Skip to content

Commit 8f8d8a6

Browse files
Kanishk-BansalKanishk Bansal
andauthored
Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com> Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
1 parent 078633a commit 8f8d8a6

9 files changed

Lines changed: 264 additions & 4 deletions

SPECS/dnsmasq/CVE-2026-2291.patch

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
From f3b6e638206cc2ed7bb8e5f4b774a15eef4fd2ce Mon Sep 17 00:00:00 2001
2+
From: Simon Kelley <simon@thekelleys.org.uk>
3+
Date: Fri, 22 May 2026 04:53:51 +0000
4+
Subject: [PATCH 1/6] CVE-2026-2291
5+
6+
Fix buffer overflow in struct bigname. CVE-2026-2291
7+
8+
All buffers capable of holding a domain name should be
9+
at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
10+
size of a domain name. The accounts for the trailing zero and the
11+
fact that some characters are escaped in the internal representation
12+
of a domain name in dnsmasq.
13+
14+
The declaration of struct bigname get this wrong, with the effect
15+
that a remote attacker capable of asking DNS queries or answering DNS
16+
queries can cause a large OOB write in the heap.
17+
18+
This was first spotted by Andrew S. Fasano.
19+
20+
Upstream Patch Reference: https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-2291.diff
21+
---
22+
src/dnsmasq.h | 2 +-
23+
1 file changed, 1 insertion(+), 1 deletion(-)
24+
25+
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
26+
index cb00e08..6390c2e 100644
27+
--- a/src/dnsmasq.h
28+
+++ b/src/dnsmasq.h
29+
@@ -481,7 +481,7 @@ struct interface_name {
30+
};
31+
32+
union bigname {
33+
- char name[MAXDNAME];
34+
+ char name[(2*MAXDNAME) + 1];
35+
union bigname *next; /* freelist */
36+
};
37+
38+
--
39+
2.45.4
40+

SPECS/dnsmasq/CVE-2026-4890.patch

Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
From bcab02ff370b5c15b4b60378b0c2cbcff6155d6c Mon Sep 17 00:00:00 2001
2+
From: Simon Kelley <simon@thekelleys.org.uk>
3+
Date: Fri, 22 May 2026 04:55:07 +0000
4+
Subject: [PATCH 2/6] CVE-2026-4890
5+
6+
Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
7+
8+
Report from Royce M <royce@xchglabs.com>.
9+
10+
Location: dnssec.c:1290-1306, dnssec.c:1450-1463
11+
12+
The bitmap window iteration advances by p[1] instead of p[1]+2
13+
(missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
14+
unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
15+
16+
Reachable before RRSIG validation
17+
(confirmed by the source comment at line 2125), so no valid
18+
DNSSEC signatures are needed.
19+
20+
Upstream Patch Reference: https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-4890.dnsmasq-2.92.diff
21+
---
22+
src/dnssec.c | 8 ++++----
23+
1 file changed, 4 insertions(+), 4 deletions(-)
24+
25+
diff --git a/src/dnssec.c b/src/dnssec.c
26+
index 0860daa..b2ebc1a 100644
27+
--- a/src/dnssec.c
28+
+++ b/src/dnssec.c
29+
@@ -1344,8 +1344,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
30+
break; /* finished checking */
31+
}
32+
33+
- rdlen -= p[1];
34+
- p += p[1];
35+
+ rdlen -= p[1] + 2;
36+
+ p += p[1] + 2;
37+
}
38+
39+
return 0;
40+
@@ -1508,8 +1508,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
41+
break; /* finished checking */
42+
}
43+
44+
- rdlen -= p[1];
45+
- p += p[1];
46+
+ rdlen -= p[1] + 2;
47+
+ p += p[1] + 2;
48+
}
49+
50+
return 1;
51+
--
52+
2.45.4
53+

SPECS/dnsmasq/CVE-2026-4891.patch

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
From 3c80c7c0f429f7a1b3a44901932c5ce4da9c7476 Mon Sep 17 00:00:00 2001
2+
From: Simon Kelley <simon@thekelleys.org.uk>
3+
Date: Fri, 22 May 2026 04:55:57 +0000
4+
Subject: [PATCH 3/6] CVE-2026-4891
5+
6+
Verify rdlen field in RRSIG packets. CVE-2026-4891
7+
8+
Bug report from Royce M <royce@xchglabs.com>
9+
10+
This avoids crafted packets which give a value for rdlen _less_
11+
then the space taken up by the fixed data and the signer's name
12+
and engender a negative calculated length for the signature.
13+
14+
Upstream Patch Reference: https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-4891.diff
15+
---
16+
src/dnssec.c | 10 +++++++---
17+
1 file changed, 7 insertions(+), 3 deletions(-)
18+
19+
diff --git a/src/dnssec.c b/src/dnssec.c
20+
index b2ebc1a..3951620 100644
21+
--- a/src/dnssec.c
22+
+++ b/src/dnssec.c
23+
@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
24+
25+
*ttl_out = ttl;
26+
}
27+
-
28+
+
29+
+ /* Don't trust rdlen not to be too small and give us a negative sig_len
30+
+ It has already been checked that it doesn't run us off the end
31+
+ of the packet. */
32+
+ if ((sig_len = rdlen - (p - psav)) <= 0)
33+
+ return STAT_BOGUS;
34+
+
35+
sig = p;
36+
- sig_len = rdlen - (p - psav);
37+
-
38+
nsigttl = htonl(orig_ttl);
39+
40+
hash->update(ctx, 18, psav);
41+
--
42+
2.45.4
43+

SPECS/dnsmasq/CVE-2026-4892.patch

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
From e065da11a51688aada2b3f160cfd0ac43f5b7eb8 Mon Sep 17 00:00:00 2001
2+
From: Simon Kelley <simon@thekelleys.org.uk>
3+
Date: Fri, 22 May 2026 04:56:34 +0000
4+
Subject: [PATCH 4/6] CVE-2026-4892
5+
6+
Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
7+
8+
Bug reported by Royce M <royce@xchglabs.com>
9+
10+
Location: helper.c:265-270
11+
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
12+
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
13+
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
14+
15+
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
16+
17+
Upstream Patch Reference: https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-4892.diff
18+
19+
---
20+
src/helper.c | 4 ++--
21+
1 file changed, 2 insertions(+), 2 deletions(-)
22+
23+
diff --git a/src/helper.c b/src/helper.c
24+
index 72f81fe..2c12801 100644
25+
--- a/src/helper.c
26+
+++ b/src/helper.c
27+
@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
28+
data.hostname_len + data.ed_len + data.clid_len, RW_READ))
29+
continue;
30+
31+
- /* CLID into packet */
32+
- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
33+
+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
34+
+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
35+
{
36+
p += sprintf(p, "%.2x", buf[i]);
37+
if (i != data.clid_len - 1)
38+
--
39+
2.45.4
40+

SPECS/dnsmasq/CVE-2026-4893.patch

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
From 503a1ac7072c8a8f74ef39cdfcb17781d3d1cd07 Mon Sep 17 00:00:00 2001
2+
From: Simon Kelley <simon@thekelleys.org.uk>
3+
Date: Fri, 22 May 2026 04:57:07 +0000
4+
Subject: [PATCH 5/6] CVE-2026-4893
5+
6+
Fix broken client subnet validation. CVE-2026-4893
7+
8+
Bug report from Royce M <royce@xchglabs.com>
9+
10+
Location: forward.c:713, edns0.c:421
11+
12+
With --add-subnet enabled, process_reply() passes the OPT record
13+
length (~23 bytes) instead of the packet length to check_source().
14+
All internal bounds checks fail, and the function always returns 1.
15+
ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
16+
17+
Upstream Patch Reference: https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-4893.diff
18+
---
19+
src/forward.c | 2 +-
20+
1 file changed, 1 insertion(+), 1 deletion(-)
21+
22+
diff --git a/src/forward.c b/src/forward.c
23+
index e2f64c0..208480d 100644
24+
--- a/src/forward.c
25+
+++ b/src/forward.c
26+
@@ -724,7 +724,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
27+
/* Get extended RCODE. */
28+
rcode |= sizep[2] << 4;
29+
30+
- if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source))
31+
+ if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source))
32+
{
33+
my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
34+
return 0;
35+
--
36+
2.45.4
37+

SPECS/dnsmasq/CVE-2026-5172.patch

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
From d37c38288c0bc98af40fd606c116744baaa1574c Mon Sep 17 00:00:00 2001
2+
From: Simon Kelley <simon@thekelleys.org.uk>
3+
Date: Fri, 22 May 2026 04:57:41 +0000
4+
Subject: [PATCH 6/6] CVE-2026-5172
5+
6+
Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
7+
8+
Thanks to Hugo Martinez Ray for spotting this.
9+
10+
The value of rdlen for an RR can be a lie, allowing the
11+
call to extract_name() at rfc1025.c:952 to advance the value of p1
12+
past the calculated end of the record. This makes the calculation
13+
of bytes remaining in the RR underflow to a huge number and results
14+
in a massive heap OOB read and certain crash.
15+
16+
Upstream Patch Reference: https://thekelleys.org.uk/dnsmasq/CVE/CVE-2026-5172.diff
17+
---
18+
src/rfc1035.c | 3 ++-
19+
1 file changed, 2 insertions(+), 1 deletion(-)
20+
21+
diff --git a/src/rfc1035.c b/src/rfc1035.c
22+
index f0e1082..7e05fb5 100644
23+
--- a/src/rfc1035.c
24+
+++ b/src/rfc1035.c
25+
@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
26+
/* Name, extract it then re-encode. */
27+
int len;
28+
29+
- if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
30+
+ /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */
31+
+ if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr))
32+
{
33+
blockdata_free(addr.rrblock.rrdata);
34+
return 2;
35+
--
36+
2.45.4
37+
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
{
22
"Signatures": {
3-
"dnsmasq-2.90.tar.xz": "8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4"
3+
"dnsmasq-2.92.tar.xz": "4bf50c2c1018f9fbc26037df51b90ecea0cb73d46162846763b92df0d6c3a458"
44
}
55
}

SPECS/dnsmasq/dnsmasq.spec

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
Summary: DNS proxy with integrated DHCP server
22
Name: dnsmasq
3-
Version: 2.90
3+
Version: 2.92
44
Release: 1%{?dist}
55
License: GPLv2 or GPLv3
66
Group: System Environment/Daemons
@@ -9,6 +9,12 @@ Source0: https://www.thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz
99
Vendor: Microsoft Corporation
1010
Distribution: Azure Linux
1111
Patch0: fix-missing-ioctl-SIOCGSTAMP-add-sockios-header-linux-5.2.patch
12+
Patch1: CVE-2026-2291.patch
13+
Patch2: CVE-2026-4890.patch
14+
Patch3: CVE-2026-4891.patch
15+
Patch4: CVE-2026-4892.patch
16+
Patch5: CVE-2026-4893.patch
17+
Patch6: CVE-2026-5172.patch
1218

1319
BuildRequires: kernel-headers
1420

@@ -66,6 +72,10 @@ EOF
6672
%config /usr/share/dnsmasq/trust-anchors.conf
6773

6874
%changelog
75+
* Fri May 22 2026 Kanishk Bansal <kanbansal@microsoft.com> - 2.92-1
76+
- Upgrade to 2.92
77+
- Patch CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, CVE-2026-5172
78+
6979
* Thu Feb 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.90-1
7080
- Auto-upgrade to 2.90 - Azure Linux 3.0 Upgrades
7181

cgmanifest.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2818,8 +2818,8 @@
28182818
"type": "other",
28192819
"other": {
28202820
"name": "dnsmasq",
2821-
"version": "2.90",
2822-
"downloadUrl": "https://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.90.tar.xz"
2821+
"version": "2.92",
2822+
"downloadUrl": "https://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.92.tar.xz"
28232823
}
28242824
}
28252825
},

0 commit comments

Comments
 (0)