diff options
| author | Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> | 2026-05-20 14:29:06 +0200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-05-21 09:56:20 +0530 |
| commit | e614003e0af184d59b3eb85658149c8bef2ed50e (patch) | |
| tree | 9054c17c8cdbfcd9becce620e97582cbd21afcc0 | |
| parent | cab6f6c603ee2b35c72f9f7e70bf22e23706c9a0 (diff) | |
| download | meta-openembedded-e614003e0af184d59b3eb85658149c8bef2ed50e.tar.gz | |
dnsmasq: Fix CVE-2026-4892
Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes.
[1] https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4892.patch
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
| -rw-r--r-- | meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb | 1 | ||||
| -rw-r--r-- | meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch | 41 |
2 files changed, 42 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb index 0d20e10712..21411839c7 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb | |||
| @@ -17,6 +17,7 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV | |||
| 17 | file://dnsmasq-noresolvconf.service \ | 17 | file://dnsmasq-noresolvconf.service \ |
| 18 | file://dnsmasq-resolved.conf \ | 18 | file://dnsmasq-resolved.conf \ |
| 19 | file://CVE-2026-4891.patch \ | 19 | file://CVE-2026-4891.patch \ |
| 20 | file://CVE-2026-4892.patch \ | ||
| 20 | " | 21 | " |
| 21 | SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b" | 22 | SRC_URI[sha256sum] = "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b" |
| 22 | 23 | ||
diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch new file mode 100644 index 0000000000..148694a13f --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From 2f029069825270a3b91eb5f50bb8477ed7f761d3 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Simon Kelley <simon@thekelleys.org.uk> | ||
| 3 | Date: Wed, 25 Mar 2026 23:16:35 +0000 | ||
| 4 | Subject: [PATCH] Fix buffer overflow in helper.c with large CLIDs. | ||
| 5 | CVE-2026-4892 | ||
| 6 | |||
| 7 | Bug reported bt Royce M <royce@xchglabs.com> | ||
| 8 | |||
| 9 | Location: helper.c:265-270 | ||
| 10 | DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured, | ||
| 11 | the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes). | ||
| 12 | A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges. | ||
| 13 | |||
| 14 | Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed. | ||
| 15 | |||
| 16 | CVE: CVE-2026-4892 | ||
| 17 | Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571] | ||
| 18 | |||
| 19 | Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com> | ||
| 20 | --- | ||
| 21 | src/helper.c | 4 ++-- | ||
| 22 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/src/helper.c b/src/helper.c | ||
| 25 | index b9da2259..3a31e618 100644 | ||
| 26 | --- a/src/helper.c | ||
| 27 | +++ b/src/helper.c | ||
| 28 | @@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd) | ||
| 29 | data.hostname_len + data.ed_len + data.clid_len, 1)) | ||
| 30 | continue; | ||
| 31 | |||
| 32 | - /* CLID into packet */ | ||
| 33 | - for (p = daemon->packet, i = 0; i < data.clid_len; i++) | ||
| 34 | + /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */ | ||
| 35 | + for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++) | ||
| 36 | { | ||
| 37 | p += sprintf(p, "%.2x", buf[i]); | ||
| 38 | if (i != data.clid_len - 1) | ||
| 39 | -- | ||
| 40 | 2.43.0 | ||
| 41 | |||
