Prevent overflow in extract_name function (CVE-2026-2291)
Handle invalid names correctly and refuse them without writing into too small buffer. Contains upstream proposed basic fix. Resolves-Vulnerability: CVE-2026-2291 Resolves: RHEL-181041
This commit is contained in:
parent
9b84838ba3
commit
9786bf4aec
36
dnsmasq-2.93-CVE-2026-2291.patch
Normal file
36
dnsmasq-2.93-CVE-2026-2291.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From b8544d5802e56186eb144fbcdd18070b01dc9ab0 Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Fri, 10 Apr 2026 16:29:31 +0100
|
||||
Subject: [PATCH 1/5] Fix buffer overflow in struct bigname. CVE-2026-2291
|
||||
|
||||
All buffers capable of holding a domain name should be
|
||||
at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
|
||||
size of a domain name. The accounts for the trailing zero and the
|
||||
fact that some characters are escaped in the internal representation
|
||||
of a domain name in dnsmasq.
|
||||
|
||||
The declaration of struct bigname get this wrong, with the effect
|
||||
that a remote attacker capable of asking DNS queries or answering DNS
|
||||
queries can cause a large OOB write in the heap.
|
||||
|
||||
This was first spotted by Andrew S. Fasano.
|
||||
---
|
||||
src/dnsmasq.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
|
||||
index e455c3f..be8cf2a 100644
|
||||
--- a/src/dnsmasq.h
|
||||
+++ b/src/dnsmasq.h
|
||||
@@ -467,7 +467,7 @@ struct interface_name {
|
||||
};
|
||||
|
||||
union bigname {
|
||||
- char name[MAXDNAME];
|
||||
+ char name[(2*MAXDNAME) + 1];
|
||||
union bigname *next; /* freelist */
|
||||
};
|
||||
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -23,7 +23,7 @@
|
||||
|
||||
Name: dnsmasq
|
||||
Version: 2.90
|
||||
Release: 6%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Release: 7%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Summary: A lightweight DHCP/caching DNS server
|
||||
|
||||
# SPDX identifiers already
|
||||
@ -49,6 +49,7 @@ Patch2: dnsmasq-2.81-configuration.patch
|
||||
Patch3: dnsmasq-2.78-fips.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2439088
|
||||
Patch4: dnsmasq-CVE-2026-2291.patch
|
||||
Patch5: dnsmasq-2.93-CVE-2026-2291.patch
|
||||
|
||||
|
||||
Requires: nettle
|
||||
@ -223,6 +224,9 @@ install -Dpm 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue May 05 2026 Petr Menšík <pemensik@redhat.com> - 2.90-7
|
||||
- Prevent overflow in extract_name function (CVE-2026-2291)
|
||||
|
||||
* Wed Mar 18 2026 Petr Menšík <pemensik@redhat.com> - 2.90-6
|
||||
- Prevent heap buffer overflow in cache via NAME_ESCAPE expansion
|
||||
(CVE-2026-2291)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user