import CS git dnsmasq-2.79-36.el8_10

SOURCES/dnsmasq-2.93-CVE-2026-2291.patch

@@ -0,0 +1,36 @@
+From b8544d5802e56186eb144fbcdd18070b01dc9ab0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 10 Apr 2026 16:29:31 +0100
+Subject: [PATCH 1/5] Fix buffer overflow in struct bigname. CVE-2026-2291
+
+All buffers capable of holding a domain name should be
+at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
+size of a domain name. The accounts for the trailing zero and the
+fact that some characters are escaped in the internal representation
+of a domain name in dnsmasq.
+
+The declaration of struct bigname get this wrong, with the effect
+that a remote attacker capable of asking DNS queries or answering DNS
+queries can cause a large OOB write in the heap.
+
+This was first spotted by Andrew S. Fasano.
+---
+ src/dnsmasq.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index e455c3f..be8cf2a 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -467,7 +467,7 @@ struct interface_name {
+ };
+ 
+ union bigname {
+-  char name[MAXDNAME];
++  char name[(2*MAXDNAME) + 1];
+   union bigname *next; /* freelist */
+ };
+ 
+-- 
+2.54.0
+

SOURCES/dnsmasq-2.93-CVE-2026-4890.patch

@@ -0,0 +1,70 @@
+From 09fe631edd6d95630efc11bec8c5017705e68a10 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 10 Apr 2026 22:16:45 +0100
+Subject: [PATCH 2/5] Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
+
+Report from Royce M <royce@xchglabs.com>.
+
+Location: dnssec.c:1290-1306, dnssec.c:1450-1463
+
+The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
+unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
+
+The same code accesses p[2] after only checking rdlen >= 2 without verifying p[1] >= 1, causing OOB reads at 6 locations.
+
+Both bugs are reachable before RRSIG validation (confirmed by the source comment at line 2125), so no valid DNSSEC signatures are needed.
+---
+ src/dnssec.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index ed2f53f..68f1b5d 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1270,10 +1270,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
+ 	     packet checked to be as long as rdlen implies in prove_non_existence() */
+ 	  
+ 	  /* If we can prove that there's no NS record, return that information. */
+-	  if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0)
++	  if (nons && rdlen >= 2 && p[0] == 0 && p[1] >= 1  && (p[2] & (0x80 >> T_NS)) != 0)
+ 	    *nons = 0;
+ 	  
+-	  if (rdlen >= 2 && p[0] == 0)
++	  if (rdlen >= 2 && p[0] == 0 && p[1] >= 1)
+ 	    {
+ 	      /* A CNAME answer would also be valid, so if there's a CNAME is should 
+ 		 have been returned. */
+@@ -1301,8 +1301,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
+ 		  break; /* finished checking */
+ 		}
+ 	      
+-	      rdlen -= p[1];
+-	      p +=  p[1];
++	      rdlen -= p[1] + 2;
++	      p +=  p[1] + 2;
+ 	    }
+ 	  
+ 	  return 0;
+@@ -1429,7 +1429,7 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
+ 		p += hash_len; /* skip next-domain hash */
+ 		rdlen -= p - psave;
+ 
+-		if (rdlen >= 2 && p[0] == 0)
++		if (rdlen >= 2 && p[0] == 0 && p[1] >= 1)
+ 		  {
+ 		    /* If we can prove that there's no NS record, return that information. */
+ 		    if (nons && (p[2] & (0x80 >> T_NS)) != 0)
+@@ -1458,8 +1458,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
+ 			break; /* finished checking */
+ 		      }
+ 		    
+-		    rdlen -= p[1];
+-		    p +=  p[1];
++		    rdlen -= p[1] + 2;
++		    p +=  p[1] + 2;
+ 		  }
+ 		
+ 		return 1;
+-- 
+2.54.0
+

SOURCES/dnsmasq-2.93-CVE-2026-4891.patch

@@ -0,0 +1,39 @@
+From 2efe6d3acaf840fa06d58b6fad21ad73d0865716 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 25 Mar 2026 23:04:08 +0000
+Subject: [PATCH 3/5] Verify rdlen field in RRSIG packets. CVE-2026-4891
+
+Bug report from Royce M <royce@xchglabs.com>
+
+This avoids crafted packets which give a value for rdlen _less_
+then the space taken up by the fixed data and the signer's name
+and engender a negative calculated length for the signature.
+---
+ src/dnssec.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 68f1b5d..d32db5b 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
+ 
+ 	   *ttl_out = ttl;
+ 	 }
+-       
++
++      /* Don't trust rdlen not to be too small and give us a negative sig_len
++	 It has already been checked that it doesn't run us off the end
++	 of the packet. */
++      if ((sig_len = rdlen - (p - psav)) <= 0)
++	return STAT_BOGUS;
++
+       sig = p;
+-      sig_len = rdlen - (p - psav);
+-              
+       nsigttl = htonl(orig_ttl);
+       
+       hash->update(ctx, 18, psav);
+-- 
+2.54.0
+

SOURCES/dnsmasq-2.93-CVE-2026-4892.patch

@@ -0,0 +1,36 @@
+From e0a5f7bef040d25631ffff9abaf8424091b768bc Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 25 Mar 2026 23:16:35 +0000
+Subject: [PATCH 4/5] Fix buffer overflow in helper.c with large CLIDs.
+ CVE-2026-4892
+
+Bug reported bt Royce M <royce@xchglabs.com>
+
+Location: helper.c:265-270
+DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
+the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
+A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
+
+Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
+---
+ src/helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/helper.c b/src/helper.c
+index b9da225..3a31e61 100644
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+ 		      data.hostname_len + data.ed_len + data.clid_len, 1))
+ 	continue;
+ 
+-      /* CLID into packet */
+-      for (p = daemon->packet, i = 0; i < data.clid_len; i++)
++      /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
++      for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
+ 	{
+ 	  p += sprintf(p, "%.2x", buf[i]);
+ 	  if (i != data.clid_len - 1) 
+-- 
+2.54.0
+

SOURCES/dnsmasq-2.93-CVE-2026-4893.patch

@@ -0,0 +1,33 @@
+From 4b8388d967e207b277c45e1fc0fb646767e5ca5d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 25 Mar 2026 23:22:37 +0000
+Subject: [PATCH] Fix broken client subnet validation. CVE-2026-4893
+
+Bug report from Royce M <royce@xchglabs.com>
+
+Location: forward.c:713, edns0.c:421
+
+With --add-subnet enabled, process_reply() passes the OPT record
+length (~23 bytes) instead of the packet length to check_source().
+All internal bounds checks fail, and the function always returns 1.
+ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
+---
+ src/forward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index d27f230..156770a 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -629,7 +629,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
+   
+   if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL)))
+     {
+-      if (check_subnet && !check_source(header, plen, pheader, query_source))
++      if (check_subnet && !check_source(header, n, pheader, query_source))
+ 	{
+ 	  my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
+ 	  return 0;
+-- 
+2.54.0
+

SPECS/dnsmasq.spec

@@ -13,7 +13,7 @@
 
 Name:           dnsmasq
 Version:        2.79
-Release:        35%{?extraversion:.%{extraversion}}%{?dist}
+Release:        36%{?extraversion:.%{extraversion}}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server
 
 License:        GPLv2 or GPLv3
@@ -107,6 +107,11 @@ Patch47:        dnsmasq-2.85-forward-retries.patch
 # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=45d8a2435e8200e892b82b6a04c7ddfb07a4165a
 # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb1fe15ca80b6bc43cd6bfdf309ec6c590aff811
 Patch48:        dnsmasq-2.79-cname-collision.patch
+Patch49:        dnsmasq-2.93-CVE-2026-2291.patch
+Patch50:        dnsmasq-2.93-CVE-2026-4890.patch
+Patch51:        dnsmasq-2.93-CVE-2026-4891.patch
+Patch52:        dnsmasq-2.93-CVE-2026-4892.patch
+Patch53:        dnsmasq-2.93-CVE-2026-4893.patch
 
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -188,6 +193,11 @@ server's leases.
 %patch46 -p1 -b .CVE-2023-50387-CVE-2023-50868
 %patch47 -p1 -b .RHEL-6586
 %patch48 -p1 -b .RHEL-61943
+%patch49 -p1 -b .CVE-2026-2291
+%patch50 -p1 -b .CVE-2026-4890
+%patch51 -p1 -b .CVE-2026-4891
+%patch52 -p1 -b .CVE-2026-4892
+%patch53 -p1 -b .CVE-2026-4893
 
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -287,6 +297,13 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man1/dhcp_*
 
 %changelog
+* Tue May 05 2026 Petr Menšík <pemensik@redhat.com> - 2.79-36
+- Prevent overflow in extract_name function (CVE-2026-2291)
+- Prevent DoS in DNSSEC validation (CVE-2026-4890)
+- Prevent out-of-bounds read in DNSSEC validation (CVE-2026-4891)
+- Prevent out-of-bounds write in DHCPv6 server (CVE-2026-4892)
+- Prevent source check avoidance by RFC 7871 client-subnet (CVE-2026-4893)
+
 * Mon Aug 18 2025 Tomas Korbar <tkorbar@redhat.com> - 2.79-35
 - Fix dnsmasq caching of intertwined CNAMES
 - Resolves: RHEL-61943