diff options
| author | Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> | 2026-05-20 14:29:05 +0200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-05-21 09:56:19 +0530 |
| commit | cab6f6c603ee2b35c72f9f7e70bf22e23706c9a0 (patch) | |
| tree | 0489f16d57a57ddd3aa19b89a16d1548d4e57a7a | |
| parent | 59f8c396f936e99770e6876af1e68e27d696857c (diff) | |
| download | meta-openembedded-cab6f6c603ee2b35c72f9f7e70bf22e23706c9a0.tar.gz | |
dnsmasq: Fix CVE-2026-4891
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4891.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
| -rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb | 1 | ||||
| -rw-r--r-- | meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch | 44 |
2 files changed, 45 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb index 38fa271dc3..0d20e10712 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb | |||
| @@ -16,6 +16,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV | |||
| 16 | file://dnsmasq-resolvconf.service \ | 16 | file://dnsmasq-resolvconf.service \ |
| 17 | file://dnsmasq-noresolvconf.service \ | 17 | file://dnsmasq-noresolvconf.service \ |
| 18 | file://dnsmasq-resolved.conf \ | 18 | file://dnsmasq-resolved.conf \ |
| 19 | file://CVE-2026-4891.patch \ | ||
| 19 | " | 20 | " |
| 20 | SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b" | 21 | SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b" |
| 21 | 22 | ||
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch new file mode 100644 index 0000000000..b566acb286 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch | |||
| @@ -0,0 +1,44 @@ | |||
| 1 | From 046fe2393ea47622b8e1c3e0c6dcca8347a6c431 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
| 3 | Date: Wed, 25 Mar 2026 23:04:08 +0000 | ||
| 4 | Subject: [PATCH] Verify rdlen field in RRSIG packets. CVE-2026-4891 | ||
| 5 | |||
| 6 | Bug report from Royce M <royce@xchglabs.com> | ||
| 7 | |||
| 8 | This avoids crafted packets which give a value for rdlen _less_ | ||
| 9 | then the space taken up by the fixed data and the signer's name | ||
| 10 | and engender a negative calculated length for the signature. | ||
| 11 | |||
| 12 | CVE: CVE-2026-4891 | ||
| 13 | Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01] | ||
| 14 | |||
| 15 | Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> | ||
| 16 | --- | ||
| 17 | src/dnssec.c | 10 +++++++--- | ||
| 18 | 1 file changed, 7 insertions(+), 3 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/src/dnssec.c b/src/dnssec.c | ||
| 21 | index 68f1b5d0..d32db5b4 100644 | ||
| 22 | --- a/src/dnssec.c | ||
| 23 | +++ b/src/dnssec.c | ||
| 24 | @@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in | ||
| 25 | |||
| 26 | *ttl_out = ttl; | ||
| 27 | } | ||
| 28 | - | ||
| 29 | + | ||
| 30 | + /* Don't trust rdlen not to be too small and give us a negative sig_len | ||
| 31 | + It has already been checked that it doesn't run us off the end | ||
| 32 | + of the packet. */ | ||
| 33 | + if ((sig_len = rdlen - (p - psav)) <= 0) | ||
| 34 | + return STAT_BOGUS; | ||
| 35 | + | ||
| 36 | sig = p; | ||
| 37 | - sig_len = rdlen - (p - psav); | ||
| 38 | - | ||
| 39 | nsigttl = htonl(orig_ttl); | ||
| 40 | |||
| 41 | hash->update(ctx, 18, psav); | ||
| 42 | -- | ||
| 43 | 2.43.0 | ||
| 44 | |||
