** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Simon Kelley informed us about the following issues in the dnsmasq TFTP code:

CVE-2009-2957: A heap buffer can be overflowed by 2+strlen(tftp-prefix) bytes. The problem is after access control, so only hosts which can do TFTP can attack; that's usually the local net, not the wider internet. It's not clear if that's enough for an attack, but it may well be, on some platforms.

CVE-2009-2958: DoS by NULL-pointer dereference, triggered by a crafted malformed packet.

The current disclosure date is Aug 31.
I'll attach a patch we got from upstream. Chutzpah, please prepare an ebuild that applies this patch and attach it to the bug, we can do prestabling here then. As usual, no commits to CVS before the issue is public, please.
Created attachment 202237 dnsmasq-CVE-2009-2957+2958.patch
This is now public per $URL. Adapting whiteboard. +*dnsmasq-2.50 (31 Aug 2009) + + 31 Aug 2009; Alex Legler <a3li@gentoo.org> -dnsmasq-2.46.ebuild, + -dnsmasq-2.47.ebuild, -dnsmasq-2.49.ebuild, +dnsmasq-2.50.ebuild: + Non-maintainer commit: Version bump for security bug 282653. Removing + unneded vulnerable versions. +
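Review bot: typo in the ChangeLog entry text, "unneded vulnerable versions" should read "unneeded vulnerable versions"; the rest of the entry matches the hunk (bump to 2.50, removal of the 2.46, 2.47 and 2.49 ebuilds).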
Arches, please test and mark stable: =net-dns/dnsmasq-2.50 Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable
Stable for HPPA.
alpha/arm/ia64/s390/sh/sparc stable
CVE-2009-2957 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2957): Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request. CVE-2009-2958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2958): The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option.
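The two NVD descriptions above point at the same two defensive checks a TFTP request parser needs: bound the filename against its destination buffer before copying, and treat an option name that arrives without a value (or with a non-numeric or out-of-range blksize) as a malformed packet instead of dereferencing a field that is not there. The following RRQ parser is an added illustration in C, not dnsmasq's tftp.c; the packet layout follows RFC 1350/2347 and the blksize limits RFC 2348, and all sample packets in the test are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#define TFTP_RRQ     1
#define MAX_FILENAME 255     /* fixed destination size; longer names are rejected, never truncated */
#define BLKSIZE_MIN  8       /* RFC 2348 limits for the blksize option */
#define BLKSIZE_MAX  65464
struct rrq { char filename[MAX_FILENAME + 1]; long blksize; /* 512 when no option is given */ };

/* String starting at *pos if it is NUL-terminated within len, else NULL; advances *pos past the NUL. */
static const char *next_field(const uint8_t *pkt, size_t len, size_t *pos)
{
    const void *nul = (*pos < len) ? memchr(pkt + *pos, 0, len - *pos) : NULL;
    if (!nul) return NULL;
    const char *s = (const char *)(pkt + *pos);
    *pos = (size_t)((const uint8_t *)nul - pkt) + 1;
    return s;
}

/* Parse a TFTP read request (RFC 1350 plus RFC 2347 options): 0 on success, -1 if malformed. */
int parse_rrq(const uint8_t *pkt, size_t len, struct rrq *out)
{
    size_t pos = 2;
    const char *name, *opt, *val;
    if (len < 4 || ((pkt[0] << 8) | pkt[1]) != TFTP_RRQ) return -1;
    /* Both strings must terminate inside the packet; the name is length-checked before any copy. */
    if (!(name = next_field(pkt, len, &pos)) || strlen(name) > MAX_FILENAME) return -1;
    if (!next_field(pkt, len, &pos)) return -1;               /* transfer mode ("octet", ...) */
    memcpy(out->filename, name, strlen(name) + 1);
    out->blksize = 512;
    while (pos < len) {                                       /* options come as name/value pairs */
        if (!(opt = next_field(pkt, len, &pos))) return -1;
        if (!(val = next_field(pkt, len, &pos))) return -1;   /* option name without a value */
        if (strcasecmp(opt, "blksize") == 0) {
            char *end; long v = strtol(val, &end, 10);
            if (*val == '\0' || *end != '\0' || v < BLKSIZE_MIN || v > BLKSIZE_MAX) return -1;
            out->blksize = v;
        }
    }
    return 0;
}

/* Convenience wrapper: negotiated blksize of a well-formed RRQ, or -1 if the packet is rejected. */
long rrq_blksize(const uint8_t *pkt, size_t len)
{
    struct rrq r;
    return parse_rrq(pkt, len, &r) == 0 ? r.blksize : -1;
}
```

A request whose strings run off the end of the datagram, or whose blksize option has no value, is rejected before any buffer is written or any missing field is read.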
amd64 stable
ppc64 done
If it's any help, net-dns/dnsmasq-2.50 with USE="dhcp ipv6 nls tftp -dbus" builds fine on ppc here, dns and dhcp work fine too (don't know about tftp, haven't used it).
ppc stable. thanks amne :)
GLSA 200909-19, thanks everyone.