dnsmasq: upgrade 2.92 -> 2.93

ChangeLog: https://dnsmasq.org/CHANGELOG - Update checksum - Remove obsolete patches - Verified build and runtime functionality Security fixes (included upstream in 2.93) : - CVE-2026-2291 - CVE-2026-4890 - CVE-2026-4891 - CVE-2026-4892 - CVE-2026-4893 - CVE-2026-5172 - Removed patches corresponding to the above CVEs as fixes are now part of upstream release Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
author: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com> 2026-06-05 02:22:57 +0530
committer: Khem Raj <khem.raj@oss.qualcomm.com> 2026-06-07 18:21:50 -0700
commit: 44ec3710d58879a7e9e5f2de97cd81c3211b522c (patch)
tree: 8c6c0a4e12f1f1ffd9c12febd7011a4e226416f4
parent: b2b319eef3ced83ab03634d87d7d1540af2c18e3 (diff)
download: meta-openembedded-44ec3710d58879a7e9e5f2de97cd81c3211b522c.tar.gz
7 files changed, 1 insertions, 238 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.93.bb
index c19467aed9..765287018b 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.93.bb
@@ -15,14 +15,8 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
           file://dnsmasq-resolvconf.service \
           file://dnsmasq-noresolvconf.service \
           file://dnsmasq-resolved.conf \
-           file://CVE-2026-2291.patch \
-           file://CVE-2026-4890.patch \
-           file://CVE-2026-4891.patch \
-           file://CVE-2026-4892.patch \
-           file://CVE-2026-4893.patch \
-           file://CVE-2026-5172.patch \
 "
-SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"
+SRC_URI[sha256sum] = "cc967771abdafeb43d10db18932d6b59fd4bed2c69c22acf8cb96aff6920d55f"
 inherit pkgconfig update-rc.d systemd
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch
deleted file mode 100644
index 6e42f32136..0000000000
--- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date:   Fri Apr 10 16:29:31 2026 +0100
-Fix buffer overflow in struct bigname.  CVE-2026-2291
-All buffers capable of holding a domain name should be
-at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
-size of a domain name. The accounts for the trailing zero and the
-fact that some characters are escaped in the internal representation
-of a domain name in dnsmasq.
-The declaration of struct bigname get this wrong, with the effect
-that a remote attacker capable of asking DNS queries or answering DNS
-queries can cause a large OOB write in the heap.
-This was first spotted by Andrew S. Fasano.
-CVE: CVE-2026-2291
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=014e909f787e808bb35daa546d3f8f3663918de2 ] 
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 254bacd..58be09f 100644
--- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -479,7 +479,7 @@ struct interface_name {
- };
- union bigname {
-  char name[MAXDNAME];
-+  char name[(2*MAXDNAME) + 1];
-   union bigname *next; /* freelist */
- };
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch
deleted file mode 100644
index 4a7673817b..0000000000
--- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-commit 4fdb707633afe8028118bcaf39b4882f634b5999
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date:   Fri Apr 10 16:24:02 2026 +0100
-Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
-    
-Report from Royce M <royce@xchglabs.com>.
-    
-Location: dnssec.c:1290-1306, dnssec.c:1450-1463
-    
-The bitmap window iteration advances by p[1] instead of p[1]+2
-(missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
-unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
-    
-Reachable before RRSIG validation
-(confirmed by the source comment at line 2125), so no valid
-DNSSEC signatures are needed.
-CVE: CVE-2026-4890
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7b151eb60609a0139474918222806f9bcfb4fe71 ]
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 4bb0495..3951620 100644
--- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1348,8 +1348,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
-                  break; /* finished checking */
-                }
-              
-             rdlen -= p[1];
-             p +=  p[1];
-+             rdlen -= p[1] + 2;
-+             p +=  p[1] + 2;
-            }
-          
-          return 0;
-@@ -1512,8 +1512,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
-                        break; /* finished checking */
-                      }
-                    
-                   rdlen -= p[1];
-                   p +=  p[1];
-+                   rdlen -= p[1] + 2;
-+                   p +=  p[1] + 2;
-                  }
-                
-                return 1;
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch
deleted file mode 100644
index e721f5ec0b..0000000000
--- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date:   Wed Mar 25 23:04:08 2026 +0000
-Verify rdlen field in RRSIG packets. CVE-2026-4891
-    
-Bug report from Royce M <royce@xchglabs.com>
-    
-This avoids crafted packets which give a value for rdlen _less_
-then the space taken up by the fixed data and the signer's name
-and engender a negative calculated length for the signature.
-CVE: CVE-2026-4891
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 ]
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 0860daa..4bb0495 100644
--- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
- 
-           *ttl_out = ttl;
-         }
-       
-+
-+      /* Don't trust rdlen not to be too small and give us a negative sig_len
-+        It has already been checked that it doesn't run us off the end
-+        of the packet. */
-+      if ((sig_len = rdlen - (p - psav)) <= 0)
-+       return STAT_BOGUS;
-+
-       sig = p;
-      sig_len = rdlen - (p - psav);
-              
-       nsigttl = htonl(orig_ttl);
-       
-       hash->update(ctx, 18, psav);
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch
deleted file mode 100644
index 01637601a3..0000000000
--- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-commit 011a36c51438c986535a7248ed2e7f424f8e1078
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date:   Wed Mar 25 23:16:35 2026 +0000
-Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
-    
-Bug reported bt Royce M <royce@xchglabs.com>
-    
-Location: helper.c:265-270
-DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
-the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
-A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
-    
-Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
-CVE: CVE-2026-4892
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571 ]
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-diff --git a/src/helper.c b/src/helper.c
-index 72f81fe..2c12801 100644
--- a/src/helper.c
-+++ b/src/helper.c
-@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
-                      data.hostname_len + data.ed_len + data.clid_len, RW_READ))
-        continue;
- 
-      /* CLID into packet */
-      for (p = daemon->packet, i = 0; i < data.clid_len; i++)
-+      /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
-+      for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
-        {
-          p += sprintf(p, "%.2x", buf[i]);
-          if (i != data.clid_len - 1) 
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch
deleted file mode 100644
index af7e4119e1..0000000000
--- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-commit 434d68f2eb1a58744470698483a3ae09b5a9a870
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date:   Wed Mar 25 23:22:37 2026 +0000
-Fix broken client subnet validation. CVE-2026-4893
-    
-Bug report from Royce M <royce@xchglabs.com>
-    
-Location: forward.c:713, edns0.c:421
-    
-With --add-subnet enabled, process_reply() passes the OPT record
-length (~23 bytes) instead of the packet length to check_source().
-All internal bounds checks fail, and the function always returns 1.
-ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
-CVE: CVE-2026-4893
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e3a26d092e47bf1d18aeadb758e4ca35c83b5f2d ]
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-diff --git a/src/forward.c b/src/forward.c
-index e2f64c0..208480d 100644
--- a/src/forward.c
-+++ b/src/forward.c
-@@ -724,7 +724,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
-       /* Get extended RCODE. */
-       rcode |= sizep[2] << 4;
-       
-      if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source))
-+      if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source))
-        {
-          my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
-          return 0;
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch
deleted file mode 100644
index ce6e0f464b..0000000000
--- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-commit fa3c8ddef6712b52f562813317e6a997e1210123
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date:   Mon Mar 30 16:24:33 2026 +0100
-Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
-    
-Thanks to Hugo Martinez Ray for spotting this.
-    
-The value of rdlen for an RR can be a lie, allowing the
-call to extract_name() at rfc1025.c:952 to advance the value of p1
-past the calculated end of the record. The makes the calculation
-of bytes remaining in the RR underflow to a huge number and results
-in a massive heap OOB read and certain crash.
-CVE: CVE-2026-5172
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=073082ddc0aba7b8efa15a688d6183463b65effa ]
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index f0e1082..7e05fb5 100644
--- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
-                              /* Name, extract it then re-encode. */
-                              int len;
-                              
-                             if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
-+                             /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */
-+                             if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr))
-                                {
-                                  blockdata_free(addr.rrblock.rrdata);
-                                  return 2;
author	Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>	2026-06-05 02:22:57 +0530
committer	Khem Raj <khem.raj@oss.qualcomm.com>	2026-06-07 18:21:50 -0700
commit	44ec3710d58879a7e9e5f2de97cd81c3211b522c (patch)
tree	8c6c0a4e12f1f1ffd9c12febd7011a4e226416f4
parent	b2b319eef3ced83ab03634d87d7d1540af2c18e3 (diff)
download	meta-openembedded-44ec3710d58879a7e9e5f2de97cd81c3211b522c.tar.gz

diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.93.bb index c19467aed9..765287018b 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.93.bb
@@ -15,14 +15,8 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
15	file://dnsmasq-resolvconf.service \	15	file://dnsmasq-resolvconf.service \
16	file://dnsmasq-noresolvconf.service \	16	file://dnsmasq-noresolvconf.service \
17	file://dnsmasq-resolved.conf \	17	file://dnsmasq-resolved.conf \
18	file://CVE-2026-2291.patch \
19	file://CVE-2026-4890.patch \
20	file://CVE-2026-4891.patch \
21	file://CVE-2026-4892.patch \
22	file://CVE-2026-4893.patch \
23	file://CVE-2026-5172.patch \
24	"	18	"
25	SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"	19	SRC_URI[sha256sum] = "cc967771abdafeb43d10db18932d6b59fd4bed2c69c22acf8cb96aff6920d55f"
26		20
27	inherit pkgconfig update-rc.d systemd	21	inherit pkgconfig update-rc.d systemd
28		22


diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch deleted file mode 100644 index 6e42f32136..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch +++ /dev/null
@@ -1,37 +0,0 @@
1	commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660
2	Author: Simon Kelley <simon@thekelleys.org.uk>
3	Date: Fri Apr 10 16:29:31 2026 +0100
4
5	Fix buffer overflow in struct bigname. CVE-2026-2291
6
7	All buffers capable of holding a domain name should be
8	at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
9	size of a domain name. The accounts for the trailing zero and the
10	fact that some characters are escaped in the internal representation
11	of a domain name in dnsmasq.
12
13	The declaration of struct bigname get this wrong, with the effect
14	that a remote attacker capable of asking DNS queries or answering DNS
15	queries can cause a large OOB write in the heap.
16
17	This was first spotted by Andrew S. Fasano.
18
19	CVE: CVE-2026-2291
20
21	Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=014e909f787e808bb35daa546d3f8f3663918de2 ]
22
23	Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
24
25	diff --git a/src/dnsmasq.h b/src/dnsmasq.h
26	index 254bacd..58be09f 100644
27	--- a/src/dnsmasq.h
28	+++ b/src/dnsmasq.h
29	@@ -479,7 +479,7 @@ struct interface_name {
30	};
31
32	union bigname {
33	- char name[MAXDNAME];
34	+ char name[(2*MAXDNAME) + 1];
35	union bigname next; / freelist */
36	};
37


diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch deleted file mode 100644 index 4a7673817b..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch +++ /dev/null
@@ -1,50 +0,0 @@
1	commit 4fdb707633afe8028118bcaf39b4882f634b5999
2	Author: Simon Kelley <simon@thekelleys.org.uk>
3	Date: Fri Apr 10 16:24:02 2026 +0100
4
5	Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
6
7	Report from Royce M <royce@xchglabs.com>.
8
9	Location: dnssec.c:1290-1306, dnssec.c:1450-1463
10
11	The bitmap window iteration advances by p[1] instead of p[1]+2
12	(missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
13	unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
14
15	Reachable before RRSIG validation
16	(confirmed by the source comment at line 2125), so no valid
17	DNSSEC signatures are needed.
18
19	CVE: CVE-2026-4890
20
21	Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7b151eb60609a0139474918222806f9bcfb4fe71 ]
22
23	Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
24
25	diff --git a/src/dnssec.c b/src/dnssec.c
26	index 4bb0495..3951620 100644
27	--- a/src/dnssec.c
28	+++ b/src/dnssec.c
29	@@ -1348,8 +1348,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
30	break; /* finished checking */
31	}
32
33	- rdlen -= p[1];
34	- p += p[1];
35	+ rdlen -= p[1] + 2;
36	+ p += p[1] + 2;
37	}
38
39	return 0;
40	@@ -1512,8 +1512,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
41	break; /* finished checking */
42	}
43
44	- rdlen -= p[1];
45	- p += p[1];
46	+ rdlen -= p[1] + 2;
47	+ p += p[1] + 2;
48	}
49
50	return 1;


diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch deleted file mode 100644 index e721f5ec0b..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch +++ /dev/null
@@ -1,40 +0,0 @@
1	commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da
2	Author: Simon Kelley <simon@thekelleys.org.uk>
3	Date: Wed Mar 25 23:04:08 2026 +0000
4
5	Verify rdlen field in RRSIG packets. CVE-2026-4891
6
7	Bug report from Royce M <royce@xchglabs.com>
8
9	This avoids crafted packets which give a value for rdlen _less_
10	then the space taken up by the fixed data and the signer's name
11	and engender a negative calculated length for the signature.
12
13	CVE: CVE-2026-4891
14
15	Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 ]
16
17	Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
18
19	diff --git a/src/dnssec.c b/src/dnssec.c
20	index 0860daa..4bb0495 100644
21	--- a/src/dnssec.c
22	+++ b/src/dnssec.c
23	@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
24
25	*ttl_out = ttl;
26	}
27	-
28	+
29	+ /* Don't trust rdlen not to be too small and give us a negative sig_len
30	+ It has already been checked that it doesn't run us off the end
31	+ of the packet. */
32	+ if ((sig_len = rdlen - (p - psav)) <= 0)
33	+ return STAT_BOGUS;
34	+
35	sig = p;
36	- sig_len = rdlen - (p - psav);
37	-
38	nsigttl = htonl(orig_ttl);
39
40	hash->update(ctx, 18, psav);


diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch deleted file mode 100644 index 01637601a3..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch +++ /dev/null
@@ -1,36 +0,0 @@
1	commit 011a36c51438c986535a7248ed2e7f424f8e1078
2	Author: Simon Kelley <simon@thekelleys.org.uk>
3	Date: Wed Mar 25 23:16:35 2026 +0000
4
5	Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
6
7	Bug reported bt Royce M <royce@xchglabs.com>
8
9	Location: helper.c:265-270
10	DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
11	the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
12	A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
13
14	Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
15
16	CVE: CVE-2026-4892
17
18	Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571 ]
19
20	Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
21
22	diff --git a/src/helper.c b/src/helper.c
23	index 72f81fe..2c12801 100644
24	--- a/src/helper.c
25	+++ b/src/helper.c
26	@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
27	data.hostname_len + data.ed_len + data.clid_len, RW_READ))
28	continue;
29
30	- /* CLID into packet */
31	- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
32	+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
33	+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
34	{
35	p += sprintf(p, "%.2x", buf[i]);
36	if (i != data.clid_len - 1)


diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch deleted file mode 100644 index af7e4119e1..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch +++ /dev/null
@@ -1,34 +0,0 @@
1	commit 434d68f2eb1a58744470698483a3ae09b5a9a870
2	Author: Simon Kelley <simon@thekelleys.org.uk>
3	Date: Wed Mar 25 23:22:37 2026 +0000
4
5	Fix broken client subnet validation. CVE-2026-4893
6
7	Bug report from Royce M <royce@xchglabs.com>
8
9	Location: forward.c:713, edns0.c:421
10
11	With --add-subnet enabled, process_reply() passes the OPT record
12	length (~23 bytes) instead of the packet length to check_source().
13	All internal bounds checks fail, and the function always returns 1.
14	ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
15
16	CVE: CVE-2026-4893
17
18	Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e3a26d092e47bf1d18aeadb758e4ca35c83b5f2d ]
19
20	Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
21
22	diff --git a/src/forward.c b/src/forward.c
23	index e2f64c0..208480d 100644
24	--- a/src/forward.c
25	+++ b/src/forward.c
26	@@ -724,7 +724,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
27	/* Get extended RCODE. */
28	rcode \|= sizep[2] << 4;
29
30	- if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source))
31	+ if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source))
32	{
33	my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
34	return 0;


diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch deleted file mode 100644 index ce6e0f464b..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch +++ /dev/null
@@ -1,34 +0,0 @@
1	commit fa3c8ddef6712b52f562813317e6a997e1210123
2	Author: Simon Kelley <simon@thekelleys.org.uk>
3	Date: Mon Mar 30 16:24:33 2026 +0100
4
5	Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
6
7	Thanks to Hugo Martinez Ray for spotting this.
8
9	The value of rdlen for an RR can be a lie, allowing the
10	call to extract_name() at rfc1025.c:952 to advance the value of p1
11	past the calculated end of the record. The makes the calculation
12	of bytes remaining in the RR underflow to a huge number and results
13	in a massive heap OOB read and certain crash.
14
15	CVE: CVE-2026-5172
16
17	Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=073082ddc0aba7b8efa15a688d6183463b65effa ]
18
19	Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
20
21	diff --git a/src/rfc1035.c b/src/rfc1035.c
22	index f0e1082..7e05fb5 100644
23	--- a/src/rfc1035.c
24	+++ b/src/rfc1035.c
25	@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header header, size_t qlen, char name, time_t
26	/* Name, extract it then re-encode. */
27	int len;
28
29	- if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
30	+ /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */
31	+ if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) \|\| (p1 > endrr))
32	{
33	blockdata_free(addr.rrblock.rrdata);
34	return 2;