On Fri, May 29, 2026 at 3:58 PM Anuj Mittal <[email protected]> wrote: > > I will drop this and proposed patch for 4890 for same reasons as given > for scarthgap: > > https://lists.openembedded.org/g/openembedded-devel/message/127125 > > https://lists.openembedded.org/g/openembedded-devel/message/127126 > > Thanks, >
I somehow missed your scarthgap feedback, sorry about that. Please drop it. > Anuj > > On Sat, May 23, 2026 at 1:01 PM Ankur Tyagi via lists.openembedded.org > <[email protected]> wrote: > > > > From: Abhishek Bachiphale <[email protected]> > > > > dnsmasqs extract_name() function can be abused to cause a heap buffer > > overflow, allowing an attacker to inject false DNS cache entries, > > which could result in DNS lookups to redirect to an attacker-controlled > > IP address, or to cause a DoS. > > > > Reference: > > [ https://nvd.nist.gov/vuln/detail/CVE-2026-2291 ] > > > > Signed-off-by: Abhishek Bachiphale <[email protected]> > > Signed-off-by: Khem Raj <[email protected]> > > (cherry picked from commit a53328688a239e97b8383ffbfd7b4b4eca108d73) > > Signed-off-by: Ankur Tyagi <[email protected]> > > --- > > .../recipes-support/dnsmasq/dnsmasq_2.92.bb | 1 + > > .../dnsmasq/files/CVE-2026-2291.patch | 37 +++++++++++++++++++ > > 2 files changed, 38 insertions(+) > > create mode 100644 > > meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch > > > > diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb > > b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb > > index 59509ecba2..bef058aa3e 100644 > > --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb > > +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb > > @@ -15,6 +15,7 @@ SRC_URI = > > "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV > > file://dnsmasq-resolvconf.service \ > > file://dnsmasq-noresolvconf.service \ > > file://dnsmasq-resolved.conf \ > > + file://CVE-2026-2291.patch \ > > " > > SRC_URI[sha256sum] = > > "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1" > > > > diff --git > > a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch > > b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch > > new file mode 100644 > > index 0000000000..6e42f32136 > > --- /dev/null > > +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch > > @@ -0,0 +1,37 @@ > > +commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660 > > +Author: Simon Kelley <[email protected]> > > +Date: Fri Apr 10 16:29:31 2026 +0100 > > + > > +Fix buffer overflow in struct bigname. CVE-2026-2291 > > + > > +All buffers capable of holding a domain name should be > > +at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum > > +size of a domain name. The accounts for the trailing zero and the > > +fact that some characters are escaped in the internal representation > > +of a domain name in dnsmasq. > > + > > +The declaration of struct bigname get this wrong, with the effect > > +that a remote attacker capable of asking DNS queries or answering DNS > > +queries can cause a large OOB write in the heap. > > + > > +This was first spotted by Andrew S. Fasano. > > + > > +CVE: CVE-2026-2291 > > + > > +Upstream-Status: Backport [ > > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=014e909f787e808bb35daa546d3f8f3663918de2 > > ] > > + > > +Signed-off-by: Abhishek Bachiphale <[email protected]> > > + > > +diff --git a/src/dnsmasq.h b/src/dnsmasq.h > > +index 254bacd..58be09f 100644 > > +--- a/src/dnsmasq.h > > ++++ b/src/dnsmasq.h > > +@@ -479,7 +479,7 @@ struct interface_name { > > + }; > > + > > + union bigname { > > +- char name[MAXDNAME]; > > ++ char name[(2*MAXDNAME) + 1]; > > + union bigname *next; /* freelist */ > > + }; > > + > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127281): https://lists.openembedded.org/g/openembedded-devel/message/127281 Mute This Topic: https://lists.openembedded.org/mt/119451385/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
