summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>2026-05-20 14:29:05 +0200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-05-21 09:56:19 +0530
commitcab6f6c603ee2b35c72f9f7e70bf22e23706c9a0 (patch)
tree0489f16d57a57ddd3aa19b89a16d1548d4e57a7a
parent59f8c396f936e99770e6876af1e68e27d696857c (diff)
downloadmeta-openembedded-cab6f6c603ee2b35c72f9f7e70bf22e23706c9a0.tar.gz
dnsmasq: Fix CVE-2026-4891
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes. [1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4891.patch Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb1
-rw-r--r--meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch44
2 files changed, 45 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
index 38fa271dc3..0d20e10712 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
16 file://dnsmasq-resolvconf.service \ 16 file://dnsmasq-resolvconf.service \
17 file://dnsmasq-noresolvconf.service \ 17 file://dnsmasq-noresolvconf.service \
18 file://dnsmasq-resolved.conf \ 18 file://dnsmasq-resolved.conf \
19 file://CVE-2026-4891.patch \
19" 20"
20SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b" 21SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b"
21 22
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch
new file mode 100644
index 0000000000..b566acb286
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch
@@ -0,0 +1,44 @@
1From 046fe2393ea47622b8e1c3e0c6dcca8347a6c431 Mon Sep 17 00:00:00 2001
2From: Simon Kelley <simon@thekelleys.org.uk>
3Date: Wed, 25 Mar 2026 23:04:08 +0000
4Subject: [PATCH] Verify rdlen field in RRSIG packets. CVE-2026-4891
5
6Bug report from Royce M <royce@xchglabs.com>
7
8This avoids crafted packets which give a value for rdlen _less_
9then the space taken up by the fixed data and the signer's name
10and engender a negative calculated length for the signature.
11
12CVE: CVE-2026-4891
13Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01]
14
15Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
16---
17 src/dnssec.c | 10 +++++++---
18 1 file changed, 7 insertions(+), 3 deletions(-)
19
20diff --git a/src/dnssec.c b/src/dnssec.c
21index 68f1b5d0..d32db5b4 100644
22--- a/src/dnssec.c
23+++ b/src/dnssec.c
24@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
25
26 *ttl_out = ttl;
27 }
28-
29+
30+ /* Don't trust rdlen not to be too small and give us a negative sig_len
31+ It has already been checked that it doesn't run us off the end
32+ of the packet. */
33+ if ((sig_len = rdlen - (p - psav)) <= 0)
34+ return STAT_BOGUS;
35+
36 sig = p;
37- sig_len = rdlen - (p - psav);
38-
39 nsigttl = htonl(orig_ttl);
40
41 hash->update(ctx, 18, psav);
42--
432.43.0
44