On Fri, May 29, 2026 at 3:58 PM Anuj Mittal
<[email protected]> wrote:
>
> I will drop this and proposed patch for 4890 for same reasons as given
> for scarthgap:
>
> https://lists.openembedded.org/g/openembedded-devel/message/127125
>
> https://lists.openembedded.org/g/openembedded-devel/message/127126
>
> Thanks,
>

I somehow missed your scarthgap feedback, sorry about that.
Please drop it.

> Anuj
>
> On Sat, May 23, 2026 at 1:01 PM Ankur Tyagi via lists.openembedded.org
> <[email protected]> wrote:
> >
> > From: Abhishek Bachiphale <[email protected]>
> >
> > dnsmasqs extract_name() function can be abused to cause a heap buffer
> > overflow, allowing an attacker to inject false DNS cache entries,
> > which could result in DNS lookups to redirect to an attacker-controlled
> > IP address, or to cause a DoS.
> >
> > Reference:
> > [ https://nvd.nist.gov/vuln/detail/CVE-2026-2291 ]
> >
> > Signed-off-by: Abhishek Bachiphale <[email protected]>
> > Signed-off-by: Khem Raj <[email protected]>
> > (cherry picked from commit a53328688a239e97b8383ffbfd7b4b4eca108d73)
> > Signed-off-by: Ankur Tyagi <[email protected]>
> > ---
> >  .../recipes-support/dnsmasq/dnsmasq_2.92.bb   |  1 +
> >  .../dnsmasq/files/CVE-2026-2291.patch         | 37 +++++++++++++++++++
> >  2 files changed, 38 insertions(+)
> >  create mode 100644 
> > meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch
> >
> > diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb 
> > b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
> > index 59509ecba2..bef058aa3e 100644
> > --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
> > +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
> > @@ -15,6 +15,7 @@ SRC_URI = 
> > "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
> >             file://dnsmasq-resolvconf.service \
> >             file://dnsmasq-noresolvconf.service \
> >             file://dnsmasq-resolved.conf \
> > +           file://CVE-2026-2291.patch \
> >  "
> >  SRC_URI[sha256sum] = 
> > "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"
> >
> > diff --git 
> > a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch 
> > b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch
> > new file mode 100644
> > index 0000000000..6e42f32136
> > --- /dev/null
> > +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch
> > @@ -0,0 +1,37 @@
> > +commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660
> > +Author: Simon Kelley <[email protected]>
> > +Date:   Fri Apr 10 16:29:31 2026 +0100
> > +
> > +Fix buffer overflow in struct bigname.  CVE-2026-2291
> > +
> > +All buffers capable of holding a domain name should be
> > +at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
> > +size of a domain name. The accounts for the trailing zero and the
> > +fact that some characters are escaped in the internal representation
> > +of a domain name in dnsmasq.
> > +
> > +The declaration of struct bigname get this wrong, with the effect
> > +that a remote attacker capable of asking DNS queries or answering DNS
> > +queries can cause a large OOB write in the heap.
> > +
> > +This was first spotted by Andrew S. Fasano.
> > +
> > +CVE: CVE-2026-2291
> > +
> > +Upstream-Status: Backport [ 
> > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=014e909f787e808bb35daa546d3f8f3663918de2
> >  ]
> > +
> > +Signed-off-by: Abhishek Bachiphale <[email protected]>
> > +
> > +diff --git a/src/dnsmasq.h b/src/dnsmasq.h
> > +index 254bacd..58be09f 100644
> > +--- a/src/dnsmasq.h
> > ++++ b/src/dnsmasq.h
> > +@@ -479,7 +479,7 @@ struct interface_name {
> > + };
> > +
> > + union bigname {
> > +-  char name[MAXDNAME];
> > ++  char name[(2*MAXDNAME) + 1];
> > +   union bigname *next; /* freelist */
> > + };
> > +
> >
> > 
> >
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#127281): 
https://lists.openembedded.org/g/openembedded-devel/message/127281
Mute This Topic: https://lists.openembedded.org/mt/119451385/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to