Debian Patches
Status for dnsmasq/2.92-5
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2026-4893.patch | commit 434d68f2eb1a58744470698483a3ae09b5a9a870 Fix broken client subnet validation. CVE-2026-4893 Bug report from Royce M <royce@xchglabs.com> Location: forward.c:713, edns0.c:421 With --add-subnet enabled, process_reply() passes the OPT record length (~23 bytes) instead of the packet length to check_source(). All internal bounds checks fail, and the function always returns 1. ECS source validation per RFC 7871 Section 9.2 is completely bypassed. diff --git a/src/forward.c b/src/forward.c index e2f64c0..208480d 100644 | Simon Kelley <simon@thekelleys.org.uk> | no | | | 2026-03-25 |
| CVE-2026-5172.patch | commit fa3c8ddef6712b52f562813317e6a997e1210123 Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172 Thanks to Hugo Martinez Ray for spotting this. The value of rdlen for an RR can be a lie, allowing the call to extract_name() at rfc1025.c:952 to advance the value of p1 past the calculated end of the record. This makes the calculation of bytes remaining in the RR underflow to a huge number and results in a massive heap OOB read and certain crash. diff --git a/src/rfc1035.c b/src/rfc1035.c index f0e1082..7e05fb5 100644 | Simon Kelley <simon@thekelleys.org.uk> | no | | | 2026-03-30 |
| eliminate-privacy-breaches.patch | Remove or replace privacy breaching logos and forms Lintian complains about these by issuing the tags privacy-breach-logo and privacy-breach-donation. | Sven Geuer <debmaint@g-e-u-e-r.de> | not-needed | | | 2025-12-04 |
| CVE-2026-6507.patch | Fix CVE-2026-6507. | | not-needed | debian | upstream, https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=9ad74926d4f7f34ff902e1db5235535aa813c33f | 2026-04-19 |
| CVE-2026-2291.patch | commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660 Fix buffer overflow in struct bigname. CVE-2026-2291 All buffers capable of holding a domain name should be at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum size of a domain name. This accounts for the trailing zero and the fact that some characters are escaped in the internal representation of a domain name in dnsmasq. The declaration of struct bigname gets this wrong, with the effect that a remote attacker capable of asking DNS queries or answering DNS queries can cause a large OOB write in the heap. This was first spotted by Andrew S. Fasano. diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 254bacd..58be09f 100644 | Simon Kelley <simon@thekelleys.org.uk> | no | | | 2026-04-10 |
| CVE-2026-4890.patch | commit 4fdb707633afe8028118bcaf39b4882f634b5999 Fix NSEC bitmap parsing infinite loop. CVE-2026-4890 Report from Royce M <royce@xchglabs.com>. Location: dnssec.c:1290-1306, dnssec.c:1450-1463 The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are unchanged, causing an infinite loop and dnsmasq stops responding to all queries. Reachable before RRSIG validation (confirmed by the source comment at line 2125), so no valid DNSSEC signatures are needed. | Simon Kelley <simon@thekelleys.org.uk> | no | | | 2026-04-10 |
| CVE-2026-4891.patch | commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da Verify rdlen field in RRSIG packets. CVE-2026-4891 Bug report from Royce M <royce@xchglabs.com> This avoids crafted packets which give a value for rdlen _less_ than the space taken up by the fixed data and the signer's name and engender a negative calculated length for the signature. diff --git a/src/dnssec.c b/src/dnssec.c index 0860daa..4bb0495 100644 | Simon Kelley <simon@thekelleys.org.uk> | no | | | 2026-03-25 |
| CVE-2026-4892.patch | commit 011a36c51438c986535a7248ed2e7f424f8e1078 Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892 Bug reported by Royce M <royce@xchglabs.com> Location: helper.c:265-270 DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured, the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes). A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges. Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed. diff --git a/src/helper.c b/src/helper.c index 72f81fe..2c12801 100644 | Simon Kelley <simon@thekelleys.org.uk> | no | | | 2026-03-25 |

All known versions for source package 'dnsmasq'
- 2.92-5 (sid)
- 2.92-4 (forky)
- 2.91-1+deb13u1 (trixie-security)
- 2.91-1 (trixie)
- 2.90-4~deb12u2 (bookworm-security)
- 2.90-4~deb12u1 (bookworm)
