mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
dnsmasq: Fix CVE-2026-4891
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes. [1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4891.patch Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
59f8c396f9
commit
cab6f6c603
@@ -16,6 +16,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
|
|||||||
file://dnsmasq-resolvconf.service \
|
file://dnsmasq-resolvconf.service \
|
||||||
file://dnsmasq-noresolvconf.service \
|
file://dnsmasq-noresolvconf.service \
|
||||||
file://dnsmasq-resolved.conf \
|
file://dnsmasq-resolved.conf \
|
||||||
|
file://CVE-2026-4891.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b"
|
SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b"
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,44 @@
|
|||||||
|
From 046fe2393ea47622b8e1c3e0c6dcca8347a6c431 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||||
|
Date: Wed, 25 Mar 2026 23:04:08 +0000
|
||||||
|
Subject: [PATCH] Verify rdlen field in RRSIG packets. CVE-2026-4891
|
||||||
|
|
||||||
|
Bug report from Royce M <royce@xchglabs.com>
|
||||||
|
|
||||||
|
This avoids crafted packets which give a value for rdlen _less_
|
||||||
|
then the space taken up by the fixed data and the signer's name
|
||||||
|
and engender a negative calculated length for the signature.
|
||||||
|
|
||||||
|
CVE: CVE-2026-4891
|
||||||
|
Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01]
|
||||||
|
|
||||||
|
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
|
||||||
|
---
|
||||||
|
src/dnssec.c | 10 +++++++---
|
||||||
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/dnssec.c b/src/dnssec.c
|
||||||
|
index 68f1b5d0..d32db5b4 100644
|
||||||
|
--- a/src/dnssec.c
|
||||||
|
+++ b/src/dnssec.c
|
||||||
|
@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||||||
|
|
||||||
|
*ttl_out = ttl;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+ /* Don't trust rdlen not to be too small and give us a negative sig_len
|
||||||
|
+ It has already been checked that it doesn't run us off the end
|
||||||
|
+ of the packet. */
|
||||||
|
+ if ((sig_len = rdlen - (p - psav)) <= 0)
|
||||||
|
+ return STAT_BOGUS;
|
||||||
|
+
|
||||||
|
sig = p;
|
||||||
|
- sig_len = rdlen - (p - psav);
|
||||||
|
-
|
||||||
|
nsigttl = htonl(orig_ttl);
|
||||||
|
|
||||||
|
hash->update(ctx, 18, psav);
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
||||||
Reference in New Issue
Block a user