Debian Patches

Status for dnsmasq/2.90-4~deb12u2

Patch Description Author Forwarded Bugs Origin Last update
eliminate-privacy-breaches.patch Remove or replace privacy breaching logos and forms

Lintian complains about these by issuing the tags privacy-breach-logo and
privacy-breach-donation.
Sven Geuer <debmaint@g-e-u-e-r.de> not-needed 2023-11-18
CVE-2026-2291.patch commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660

Fix buffer overflow in struct bigname. CVE-2026-2291

All buffers capable of holding a domain name should be
at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
size of a domain name. This accounts for the trailing zero and the
fact that some characters are escaped in the internal representation
of a domain name in dnsmasq.

The declaration of struct bigname gets this wrong, with the effect
that a remote attacker capable of asking DNS queries or answering DNS
queries can cause a large OOB write in the heap.

This was first spotted by Andrew S. Fasano.
Simon Kelley <simon@thekelleys.org.uk> no 2026-04-10
CVE-2026-4890.patch commit de76f21e115c451cf0653790fc4b209cd4778a07

Fix NSEC bitmap parsing infinite loop. CVE-2026-4890

Report from Royce M <royce@xchglabs.com>.

Location: dnssec.c:1290-1306, dnssec.c:1450-1463

The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
unchanged, causing an infinite loop and dnsmasq stops responding to all queries.

The same code accesses p[2] after only checking rdlen >= 2 without verifying p[1] >= 1, causing OOB reads at 6 locations.

Both bugs are reachable before RRSIG validation (confirmed by the source comment at line 2125), so no valid DNSSEC signatures are needed.
Simon Kelley <simon@thekelleys.org.uk> no 2026-04-10
CVE-2026-4891.patch commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da

Verify rdlen field in RRSIG packets. CVE-2026-4891

Bug report from Royce M <royce@xchglabs.com>

This avoids crafted packets which give a value for rdlen _less_
than the space taken up by the fixed data and the signer's name
and engender a negative calculated length for the signature.
Simon Kelley <simon@thekelleys.org.uk> no 2026-03-25
CVE-2026-4892.patch commit 011a36c51438c986535a7248ed2e7f424f8e1078

Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892

Bug reported by Royce M <royce@xchglabs.com>

Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.

Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
Simon Kelley <simon@thekelleys.org.uk> no 2026-03-25
CVE-2026-4893.patch commit 434d68f2eb1a58744470698483a3ae09b5a9a870

Fix broken client subnet validation. CVE-2026-4893

Bug report from Royce M <royce@xchglabs.com>

Location: forward.c:713, edns0.c:421

With --add-subnet enabled, process_reply() passes the OPT record
length (~23 bytes) instead of the packet length to check_source().
All internal bounds checks fail, and the function always returns 1.
ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
Simon Kelley <simon@thekelleys.org.uk> no 2026-03-25
CVE-2026-5172.patch commit fa3c8ddef6712b52f562813317e6a997e1210123

Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172

Thanks to Hugo Martinez Ray for spotting this.

The value of rdlen for an RR can be a lie, allowing the
call to extract_name() at rfc1025.c:952 to advance the value of p1
past the calculated end of the record. This makes the calculation
of bytes remaining in the RR underflow to a huge number and results
in a massive heap OOB read and certain crash.
Simon Kelley <simon@thekelleys.org.uk> no 2026-03-30