On Wed, May 20, 2026 at 8:30 PM Hugo Simeliere via
lists.openembedded.org
<[email protected]> wrote:
>
> From: "Hugo SIMELIERE (Schneider Electric)" 
> <[email protected]>
>
> Pick patch from [1] dnsmasq 2.90 debian bookworm patches.
>
> [1] 
> https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4890.patch
>
> Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
> <[email protected]>
> Reviewed-by: Bruno VERNAY <[email protected]>
> ---
>  .../recipes-support/dnsmasq/dnsmasq_2.90.bb   |  1 +
>  .../dnsmasq/files/CVE-2026-4890.patch         | 75 +++++++++++++++++++
>  2 files changed, 76 insertions(+)
>  create mode 100644 
> meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch
>
> diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb 
> b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
> index 3281404e42..ecd17fa426 100644
> --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
> +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb
> @@ -17,6 +17,7 @@ SRC_URI = 
> "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
>             file://dnsmasq-noresolvconf.service \
>             file://dnsmasq-resolved.conf \
>             file://CVE-2026-2291.patch \
> +           file://CVE-2026-4890.patch \
>  "
>  SRC_URI[sha256sum] = 
> "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b"
>
> diff --git 
> a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch 
> b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch
> new file mode 100644
> index 0000000000..0b25239a86
> --- /dev/null
> +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch
> @@ -0,0 +1,75 @@
> +From 12e5ee3495842ededf8057758ef8da59745bbf33 Mon Sep 17 00:00:00 2001
> +From: Simon Kelley <[email protected]>
> +Date: Fri, 10 Apr 2026 22:16:45 +0100
> +Subject: [PATCH] Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
> +
> +Report from Royce M <[email protected]>.
> +
> +Location: dnssec.c:1290-1306, dnssec.c:1450-1463
> +
> +The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 
> 2-byte window header). With bitmap_length=0, both rdlen and p are
> +unchanged, causing an infinite loop and dnsmasq stops responding to all 
> queries.
> +
> +The same code accesses p[2] after only checking rdlen >= 2 without verifying 
> p[1] >= 1, causing OOB reads at 6 locations.
> +
> +Both bugs are reachable before RRSIG validation (confirmed by the source 
> comment at line 2125), so no valid DNSSEC signatures are needed.
> +
> +CVE: CVE-2026-4890
> +Upstream-Status: Backport 
> [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7b151eb60609a0139474918222806f9bcfb4fe71]
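
Review bot: The provenance recorded in the new patch file's header is inconsistent. The Upstream-Status: Backport line cites upstream commit 7b151eb60609a0139474918222806f9bcfb4fe71, the From line carries 12e5ee3495842ededf8057758ef8da59745bbf33, and the commit message says the patch was picked from the Debian bookworm 2.90-4~deb12u2 patch set. Suggest stating in the header, next to Upstream-Status, that the patch was taken from Debian's version for 2.90 and listing what differs from the upstream commit. The description names two defects (the window advance by p[1] instead of p[1]+2, and the p[2] access without a p[1] >= 1 check at 6 locations), so that note should also confirm both are covered in the 2.90 code, since a later recipe refresh has no other way to tell which fix is actually applied.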

This doesn't look like a simple backport. Can you please add a note
with changes done and why?

Thanks,

Anuj