From a9de48a9fa55a254c0bf2eb528c81bd90e015c03 Mon Sep 17 00:00:00 2001 From: Abhishek Bachiphale Date: Mon, 18 May 2026 22:43:33 +0530 Subject: [PATCH] dnsmasq: fix CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. Reference: [ https://nvd.nist.gov/vuln/detail/CVE-2026-4891 ] Signed-off-by: Abhishek Bachiphale Signed-off-by: Khem Raj --- .../recipes-support/dnsmasq/dnsmasq_2.92.bb | 1 + .../dnsmasq/files/CVE-2026-4891.patch | 40 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb index 61cdccb241..850bfd2657 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb @@ -17,6 +17,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV file://dnsmasq-resolved.conf \ file://CVE-2026-2291.patch \ file://CVE-2026-4890.patch \ + file://CVE-2026-4891.patch \ " SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1" diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch new file mode 100644 index 0000000000..e721f5ec0b --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch @@ -0,0 +1,40 @@ +commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da +Author: Simon Kelley +Date: Wed Mar 25 23:04:08 2026 +0000 + +Verify rdlen field in RRSIG packets. CVE-2026-4891 + +Bug report from Royce M + +This avoids crafted packets which give a value for rdlen _less_ +then the space taken up by the fixed data and the signer's name +and engender a negative calculated length for the signature. + +CVE: CVE-2026-4891 + +Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 ] + +Signed-off-by: Abhishek Bachiphale + +diff --git a/src/dnssec.c b/src/dnssec.c +index 0860daa..4bb0495 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in + + *ttl_out = ttl; + } +- ++ ++ /* Don't trust rdlen not to be too small and give us a negative sig_len ++ It has already been checked that it doesn't run us off the end ++ of the packet. */ ++ if ((sig_len = rdlen - (p - psav)) <= 0) ++ return STAT_BOGUS; ++ + sig = p; +- sig_len = rdlen - (p - psav); +- + nsigttl = htonl(orig_ttl); + + hash->update(ctx, 18, psav);