Prevent overflow in extract_name function (CVE-2026-2291)
Handle invalid names correctly and refuse them without writing into a too-small buffer. Contains the upstream-proposed basic fix. Resolves-Vulnerability: CVE-2026-2291 Resolves: RHEL-148711 (cherry picked from commit f2182d5c6296fe676a449a2ff9bb65326a9339e7)
This commit is contained in:
parent
1f97a52930
commit
af5fc65743
36
dnsmasq-2.93-CVE-2026-2291.patch
Normal file
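--- a/dnsmasq-2.93-CVE-2026-2291.patch
+++ b/dnsmasq-2.93-CVE-2026-2291.patch
@@ -0,0 +1,36 @@
+From b8544d5802e56186eb144fbcdd18070b01dc9ab0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 10 Apr 2026 16:29:31 +0100
+Subject: [PATCH 1/5] Fix buffer overflow in struct bigname. CVE-2026-2291
+
+All buffers capable of holding a domain name should be
+at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
+size of a domain name. The accounts for the trailing zero and the
+fact that some characters are escaped in the internal representation
+of a domain name in dnsmasq.
+
+The declaration of struct bigname get this wrong, with the effect
+that a remote attacker capable of asking DNS queries or answering DNS
+queries can cause a large OOB write in the heap.
+
+This was first spotted by Andrew S. Fasano.
+---
+src/dnsmasq.h | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index e455c3f..be8cf2a 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -467,7 +467,7 @@ struct interface_name {
+};
+
+union bigname {
+- char name[MAXDNAME];
++ char name[(2*MAXDNAME) + 1];
+union bigname *next; /* freelist */
+};
+
+--
+2.54.0
+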
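Review bot: The added patch is only part 1 of a 5-part upstream series (Subject: [PATCH 1/5]) and changes a single declaration, `char name[(2*MAXDNAME) + 1];` in `union bigname`, whereas the commit title and changelog describe preventing overflow in extract_name and refusing invalid names; nothing on the page records whether parts 2-5 are required for the 2.79 backport or were judged unnecessary. That decision belongs next to the `Patch49:` line in the spec, e.g. `# CVE-2026-2291: upstream part 1/5 (bigname size); status of parts 2-5: <to be filled in>`. The upstream message states that every buffer holding a domain name should be at least MAXDNAME*2 + 1 bytes, so other `char ...[MAXDNAME]` declarations in the 2.79 tree should be audited as part of this backport, since this patch covers only `union bigname`. The patch was generated against a 2.93 tree (index e455c3f..be8cf2a, hunk at line 467), so when `%patch49 -p1` is applied to 2.79 the hunk presumably lands by offset or fuzz; confirming that in the build log would avoid a silently misplaced change.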
@ -13,7 +13,7 @@
|
||||
|
||||
Name: dnsmasq
|
||||
Version: 2.79
|
||||
Release: 35%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Release: 36%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Summary: A lightweight DHCP/caching DNS server
|
||||
|
||||
License: GPLv2 or GPLv3
|
||||
@ -107,6 +107,7 @@ Patch47: dnsmasq-2.85-forward-retries.patch
|
||||
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=45d8a2435e8200e892b82b6a04c7ddfb07a4165a
|
||||
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb1fe15ca80b6bc43cd6bfdf309ec6c590aff811
|
||||
Patch48: dnsmasq-2.79-cname-collision.patch
|
||||
Patch49: dnsmasq-2.93-CVE-2026-2291.patch
|
||||
|
||||
# This is workaround to nettle bug #1549190
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
||||
@ -188,6 +189,7 @@ server's leases.
|
||||
%patch46 -p1 -b .CVE-2023-50387-CVE-2023-50868
|
||||
%patch47 -p1 -b .RHEL-6586
|
||||
%patch48 -p1 -b .RHEL-61943
|
||||
%patch49 -p1 -b .CVE-2026-2291
|
||||
|
||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||
@ -287,6 +289,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
|
||||
%{_mandir}/man1/dhcp_*
|
||||
|
||||
%changelog
|
||||
* Tue May 05 2026 Petr Menšík <pemensik@redhat.com> - 2.79-36
|
||||
- Prevent overflow in extract_name function (CVE-2026-2291)
|
||||
|
||||
* Mon Aug 18 2025 Tomas Korbar <tkorbar@redhat.com> - 2.79-35
|
||||
- Fix dnsmasq caching of intertwined CNAMES
|
||||
- Resolves: RHEL-61943
|
||||
|
||||