From af5fc6574344e4beec6c040ad6fcdf1b35b5bfb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 5 May 2026 17:26:18 +0200
Subject: [PATCH] Prevent overflow in extract_name function (CVE-2026-2291)

Handle invalid names correctly and refuse them without writing into too small buffer. Contains upstream proposed basic fix.

Resolves-Vulnerability: CVE-2026-2291
Resolves: RHEL-148711

(cherry picked from commit f2182d5c6296fe676a449a2ff9bb65326a9339e7)
---
 dnsmasq-2.93-CVE-2026-2291.patch | 36 ++++++++++++++++++++++++++++++++
 dnsmasq.spec | 7 ++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 dnsmasq-2.93-CVE-2026-2291.patch

diff --git a/dnsmasq-2.93-CVE-2026-2291.patch b/dnsmasq-2.93-CVE-2026-2291.patch
new file mode 100644
index 0000000..4e03909
--- /dev/null
+++ b/dnsmasq-2.93-CVE-2026-2291.patch
@@ -0,0 +1,36 @@
+From b8544d5802e56186eb144fbcdd18070b01dc9ab0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Fri, 10 Apr 2026 16:29:31 +0100
+Subject: [PATCH 1/5] Fix buffer overflow in struct bigname. CVE-2026-2291
+
+All buffers capable of holding a domain name should be
+at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
+size of a domain name. The accounts for the trailing zero and the
+fact that some characters are escaped in the internal representation
+of a domain name in dnsmasq.
+
+The declaration of struct bigname get this wrong, with the effect
+that a remote attacker capable of asking DNS queries or answering DNS
+queries can cause a large OOB write in the heap.
+
+This was first spotted by Andrew S. Fasano.
+---
+ src/dnsmasq.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index e455c3f..be8cf2a 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -467,7 +467,7 @@ struct interface_name {
+ };
+ 
+ union bigname {
+- char name[MAXDNAME];
++ char name[(2*MAXDNAME) + 1];
+ union bigname *next; /* freelist */
+ };
+ 
+-- 
+2.54.0
+
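Review bot: The Subject and description say this prevents an overflow in `extract_name` and refuses invalid names, but the only code change the added patch file carries is enlarging `union bigname.name` from `MAXDNAME` to `(2*MAXDNAME) + 1` bytes in src/dnsmasq.h; extract_name itself is not touched, and the embedded upstream Subject marks this as `[PATCH 1/5]` of a series. If the other four upstream patches are deliberately left out for 2.79, the description and the matching %changelog line in the dnsmasq.spec hunk should state which part of CVE-2026-2291 this build addresses, e.g. `Enlarge union bigname to MAXDNAME*2+1 bytes (CVE-2026-2291, upstream patch 1/5)`, so the scope of the fix is not overstated in the advisory trail. The patch file is named for 2.93 while the spec builds 2.79; the hunk's context lines appear unchanged between those versions, so it should apply with a line offset, but that is inferred from the hunk alone and is worth confirming in the build log.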
diff --git a/dnsmasq.spec b/dnsmasq.spec index edc61f7..c94d617 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -13,7 +13,7 @@ Name: dnsmasq Version: 2.79 -Release: 35%{?extraversion:.%{extraversion}}%{?dist} +Release: 36%{?extraversion:.%{extraversion}}%{?dist} Summary: A lightweight DHCP/caching DNS server License: GPLv2 or GPLv3 @@ -107,6 +107,7 @@ Patch47: dnsmasq-2.85-forward-retries.patch # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=45d8a2435e8200e892b82b6a04c7ddfb07a4165a # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb1fe15ca80b6bc43cd6bfdf309ec6c590aff811 Patch48: dnsmasq-2.79-cname-collision.patch +Patch49: dnsmasq-2.93-CVE-2026-2291.patch # This is workaround to nettle bug #1549190 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190 @@ -188,6 +189,7 @@ server's leases. %patch46 -p1 -b .CVE-2023-50387-CVE-2023-50868 %patch47 -p1 -b .RHEL-6586 %patch48 -p1 -b .RHEL-61943 +%patch49 -p1 -b .CVE-2026-2291 # use /var/lib/dnsmasq instead of /var/lib/misc for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do @@ -287,6 +289,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf %{_mandir}/man1/dhcp_* %changelog +* Tue May 05 2026 Petr Menšík - 2.79-36 +- Prevent overflow in extract_name function (CVE-2026-2291) + * Mon Aug 18 2025 Tomas Korbar - 2.79-35 - Fix dnsmasq caching of intertwined CNAMES - Resolves: RHEL-61943