summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>2026-05-20 14:29:06 +0200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-05-21 09:56:20 +0530
commite614003e0af184d59b3eb85658149c8bef2ed50e (patch)
tree9054c17c8cdbfcd9becce620e97582cbd21afcc0
parentcab6f6c603ee2b35c72f9f7e70bf22e23706c9a0 (diff)
downloadmeta-openembedded-e614003e0af184d59b3eb85658149c8bef2ed50e.tar.gz
dnsmasq: Fix CVE-2026-4892
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes. [1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4892.patch Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb1
-rw-r--r--meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch41
2 files changed, 42 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
index 0d20e10712..21411839c7 100644
--- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
+++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
17 file://dnsmasq-noresolvconf.service \ 17 file://dnsmasq-noresolvconf.service \
18 file://dnsmasq-resolved.conf \ 18 file://dnsmasq-resolved.conf \
19 file://CVE-2026-4891.patch \ 19 file://CVE-2026-4891.patch \
20 file://CVE-2026-4892.patch \
20" 21"
21SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b" 22SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b"
22 23
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch
new file mode 100644
index 0000000000..148694a13f
--- /dev/null
+++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch
@@ -0,0 +1,41 @@
1From 2f029069825270a3b91eb5f50bb8477ed7f761d3 Mon Sep 17 00:00:00 2001
2From: Simon Kelley <simon@thekelleys.org.uk>
3Date: Wed, 25 Mar 2026 23:16:35 +0000
4Subject: [PATCH] Fix buffer overflow in helper.c with large CLIDs.
5 CVE-2026-4892
6
7Bug reported bt Royce M <royce@xchglabs.com>
8
9Location: helper.c:265-270
10DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
11the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
12A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
13
14Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
15
16CVE: CVE-2026-4892
17Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571]
18
19Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
20---
21 src/helper.c | 4 ++--
22 1 file changed, 2 insertions(+), 2 deletions(-)
23
24diff --git a/src/helper.c b/src/helper.c
25index b9da2259..3a31e618 100644
26--- a/src/helper.c
27+++ b/src/helper.c
28@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
29 data.hostname_len + data.ed_len + data.clid_len, 1))
30 continue;
31
32- /* CLID into packet */
33- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
34+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
35+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
36 {
37 p += sprintf(p, "%.2x", buf[i]);
38 if (i != data.clid_len - 1)
39--
402.43.0
41