From 9786bf4aecd5727ee3f0e22ea606c83618e5b1f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 5 May 2026 17:26:18 +0200 Subject: [PATCH] Prevent overflow in extract_name function (CVE-2026-2291) Handle invalid names correctly and refuse them without writing into too small buffer. Contains upstream proposed basic fix. Resolves-Vulnerability: CVE-2026-2291 Resolves: RHEL-181041 --- dnsmasq-2.93-CVE-2026-2291.patch | 36 ++++++++++++++++++++++++++++++++ dnsmasq.spec | 6 +++++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 dnsmasq-2.93-CVE-2026-2291.patch diff --git a/dnsmasq-2.93-CVE-2026-2291.patch b/dnsmasq-2.93-CVE-2026-2291.patch new file mode 100644 index 0000000..4e03909 --- /dev/null +++ b/dnsmasq-2.93-CVE-2026-2291.patch @@ -0,0 +1,36 @@ +From b8544d5802e56186eb144fbcdd18070b01dc9ab0 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Fri, 10 Apr 2026 16:29:31 +0100 +Subject: [PATCH 1/5] Fix buffer overflow in struct bigname. CVE-2026-2291 + +All buffers capable of holding a domain name should be +at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum +size of a domain name. The accounts for the trailing zero and the +fact that some characters are escaped in the internal representation +of a domain name in dnsmasq. + +The declaration of struct bigname get this wrong, with the effect +that a remote attacker capable of asking DNS queries or answering DNS +queries can cause a large OOB write in the heap. + +This was first spotted by Andrew S. Fasano. +--- + src/dnsmasq.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index e455c3f..be8cf2a 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -467,7 +467,7 @@ struct interface_name { + }; + + union bigname { +- char name[MAXDNAME]; ++ char name[(2*MAXDNAME) + 1]; + union bigname *next; /* freelist */ + }; + +-- +2.54.0 + diff --git a/dnsmasq.spec b/dnsmasq.spec index 0733902..23de8b1 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -23,7 +23,7 @@ Name: dnsmasq Version: 2.90 -Release: 6%{?extraversion:.%{extraversion}}%{?dist} +Release: 7%{?extraversion:.%{extraversion}}%{?dist} Summary: A lightweight DHCP/caching DNS server # SPDX identifiers already @@ -49,6 +49,7 @@ Patch2: dnsmasq-2.81-configuration.patch Patch3: dnsmasq-2.78-fips.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2439088 Patch4: dnsmasq-CVE-2026-2291.patch +Patch5: dnsmasq-2.93-CVE-2026-2291.patch Requires: nettle @@ -223,6 +224,9 @@ install -Dpm 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf %endif %changelog +* Tue May 05 2026 Petr Menšík - 2.90-7 +- Prevent overflow in extract_name function (CVE-2026-2291) + * Wed Mar 18 2026 Petr Menšík - 2.90-6 - Prevent heap buffer overflow in cache via NAME_ESCAPE expansion (CVE-2026-2291)