/src/rfc1035.c
index f0e1082..7e05fb5 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
/* Name, extract it then re-encode. */
int len;
- if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
+ /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */
+ if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr))
{
blockdata_free(addr.rrblock.rrdata);
return 2;
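Review bot: the added comment says extract_name() "advances p1 past where it says the record ends", which reads as if that always happens; "may advance" matches the `(p1 > endrr)` test it documents. The commit message cites rfc1025.c:952 while the diff touches src/rfc1035.c, so the reference should be corrected if this text is reused. The test also lets `p1 == endrr` through, which is right only if the code after the hunk handles zero remaining bytes in the record.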