mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-13 17:39:57 +00:00
dnsmasq: Fix CVE-2026-4892
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes. [1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4892.patch Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Hugo SIMELIERE (Schneider Electric)
committed by
Anuj Mittal
Anuj Mittal
parent
cab6f6c603
commit
e614003e0a
@@ -17,6 +17,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
|
||||
file://dnsmasq-noresolvconf.service \
|
||||
file://dnsmasq-resolved.conf \
|
||||
file://CVE-2026-4891.patch \
|
||||
file://CVE-2026-4892.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b"
|
||||
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
From 2f029069825270a3b91eb5f50bb8477ed7f761d3 Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Wed, 25 Mar 2026 23:16:35 +0000
|
||||
Subject: [PATCH] Fix buffer overflow in helper.c with large CLIDs.
|
||||
CVE-2026-4892
|
||||
|
||||
Bug reported bt Royce M <royce@xchglabs.com>
|
||||
|
||||
Location: helper.c:265-270
|
||||
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
|
||||
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
|
||||
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
|
||||
|
||||
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
|
||||
|
||||
CVE: CVE-2026-4892
|
||||
Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571]
|
||||
|
||||
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
|
||||
---
|
||||
src/helper.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/helper.c b/src/helper.c
|
||||
index b9da2259..3a31e618 100644
|
||||
--- a/src/helper.c
|
||||
+++ b/src/helper.c
|
||||
@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
|
||||
data.hostname_len + data.ed_len + data.clid_len, 1))
|
||||
continue;
|
||||
|
||||
- /* CLID into packet */
|
||||
- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
|
||||
+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
|
||||
+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
|
||||
{
|
||||
p += sprintf(p, "%.2x", buf[i]);
|
||||
if (i != data.clid_len - 1)
|
||||
--
|
||||
2.43.0
|
||||
|
||||
Reference in New Issue
Block a user