On Wed, May 20, 2026 at 8:30 PM Hugo Simeliere via lists.openembedded.org <[email protected]> wrote: > > From: "Hugo SIMELIERE (Schneider Electric)" > <[email protected]> > > Pick patch from [1] dnsmasq 2.90 debian bookworm pacthes. > > [1] > https://sources.debian.org/src/dnsmasq/2.90-4~deb12u2/debian/patches/CVE-2026-4890.patch > > Signed-off-by: Hugo SIMELIERE (Schneider Electric) > <[email protected]> > Reviewed-by: Bruno VERNAY <[email protected]> > --- > .../recipes-support/dnsmasq/dnsmasq_2.90.bb | 1 + > .../dnsmasq/files/CVE-2026-4890.patch | 75 +++++++++++++++++++ > 2 files changed, 76 insertions(+) > create mode 100644 > meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch > > diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb > b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb > index 3281404e42..ecd17fa426 100644 > --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb > +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.90.bb > @@ -17,6 +17,7 @@ SRC_URI = > "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV > file://dnsmasq-noresolvconf.service \ > file://dnsmasq-resolved.conf \ > file://CVE-2026-2291.patch \ > + file://CVE-2026-4890.patch \ > " > SRC_URI[sha256sum] = > "8f6666b542403b5ee7ccce66ea73a4a51cf19dd49392aaccd37231a2c51b303b" > > diff --git > a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch > b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch > new file mode 100644 > index 0000000000..0b25239a86 > --- /dev/null > +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch 
> @@ -0,0 +1,75 @@ > +From 12e5ee3495842ededf8057758ef8da59745bbf33 Mon Sep 17 00:00:00 2001 > +From: Simon Kelley <[email protected]> > +Date: Fri, 10 Apr 2026 22:16:45 +0100 > +Subject: [PATCH] Fix NSEC bitmap parsing infinite loop. CVE-2026-4890 > + > +Report from Royce M <[email protected]>. > + > +Location: dnssec.c:1290-1306, dnssec.c:1450-1463 > + > +The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the > 2-byte window header). With bitmap_length=0, both rdlen and p are > +unchanged, causing an infinite loop and dnsmasq stops responding to all > queries. > + > +The same code accesses p[2] after only checking rdlen >= 2 without verifying > p[1] >= 1, causing OOB reads at 6 locations. > + > +Both bugs are reachable before RRSIG validation (confirmed by the source > comment at line 2125), so no valid DNSSEC signatures are needed. > + > +CVE: CVE-2026-4890 > +Upstream-Status: Backport > [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7b151eb60609a0139474918222806f9bcfb4fe71]
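Review bot: The provenance recorded in the new CVE-2026-4890.patch header is inconsistent. The `From 12e5ee3495842ededf8057758ef8da59745bbf33` line and the `h=7b151eb60609a0139474918222806f9bcfb4fe71` in `Upstream-Status: Backport [...]` name different commits, and the commit message says the file was picked from the Debian 2.90-4~deb12u2 patch set rather than from upstream git. Suggest stating next to Upstream-Status that the patch came via Debian's backport to 2.90 and listing what differs from the upstream commit, so the 2.90 adaptation of the two fixes described in the message (the window advance by p[1]+2 and the p[1] >= 1 check before reading p[2]) can be checked against the upstream change.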
This doesn't look like a simple backport. Can you please add a note with changes done and why?

Thanks,
Anuj
