similarity index 94%
rename from meta-networking/recipes-support/dnsmasq/dnsmasq_2.92.bb
rename to meta-networking/recipes-support/dnsmasq/dnsmasq_2.93.bb
@@ -15,14 +15,8 @@ SRC_URI = "http://www.thekelleys.org.uk/dnsmasq/${@['archive/', ''][float(d.getV
file://dnsmasq-resolvconf.service \
file://dnsmasq-noresolvconf.service \
file://dnsmasq-resolved.conf \
- file://CVE-2026-2291.patch \
- file://CVE-2026-4890.patch \
- file://CVE-2026-4891.patch \
- file://CVE-2026-4892.patch \
- file://CVE-2026-4893.patch \
- file://CVE-2026-5172.patch \
"
-SRC_URI[sha256sum] = "fd908e79ff37f73234afcb6d3363f78353e768703d92abd8e3220ade6819b1e1"
+SRC_URI[sha256sum] = "cc967771abdafeb43d10db18932d6b59fd4bed2c69c22acf8cb96aff6920d55f"
inherit pkgconfig update-rc.d systemd
deleted file mode 100644
@@ -1,37 +0,0 @@
-commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date: Fri Apr 10 16:29:31 2026 +0100
-
-Fix buffer overflow in struct bigname. CVE-2026-2291
-
-All buffers capable of holding a domain name should be
-at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
-size of a domain name. The accounts for the trailing zero and the
-fact that some characters are escaped in the internal representation
-of a domain name in dnsmasq.
-
-The declaration of struct bigname get this wrong, with the effect
-that a remote attacker capable of asking DNS queries or answering DNS
-queries can cause a large OOB write in the heap.
-
-This was first spotted by Andrew S. Fasano.
-
-CVE: CVE-2026-2291
-
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=014e909f787e808bb35daa546d3f8f3663918de2 ]
-
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 254bacd..58be09f 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -479,7 +479,7 @@ struct interface_name {
- };
-
- union bigname {
-- char name[MAXDNAME];
-+ char name[(2*MAXDNAME) + 1];
- union bigname *next; /* freelist */
- };
-
deleted file mode 100644
@@ -1,50 +0,0 @@
-commit 4fdb707633afe8028118bcaf39b4882f634b5999
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date: Fri Apr 10 16:24:02 2026 +0100
-
-Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
-
-Report from Royce M <royce@xchglabs.com>.
-
-Location: dnssec.c:1290-1306, dnssec.c:1450-1463
-
-The bitmap window iteration advances by p[1] instead of p[1]+2
-(missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
-unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
-
-Reachable before RRSIG validation
-(confirmed by the source comment at line 2125), so no valid
-DNSSEC signatures are needed.
-
-CVE: CVE-2026-4890
-
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=7b151eb60609a0139474918222806f9bcfb4fe71 ]
-
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 4bb0495..3951620 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1348,8 +1348,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
- break; /* finished checking */
- }
-
-- rdlen -= p[1];
-- p += p[1];
-+ rdlen -= p[1] + 2;
-+ p += p[1] + 2;
- }
-
- return 0;
-@@ -1512,8 +1512,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
- break; /* finished checking */
- }
-
-- rdlen -= p[1];
-- p += p[1];
-+ rdlen -= p[1] + 2;
-+ p += p[1] + 2;
- }
-
- return 1;
deleted file mode 100644
@@ -1,40 +0,0 @@
-commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date: Wed Mar 25 23:04:08 2026 +0000
-
-Verify rdlen field in RRSIG packets. CVE-2026-4891
-
-Bug report from Royce M <royce@xchglabs.com>
-
-This avoids crafted packets which give a value for rdlen _less_
-then the space taken up by the fixed data and the signer's name
-and engender a negative calculated length for the signature.
-
-CVE: CVE-2026-4891
-
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=788b4e0f6c05217981b512bed4e5fea6f8855d01 ]
-
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 0860daa..4bb0495 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
-
- *ttl_out = ttl;
- }
--
-+
-+ /* Don't trust rdlen not to be too small and give us a negative sig_len
-+ It has already been checked that it doesn't run us off the end
-+ of the packet. */
-+ if ((sig_len = rdlen - (p - psav)) <= 0)
-+ return STAT_BOGUS;
-+
- sig = p;
-- sig_len = rdlen - (p - psav);
--
- nsigttl = htonl(orig_ttl);
-
- hash->update(ctx, 18, psav);
deleted file mode 100644
@@ -1,36 +0,0 @@
-commit 011a36c51438c986535a7248ed2e7f424f8e1078
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date: Wed Mar 25 23:16:35 2026 +0000
-
-Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
-
-Bug reported bt Royce M <royce@xchglabs.com>
-
-Location: helper.c:265-270
-DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
-the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
-A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
-
-Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
-
-CVE: CVE-2026-4892
-
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10e6b5b83e80749cba7b090d7780b29f908f0571 ]
-
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-
-diff --git a/src/helper.c b/src/helper.c
-index 72f81fe..2c12801 100644
---- a/src/helper.c
-+++ b/src/helper.c
-@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
- data.hostname_len + data.ed_len + data.clid_len, RW_READ))
- continue;
-
-- /* CLID into packet */
-- for (p = daemon->packet, i = 0; i < data.clid_len; i++)
-+ /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
-+ for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
- {
- p += sprintf(p, "%.2x", buf[i]);
- if (i != data.clid_len - 1)
deleted file mode 100644
@@ -1,34 +0,0 @@
-commit 434d68f2eb1a58744470698483a3ae09b5a9a870
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date: Wed Mar 25 23:22:37 2026 +0000
-
-Fix broken client subnet validation. CVE-2026-4893
-
-Bug report from Royce M <royce@xchglabs.com>
-
-Location: forward.c:713, edns0.c:421
-
-With --add-subnet enabled, process_reply() passes the OPT record
-length (~23 bytes) instead of the packet length to check_source().
-All internal bounds checks fail, and the function always returns 1.
-ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
-
-CVE: CVE-2026-4893
-
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=e3a26d092e47bf1d18aeadb758e4ca35c83b5f2d ]
-
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-
-diff --git a/src/forward.c b/src/forward.c
-index e2f64c0..208480d 100644
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -724,7 +724,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
- /* Get extended RCODE. */
- rcode |= sizep[2] << 4;
-
-- if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source))
-+ if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source))
- {
- my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
- return 0;
deleted file mode 100644
@@ -1,34 +0,0 @@
-commit fa3c8ddef6712b52f562813317e6a997e1210123
-Author: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon Mar 30 16:24:33 2026 +0100
-
-Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
-
-Thanks to Hugo Martinez Ray for spotting this.
-
-The value of rdlen for an RR can be a lie, allowing the
-call to extract_name() at rfc1025.c:952 to advance the value of p1
-past the calculated end of the record. The makes the calculation
-of bytes remaining in the RR underflow to a huge number and results
-in a massive heap OOB read and certain crash.
-
-CVE: CVE-2026-5172
-
-Upstream-Status: Backport [ https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=073082ddc0aba7b8efa15a688d6183463b65effa ]
-
-Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com>
-
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index f0e1082..7e05fb5 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -943,7 +943,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
- /* Name, extract it then re-encode. */
- int len;
-
-- if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
-+ /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */
-+ if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr))
- {
- blockdata_free(addr.rrblock.rrdata);
- return 2;
ChangeLog: https://dnsmasq.org/CHANGELOG - Update checksum - Remove obsolete patches - Verified build and runtime functionality Security fixes (included upstream in 2.93) : - CVE-2026-2291 - CVE-2026-4890 - CVE-2026-4891 - CVE-2026-4892 - CVE-2026-4893 - CVE-2026-5172 - Removed patches corresponding to the above CVEs as fixes are now part of upstream release Signed-off-by: Abhishek Bachiphale <Abhishek.Bachiphale@windriver.com> --- .../{dnsmasq_2.92.bb => dnsmasq_2.93.bb} | 8 +-- .../dnsmasq/files/CVE-2026-2291.patch | 37 -------------- .../dnsmasq/files/CVE-2026-4890.patch | 50 ------------------- .../dnsmasq/files/CVE-2026-4891.patch | 40 --------------- .../dnsmasq/files/CVE-2026-4892.patch | 36 ------------- .../dnsmasq/files/CVE-2026-4893.patch | 34 ------------- .../dnsmasq/files/CVE-2026-5172.patch | 34 ------------- 7 files changed, 1 insertion(+), 238 deletions(-) rename meta-networking/recipes-support/dnsmasq/{dnsmasq_2.92.bb => dnsmasq_2.93.bb} (94%) delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-2291.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-4890.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-4891.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-4892.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-4893.patch delete mode 100644 meta-networking/recipes-support/dnsmasq/files/CVE-2026-5172.patch