- Update package checksum - Remove obsolete upstreamed patches - Verify successful build and runtime functionality
Include upstream security fixes: - CVE-2026-2291 - CVE-2026-4890 Remove following patches as fixes are now included upstream: - CVE-2026-4891 - CVE-2026-4892 - CVE-2026-4893 - CVE-2026-5172 Signed-off-by: Abhishek Bachiphale <[email protected]> --- .../{dnsmasq_2.92.bb => dnsmasq_2.93.bb} | 6 +-- .../dnsmasq/files/CVE-2026-4891.patch | 40 ------------------- .../dnsmasq/files/CVE-2026-4892.patch | 36 ----------------- .../dnsmasq/files/CVE-2026-4893.patch | 34 ---------------- .../dnsmasq/files/CVE-2026-5172.patch | 34 ---------------- 5 files changed, 1 insertion(+), 149 deletions(-) rename meta-networking/recipes-support/dnsmasq/{dnsmasq_2.92.bb => dnsmasq_2.93.bb} (95%) delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.93.bb similarity index 95% rename from meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb rename to meta-networking/recipes-support/dnsmasq/dnsmasq_2.93.bb index 37a89abed5..765287018b 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.93.bb @@ -15,12 +15,8 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV file://dnsmasq-resolvconf.service \ file://dnsmasq-noresolvconf.service \ file://dnsmasq-resolved.conf \ - file://CVE-2026-4891.patch \ - file://CVE-2026-4892.patch \ - file://CVE-2026-4893.patch \ - file://CVE-2026-5172.patch \ " -SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1" +SRC_URI[sha256sum] = "cc967771abdafeb43d10db18932d6b59fd4bed2c69c22acf8cb96aff6920d55f" inherit pkgconfig update-rc.d systemd diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch deleted file mode 100644 index e721f5ec0b..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch +++ /dev/null @@ -1,40 +0,0 @@ -commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da -Author: Simon Kelley <[email protected]> -Date: Wed Mar 25 23:04:08 2026 +0000 - -Verify rdlen field in RRSIG packets. CVE-2026-4891 - -Bug report from Royce M <[email protected]> - -This avoids crafted packets which give a value for rdlen _less_ -then the space taken up by the fixed data and the signer's name -and engender a negative calculated length for the signature. - -CVE: CVE-2026-4891 - -Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 ] - -Signed-off-by: Abhishek Bachiphale <[email protected]> - -diff --git a/src/dnssec.c b/src/dnssec.c -index 0860daa..4bb0495 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in - - *ttl_out = ttl; - } -- -+ -+ /* Don't trust rdlen not to be too small and give us a negative sig_len -+ It has already been checked that it doesn't run us off the end -+ of the packet. */ -+ if ((sig_len = rdlen - (p - psav)) <= 0) -+ return STAT_BOGUS; -+ - sig = p; -- sig_len = rdlen - (p - psav); -- - nsigttl = htonl(orig_ttl); - - hash->update(ctx, 18, psav); diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch deleted file mode 100644 index 01637601a3..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit 011a36c51438c986535a7248ed2e7f424f8e1078 -Author: Simon Kelley <[email protected]> -Date: Wed Mar 25 23:16:35 2026 +0000 - -Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892 - -Bug reported bt Royce M <[email protected]> - -Location: helper.c:265-270 -DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured, -the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes). -A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges. - -Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed. - -CVE: CVE-2026-4892 - -Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571 ] - -Signed-off-by: Abhishek Bachiphale <[email protected]> - -diff --git a/src/helper.c b/src/helper.c -index 72f81fe..2c12801 100644 ---- a/src/helper.c -+++ b/src/helper.c -@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd) - data.hostname_len + data.ed_len + data.clid_len, RW_READ)) - continue; - -- /* CLID into packet */ -- for (p = daemon->packet, i = 0; i < data.clid_len; i++) -+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */ -+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++) - { - p += sprintf(p, "%.2x", buf[i]); - if (i != data.clid_len - 1) diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch deleted file mode 100644 index af7e4119e1..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit 434d68f2eb1a58744470698483a3ae09b5a9a870 -Author: Simon Kelley <[email protected]> -Date: Wed Mar 25 23:22:37 2026 +0000 - -Fix broken client subnet validation. CVE-2026-4893 - -Bug report from Royce M <[email protected]> - -Location: forward.c:713, edns0.c:421 - -With --add-subnet enabled, process_reply() passes the OPT record -length (~23 bytes) instead of the packet length to check_source(). -All internal bounds checks fail, and the function always returns 1. -ECS source validation per RFC 7871 Section 9.2 is completely bypassed. - -CVE: CVE-2026-4893 - -Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e3a26d092e47bf1d18aeadb758e4ca35c83b5f2d ] - -Signed-off-by: Abhishek Bachiphale <[email protected]> - -diff --git a/src/forward.c b/src/forward.c -index e2f64c0..208480d 100644 ---- a/src/forward.c -+++ b/src/forward.c -@@ -724,7 +724,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server - /* Get extended RCODE. */ - rcode |= sizep[2] << 4; - -- if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source)) -+ if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source)) - { - my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch")); - return 0; diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch deleted file mode 100644 index ce6e0f464b..0000000000 --- a/meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit fa3c8ddef6712b52f562813317e6a997e1210123 -Author: Simon Kelley <[email protected]> -Date: Mon Mar 30 16:24:33 2026 +0100 - -Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172 - -Thanks to Hugo Martinez Ray for spotting this. - -The value of rdlen for an RR can be a lie, allowing the -call to extract_name() at rfc1025.c:952 to advance the value of p1 -past the calculated end of the record. The makes the calculation -of bytes remaining in the RR underflow to a huge number and results -in a massive heap OOB read and certain crash. - -CVE: CVE-2026-5172 - -Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=073082ddc0aba7b8efa15a688d6183463b65effa ] - -Signed-off-by: Abhishek Bachiphale <[email protected]> - -diff --git a/src/rfc1035.c b/src/rfc1035.c -index f0e1082..7e05fb5 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t - /* Name, extract it then re-encode. */ - int len; - -- if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0)) -+ /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */ -+ if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr)) - { - blockdata_free(addr.rrblock.rrdata); - return 2; -- 2.40.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127515): https://lists.openembedded.org/g/openembedded-devel/message/127515 Mute This Topic: https://lists.openembedded.org/mt/119738138/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
