Commit Graph

273 Commits

Author SHA1 Message Date
Petr Menšík
2bcf829f3a Fix buffer overflow in helper.c with large CLIDs (CVE-2026-4892)
Bug reported bt Royce M <royce@xchglabs.com>

Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.

Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.

Resolves-Vulnerability: CVE-2026-4892
Resolves: RHEL-168313
2026-06-03 10:40:18 +02:00
Petr Menšík
cd2aa18d31 Verify rdlen field in RRSIG packets (CVE-2026-4891)
Resolves-Vulnerability: CVE-2026-4891
Resolves: RHEL-168295
2026-06-03 10:40:18 +02:00
Petr Menšík
e7eb721b3a Fix NSEC bitmap parsing infinite loop (CVE-2026-4890)
Resolves-Vulnerability: CVE-2026-4890
Resolves: RHEL-168277
2026-06-03 10:40:18 +02:00
Petr Menšík
9786bf4aec Prevent overflow in extract_name function (CVE-2026-2291)
Handle invalid names correctly and refuse them without writing into too
small buffer. Contains upstream proposed basic fix.

Resolves-Vulnerability: CVE-2026-2291
Resolves: RHEL-181041
2026-06-03 10:40:02 +02:00
Petr Menšík
9b84838ba3 Fix improper validated wire format of DNS name
Ensure extract_name stops whenever name is longer than 255 bytes. That
is defined by RFC 1035 and MAXDNAME is derived from that length. Dnsmasq
until now relied on upstream servers filtering similar responses to be
filtered out.

Stop immediately if the packet is big enough, but binary name length
exceeds 255 bytes. That is prerequisite for escaped name to become
longer than existing buffer long MAXDNAME. Introduce new MAXWNAME
constant for on-wire length limit. MAXDNAME remains escaped
"presentation" format limit, possibly containing IDN or escaping.
Standard escaping is \ddd, where ddd are decadic value of that byte.
Such escaping is not implemented by dnsmasq. MAXDNAME should be large
enough for any escaped names as long as MAXWNAME cannot exceed defined
length.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
Resolves-Vulnerability: CVE-2026-2291
Resolves: RHEL-181041
2026-06-03 10:39:06 +02:00
Fedor Vorobev
63b2c9b44b Added installation of tmpfiles.d config
Resolves: RHEL-122843
2025-12-08 14:44:29 +01:00
psklenar@redhat.com
9aaabd7373 https://issues.redhat.com/browse/RHELMISC-13073 2025-06-05 12:16:04 +02:00
Troy Dawson
cd5b7c14b2 Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
2024-10-29 08:21:18 -07:00
Troy Dawson
b1f44a24ce Bump release for June 2024 mass rebuild 2024-06-24 08:40:26 -07:00
Petr Menšík
7ab3fdda5f Update SPDX in license tag to use uppercase conjunction
Resolves: RHEL-35710
2024-06-01 00:09:59 +02:00
Petr Menšík
fb809b9034 Update to 2.90 (#2264049)
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

Resolves: RHEL-39607 RHEL-39608
2024-06-01 00:09:37 +02:00
psklenar@redhat.com
3488577874 plans with the dnsmasq 2024-05-27 11:04:27 +02:00
psklenar@redhat.com
388d0ea40b nm.fmf with NetworkManager 2024-05-27 10:10:58 +02:00
psklenar@redhat.com
ca783ac32c plans.fmf with all plans 2024-05-27 10:04:18 +02:00
psklenar@redhat.com
d66faf5d10 plans.fmf with all plans 2024-05-27 10:00:23 +02:00
psklenar@redhat.com
d67484713c rhel10 setting for CI 2024-05-27 09:58:02 +02:00
Fedora Release Engineering
54bb18c16c Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-24 09:38:05 +00:00
Fedora Release Engineering
4738f026dd Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-19 17:21:39 +00:00
Petr Menšík
31e2c5fa8f Use local-service=host for initial configuration (#2258062)
Use just specialized local-service option, which would deactivate as
soon as any interface= or listen-address= options are used.

Update default configuration to use it.
2024-01-12 17:50:49 +01:00
Petr Menšík
f1847fcc57 Add VCS tag to package
Use forgeurl0 variable to store upstream git repository URL and use
that.
2023-07-20 10:45:22 +02:00
Fedora Release Engineering
656cd1120e Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-19 17:40:50 +00:00
Petr Menšík
22d735d001 Add extra test plan to run all defined tests
They should not block release on failure, but should be executed with
visible results.
2023-06-13 13:55:42 +02:00
Petr Menšík
9234006b7d Prevent crash on dbus reconnection (#2186468) 2023-04-27 11:46:29 +02:00
Petr Menšík
c4797a90af Actually enable localization support in dnsmasq (#2131681) 2023-04-27 11:34:32 +02:00
Petr Menšík
8311b7dd12 Include localized man pages simpler way
Make language packs noarch also
2023-04-05 18:10:18 +02:00
Petr Menšík
067b065880 Add separate SPDX licenses also to translations 2023-04-05 17:52:22 +02:00
Petr Menšík
d57471e354 Set the default maximum DNS UDP packet size to 1232
Resolves: CVE-2023-28450
2023-04-03 16:26:57 +02:00
Petr Menšík
76bd39af36 Update to 2.89 (#2167121)
Fix bug introduced in 2.88 (commit fe91134b) which can result
in corruption of the DNS cache internal data structures and
logging of "cache internal error". This has only been seen
in one place in the wild, and it took considerable effort
to even generate a test case to reproduce it, but there's
no way to be sure it won't strike, and the effect is to break
the cache badly. Installations with DNSSEC enabled are more
likely to see the problem, but not running DNSSEC does not
guarantee that it won't happen. Thanks to Timo van Roermund
for reporting the bug and for his great efforts in chasing
it down.

Also --no-ident option to disable CHAOS entries.
2023-02-13 20:11:42 +01:00
Fedora Release Engineering
c18e8375ae Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 01:36:01 +00:00
Petr Menšík
b313864b6c Create dnsmasq-langpack subpackage with translations (#2131681)
For now create just single additional languages pack, which provides
translations for some localizations. Because it is quite small, it
should not matter.
2022-12-08 18:18:41 +01:00
Petr Menšík
773d89e137 Update to 2.88 (#2150667)
Still keeping underflow patch, even it seems not necessary.

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q4/016767.html
2022-12-06 18:35:48 +01:00
Petr Menšík
a2d26dd525 Fix regression removing config statements on DBus change (#2148301) 2022-11-25 11:21:24 +01:00
Petr Menšík
3539c7a7f0 Update License tag to SPDX identifier 2022-09-30 13:19:30 +02:00
Petr Menšík
fb936db8eb Update to 2.87 (#2129658) 2022-09-27 15:35:46 +02:00
Fedora Release Engineering
e28b110acb Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-21 00:41:20 +00:00
Petr Menšík
19e76a2a0a Do not own configuration by dnsmasq group (#2104973)
Dynamic owned files makes problems with container based releases.
Because they are not necessary, get rid of them.
2022-07-08 22:43:06 +02:00
Petr Menšík
ef60adb63e Fix losing static forwarders configuration after dbus update
Correct loop updates of up pointer. Do not lose server records prior to
first marked server on update.

Modified for 2.86 version.

Resolves: rhbz#2061944
2022-06-17 13:01:00 +02:00
Petr Menšík
f9d6c726e6 Require NetworkManager-ci tests pass on rawhide 2022-05-06 00:02:51 +02:00
Petr Menšík
7da92dcce5 Move NetworkManager-ci part to separate plan
Correct used git repo for NM CI

Use moved upstream to gitlab.

Make fmf a bit nicer.

Remove discover from script only

It breaks running the other plan this way.

Prepare inside the script
2022-05-06 00:00:49 +02:00
Petr Menšík
da02ce5baf Deactivate STI, use tmt 2022-05-06 00:00:49 +02:00
Petr Menšík
1f5e1331ba Move from github tests to fedora /tests/dnsmasq
Fix gating to still reference only STI test product.
2022-05-04 13:42:03 +02:00
Anssi Hannula
3123631ff7 Enable conntrack support
This allows using e.g. the --conntrack configuration option.
2022-04-29 19:06:47 +02:00
Petr Menšík
c8a9dcf212 Update GNU address in license file
Just download fresh copy from GNU, until upstream updates the license.
2022-04-29 18:12:10 +02:00
Petr Menšík
5624c40cb5 fixup! Avoid bogus messages from rpmlint about badfuncs 2022-04-29 17:04:05 +02:00
Petr Menšík
d71e6bdd87 Avoid bogus messages from rpmlint about badfuncs
The code handles both IPv4 and IPv6, but those functions are used only
in IPv4-only code paths, where it does not limit anything.
2022-04-29 11:13:31 +02:00
Petr Menšík
af6782a97c Minor description update to satisfy rpmlint 2022-04-29 11:13:31 +02:00
Petr Sklenar
c06c867464 adding ci.fmf to have more plans 2022-04-20 09:09:42 +00:00
Petr Sklenar
275f610b3a gating yaml with one fmf plan 2022-04-20 09:09:42 +00:00
Petr Sklenar
a85837f755 fedora ci should start the both way 2022-04-20 09:09:42 +00:00
Petr Sklenar
8034904a73 Adding fmf plan 2022-04-20 09:09:42 +00:00