From c5ef8fb659db243a276017d29b8080836985ff65 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Tue, 26 May 2026 01:48:39 -0400
Subject: [PATCH] import CS git dnsmasq-2.79-36.el8_10
---
 SOURCES/dnsmasq-2.93-CVE-2026-2291.patch | 36 ++++++++++++
 SOURCES/dnsmasq-2.93-CVE-2026-4890.patch | 70 ++++++++++++++++++++++++
 SOURCES/dnsmasq-2.93-CVE-2026-4891.patch | 39 +++++++++++++
 SOURCES/dnsmasq-2.93-CVE-2026-4892.patch | 36 ++++++++++++
 SOURCES/dnsmasq-2.93-CVE-2026-4893.patch | 33 +++++++++++
 SPECS/dnsmasq.spec | 19 ++++++-
 6 files changed, 232 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/dnsmasq-2.93-CVE-2026-2291.patch
 create mode 100644 SOURCES/dnsmasq-2.93-CVE-2026-4890.patch
 create mode 100644 SOURCES/dnsmasq-2.93-CVE-2026-4891.patch
 create mode 100644 SOURCES/dnsmasq-2.93-CVE-2026-4892.patch
 create mode 100644 SOURCES/dnsmasq-2.93-CVE-2026-4893.patch
diff --git a/SOURCES/dnsmasq-2.93-CVE-2026-2291.patch b/SOURCES/dnsmasq-2.93-CVE-2026-2291.patch
new file mode 100644
index 0000000..4e03909
--- /dev/null
+++ b/SOURCES/dnsmasq-2.93-CVE-2026-2291.patch
@@ -0,0 +1,36 @@
+From b8544d5802e56186eb144fbcdd18070b01dc9ab0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Fri, 10 Apr 2026 16:29:31 +0100
+Subject: [PATCH 1/5] Fix buffer overflow in struct bigname. CVE-2026-2291
+
+All buffers capable of holding a domain name should be
+at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
+size of a domain name. The accounts for the trailing zero and the
+fact that some characters are escaped in the internal representation
+of a domain name in dnsmasq.
+
+The declaration of struct bigname get this wrong, with the effect
+that a remote attacker capable of asking DNS queries or answering DNS
+queries can cause a large OOB write in the heap.
+
+This was first spotted by Andrew S. Fasano.
+---
+ src/dnsmasq.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index e455c3f..be8cf2a 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -467,7 +467,7 @@ struct interface_name {
+ };
+
+ union bigname {
+- char name[MAXDNAME];
++ char name[(2*MAXDNAME) + 1];
+ union bigname *next; /* freelist */
+ };
+
+--
+2.54.0
+
diff --git a/SOURCES/dnsmasq-2.93-CVE-2026-4890.patch b/SOURCES/dnsmasq-2.93-CVE-2026-4890.patch
new file mode 100644
index 0000000..4ae0dcf
--- /dev/null
+++ b/SOURCES/dnsmasq-2.93-CVE-2026-4890.patch
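Review bot: The corrected size `(2*MAXDNAME) + 1` is written out as a bare expression in the union, while the description says every domain-name buffer in the tree must satisfy the same bound, so a second buffer declared with plain `MAXDNAME` would reintroduce the overflow with nothing to flag it. A single named constant next to the MAXDNAME definition, e.g. `#define MAXDNAME_BUF ((2*MAXDNAME) + 1)` used here as `char name[MAXDNAME_BUF];`, documents the escaping rule once and makes the remaining declarations greppable when checking the 2.79 backport. The freelist `next` pointer shares the union, so the larger member changes the size of every pooled bigname; the allocation sites are outside the hunk and are presumably sized from `sizeof(union bigname)`, which is worth confirming in the 2.79 tree.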
@@ -0,0 +1,70 @@
+From 09fe631edd6d95630efc11bec8c5017705e68a10 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Fri, 10 Apr 2026 22:16:45 +0100
+Subject: [PATCH 2/5] Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
+
+Report from Royce M .
+
+Location: dnssec.c:1290-1306, dnssec.c:1450-1463
+
+The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
+unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
+
+The same code accesses p[2] after only checking rdlen >= 2 without verifying p[1] >= 1, causing OOB reads at 6 locations.
+
+Both bugs are reachable before RRSIG validation (confirmed by the source comment at line 2125), so no valid DNSSEC signatures are needed.
+---
+ src/dnssec.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index ed2f53f..68f1b5d 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1270,10 +1270,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
+ packet checked to be as long as rdlen implies in prove_non_existence() */
+
+ /* If we can prove that there's no NS record, return that information. */
+- if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0)
++ if (nons && rdlen >= 2 && p[0] == 0 && p[1] >= 1 && (p[2] & (0x80 >> T_NS)) != 0)
+ *nons = 0;
+
+- if (rdlen >= 2 && p[0] == 0)
++ if (rdlen >= 2 && p[0] == 0 && p[1] >= 1)
+ {
+ /* A CNAME answer would also be valid, so if there's a CNAME is should
+ have been returned. 
*/
+@@ -1301,8 +1301,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
+ break; /* finished checking */
+ }
+
+- rdlen -= p[1];
+- p += p[1];
++ rdlen -= p[1] + 2;
++ p += p[1] + 2;
+ }
+
+ return 0;
+@@ -1429,7 +1429,7 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
+ p += hash_len; /* skip next-domain hash */
+ rdlen -= p - psave;
+
+- if (rdlen >= 2 && p[0] == 0)
++ if (rdlen >= 2 && p[0] == 0 && p[1] >= 1)
+ {
+ /* If we can prove that there's no NS record, return that information. */
+ if (nons && (p[2] & (0x80 >> T_NS)) != 0)
+@@ -1458,8 +1458,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
+ break; /* finished checking */
+ }
+
+- rdlen -= p[1];
+- p += p[1];
++ rdlen -= p[1] + 2;
++ p += p[1] + 2;
+ }
+
+ return 1;
+--
+2.54.0
+
diff --git a/SOURCES/dnsmasq-2.93-CVE-2026-4891.patch b/SOURCES/dnsmasq-2.93-CVE-2026-4891.patch
new file mode 100644
index 0000000..3be3dad
--- /dev/null
+++ b/SOURCES/dnsmasq-2.93-CVE-2026-4891.patch
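Review bot: The window walk now advances by `p[1] + 2` in both prove_non_existence_nsec and check_nsec3_coverage, but neither place checks that the window actually fits in the remaining `rdlen` before subtracting, so a bitmap length larger than what is left drives rdlen negative (or wraps it, if rdlen is unsigned — its declaration is outside the hunk) and termination then depends on the loop condition rather than on an explicit bound. A guard before the subtraction, `if (rdlen < p[1] + 2) /* window runs past the RDATA */`, followed by whatever the function already returns for a truncated record, makes the invariant the context comment relies on ("packet checked to be as long as rdlen implies") hold per window as well. The `p[1] >= 1` checks cover the `p[2]` reads, and since RFC 4034 bounds the window bitmap length to 1..32, rejecting `p[1] > 32` in the same condition would refuse malformed records up front instead of walking them. Both loop heads and the function bodies continue outside the hunk.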
@@ -0,0 +1,39 @@
+From 2efe6d3acaf840fa06d58b6fad21ad73d0865716 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Wed, 25 Mar 2026 23:04:08 +0000
+Subject: [PATCH 3/5] Verify rdlen field in RRSIG packets. CVE-2026-4891
+
+Bug report from Royce M
+
+This avoids crafted packets which give a value for rdlen _less_
+then the space taken up by the fixed data and the signer's name
+and engender a negative calculated length for the signature.
+---
+ src/dnssec.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 68f1b5d..d32db5b 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
+
+ *ttl_out = ttl;
+ }
+-
++
++ /* Don't trust rdlen not to be too small and give us a negative sig_len
++ It has already been checked that it doesn't run us off the end
++ of the packet. */
++ if ((sig_len = rdlen - (p - psav)) <= 0)
++ return STAT_BOGUS;
++
+ sig = p;
+- sig_len = rdlen - (p - psav);
+-
+ nsigttl = htonl(orig_ttl);
+
+ hash->update(ctx, 18, psav);
+--
+2.54.0
+
diff --git a/SOURCES/dnsmasq-2.93-CVE-2026-4892.patch b/SOURCES/dnsmasq-2.93-CVE-2026-4892.patch
new file mode 100644
index 0000000..db5c266
--- /dev/null
+++ b/SOURCES/dnsmasq-2.93-CVE-2026-4892.patch
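Review bot: `if ((sig_len = rdlen - (p - psav)) <= 0)` only rejects a too-small rdlen if `sig_len` is a signed type; its declaration is above the hunk, and if it is `size_t` or `unsigned` the negative difference wraps to a large value and the test catches only an exact zero. Comparing the operands before the store removes that dependency: `if (rdlen < p - psav) return STAT_BOGUS;` then `sig_len = rdlen - (p - psav);`, keeping a `sig_len == 0` rejection if an empty signature should stay bogus as the new code treats it. The new comment also lacks a period after `sig_len`, so its first two lines read as one run-on sentence. validate_rrset's body continues on both sides of the hunk.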
@@ -0,0 +1,36 @@
+From e0a5f7bef040d25631ffff9abaf8424091b768bc Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Wed, 25 Mar 2026 23:16:35 +0000
+Subject: [PATCH 4/5] Fix buffer overflow in helper.c with large CLIDs.
+ CVE-2026-4892
+
+Bug reported bt Royce M
+
+Location: helper.c:265-270
+DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
+the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
+A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
+
+Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
+---
+ src/helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/helper.c b/src/helper.c
+index b9da225..3a31e61 100644
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+ data.hostname_len + data.ed_len + data.clid_len, 1))
+ continue;
+
+- /* CLID into packet */
+- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
++ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
++ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
+ {
+ p += sprintf(p, "%.2x", buf[i]);
+ if (i != data.clid_len - 1)
+--
+2.54.0
+
diff --git a/SOURCES/dnsmasq-2.93-CVE-2026-4893.patch b/SOURCES/dnsmasq-2.93-CVE-2026-4893.patch
new file mode 100644
index 0000000..773c6df
--- /dev/null
+++ b/SOURCES/dnsmasq-2.93-CVE-2026-4893.patch
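Review bot: The cap `i < 100` stops the hex encoding, but the separator test on the next line, `if (i != data.clid_len - 1)`, still compares against the full CLID length, so for a CLID longer than 100 bytes the last encoded byte is presumably followed by a trailing separator (the write itself is below the hunk) and the script receives a value ending in a delimiter. Computing the clamped length once and using it in both places avoids that: a local `clid_out` of the same type as `i`, set to `data.clid_len < 100 ? data.clid_len : 100`, then `for (p = daemon->packet, i = 0; i < clid_out; i++)` and `if (i != clid_out - 1)`. The 100 is the same limit the description attributes to log6_packet(), so a shared named constant would keep the two paths from drifting apart again, and the comment should state that the CLID handed to the script is silently truncated rather than only that the buffer is protected. create_helper's body continues on both sides of the hunk.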
@@ -0,0 +1,33 @@
+From 4b8388d967e207b277c45e1fc0fb646767e5ca5d Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Wed, 25 Mar 2026 23:22:37 +0000
+Subject: [PATCH] Fix broken client subnet validation. CVE-2026-4893
+
+Bug report from Royce M
+
+Location: forward.c:713, edns0.c:421
+
+With --add-subnet enabled, process_reply() passes the OPT record
+length (~23 bytes) instead of the packet length to check_source().
+All internal bounds checks fail, and the function always returns 1.
+ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
+---
+ src/forward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index d27f230..156770a 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -629,7 +629,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
+
+ if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL)))
+ {
+- if (check_subnet && !check_source(header, plen, pheader, query_source))
++ if (check_subnet && !check_source(header, n, pheader, query_source))
+ {
+ my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
+ return 0;
+--
+2.54.0
+
diff --git a/SPECS/dnsmasq.spec b/SPECS/dnsmasq.spec
index edc61f7..77f5c6b 100644
--- a/SPECS/dnsmasq.spec
+++ b/SPECS/dnsmasq.spec
@@ -13,7 +13,7 @@ Name: dnsmasq
 Version: 2.79
-Release: 35%{?extraversion:.%{extraversion}}%{?dist}
+Release: 36%{?extraversion:.%{extraversion}}%{?dist}
 Summary: A lightweight DHCP/caching DNS server
 License: GPLv2 or GPLv3
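Review bot: The fix passes `n` to check_source(), but `plen` — which find_pseudoheader() fills in two lines above and which the description identifies as the OPT record length — stays in scope beside it under a name that reads like "packet length", so the same mix-up can recur on the next edit. A one-line comment at the call site would pin the contract: `/* check_source() takes the whole-packet length n; plen is the OPT record length filled in by find_pseudoheader(). */`. Renaming that local to something like `opt_len` the next time this code is touched would remove the ambiguity entirely. process_reply's body continues outside the hunk on both sides.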
@@ -107,6 +107,11 @@ Patch47: dnsmasq-2.85-forward-retries.patch
 # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=45d8a2435e8200e892b82b6a04c7ddfb07a4165a
 # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb1fe15ca80b6bc43cd6bfdf309ec6c590aff811
 Patch48: dnsmasq-2.79-cname-collision.patch
+Patch49: dnsmasq-2.93-CVE-2026-2291.patch
+Patch50: dnsmasq-2.93-CVE-2026-4890.patch
+Patch51: dnsmasq-2.93-CVE-2026-4891.patch
+Patch52: dnsmasq-2.93-CVE-2026-4892.patch
+Patch53: dnsmasq-2.93-CVE-2026-4893.patch
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -188,6 +193,11 @@ server's leases.
 %patch46 -p1 -b .CVE-2023-50387-CVE-2023-50868
 %patch47 -p1 -b .RHEL-6586
 %patch48 -p1 -b .RHEL-61943
+%patch49 -p1 -b .CVE-2026-2291
+%patch50 -p1 -b .CVE-2026-4890
+%patch51 -p1 -b .CVE-2026-4891
+%patch52 -p1 -b .CVE-2026-4892
+%patch53 -p1 -b .CVE-2026-4893
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -287,6 +297,13 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man1/dhcp_*
 %changelog
+* Tue May 05 2026 Petr Menšík - 2.79-36
+- Prevent overflow in extract_name function (CVE-2026-2291)
+- Prevent DoS in DNSSEC validation (CVE-2026-4890)
+- Prevent out-of-bounds read in DNSSEC validation (CVE-2026-4891)
+- Prevent out-of-bounds write in DHCPv6 server (CVE-2026-4892)
+- Prevent source check avoidance by RFC 7871 client-subnet (CVE-2026-4893)
+
 * Mon Aug 18 2025 Tomas Korbar - 2.79-35
 - Fix dnsmasq caching of intertwined CNAMES
 - Resolves: RHEL-61943