diff --git a/backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch b/backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch new file mode 100644 index 0000000000000000000000000000000000000000..06089ec4e71411924a744f897d8093698f8a2cff --- /dev/null +++ b/backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch @@ -0,0 +1,32 @@ +From ae85ea38581e97445622d2dad79cd09775cb201a Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Thu, 21 Nov 2024 15:42:49 +0000 +Subject: [PATCH] Fix buffer overflow when configured lease-change script name + is too long. + +Thanks to Daniel Rhea for finding this one. + +Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=ae85ea38581e97445622d2dad79cd09775cb201a +Conflict:NA +--- + src/lease.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/lease.c b/src/lease.c +index 1a9f1c6..a944fbb 100644 +--- a/src/lease.c ++++ b/src/lease.c +@@ -155,6 +155,10 @@ void lease_init(time_t now) + #ifdef HAVE_SCRIPT + if (daemon->lease_change_command) + { ++ /* 6 == strlen(" init") plus terminator */ ++ if (strlen(daemon->lease_change_command) + 6 > DHCP_BUFF_SZ) ++ die(_("lease-change script name is too long"), NULL, EC_FILE); ++ + strcpy(daemon->dhcp_buff, daemon->lease_change_command); + strcat(daemon->dhcp_buff, " init"); + leasestream = popen(daemon->dhcp_buff, "r"); +-- +2.33.0 + diff --git a/backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch b/backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch new file mode 100644 index 0000000000000000000000000000000000000000..c74de9cfe646ac7fdfd00d2d099b959e41dda112 --- /dev/null +++ b/backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch @@ -0,0 +1,35 @@ +From b087cf4a6c3dd4c323a099770a44c24812381bf4 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Thu, 21 Nov 2024 15:28:31 +0000 +Subject: [PATCH] Fix out-of-bounds heap read in order_qsort(). + +We only need to order two server records on the ->serial field. +Literal address records are smaller and don't have +this field and don't need to be ordered on it. +To actually provoke this bug seems to need the same server-literal +to be repeated twice, eg --address=/a/1.1.1.1 --address-/a/1.1.1.1 +which is clearly rare in the wild, but if it did exist it could +provoke a SIGSEV. Thanks to Daniel Rhea for fuzzing this one. + +Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=b087cf4a6c3dd4c323a099770a44c24812381bf4 +Conflict:NA +--- + src/domain-match.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/domain-match.c b/src/domain-match.c +index e0f4313..d79967f 100644 +--- a/src/domain-match.c ++++ b/src/domain-match.c +@@ -540,7 +540,7 @@ static int order_qsort(const void *a, const void *b) + + /* Finally, order by appearance in /etc/resolv.conf etc, for --strict-order */ + if (rc == 0) +- if (!(s1->flags & SERV_LITERAL_ADDRESS)) ++ if (!(s1->flags & SERV_IS_LOCAL) && !(s2->flags & SERV_IS_LOCAL)) + rc = s1->serial - s2->serial; + + return rc; +-- +2.33.0 + diff --git a/dnsmasq.spec b/dnsmasq.spec index 507bac91b82a0088a05ad51545da9c0dac42a425..5e7ce94084f28f3c2fc2f82085b4f95a3890fd22 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -1,6 +1,6 @@ Name: dnsmasq Version: 2.86 -Release: 9 +Release: 10 Summary: Dnsmasq provides network infrastructure for small networks License: GPLv2 or GPLv3 URL: http://www.thekelleys.org.uk/dnsmasq/ @@ -49,6 +49,8 @@ Patch38: backport-Fix-use-after-free-in-mark_servers.patch Patch39: backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch Patch40: backport-CVE-2023-49441-Fix-standalone-SHA256-implementation.patch Patch41: backport-Fix-crash-when-reloading-DHCP-config-on-SIGHUP.patch +Patch42: backport-Fix-out-of-bounds-heap-read-in-order_qsort.patch +Patch43: backport-Fix-buffer-overflow-when-configured-lease-change-scr.patch BuildRequires: gcc BuildRequires: dbus-devel pkgconfig libidn2-devel nettle-devel systemd @@ -138,6 +140,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf %{_mandir}/man8/dnsmasq* %changelog +* Thu Dec 12 2024 huyizhen - 2.86-10 +- Type:bugfix +- CVE: +- SUG:NA +- DESC:backport upstream patches + * Sat Oct 12 2024 huyizhen - 2.86-9 - Type:bugfix - CVE: