** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **
Simon Kelley informed us about the following issues in the dnsmasq TFTP code:
A heap buffer can be overflowed by 2+strlen(tftp-prefix) bytes.
The problem is after access control, so only hosts which can do TFTP can attack, that's usually local net, not the wider internet.
It's not clear if that's enough for an attack, but it may well be, on some platforms.
DoS by NULL-pointer dereference, triggered by crafted malformed packet.
The current disclosure date is Aug 31.
I'll attach a patch we got from upstream. Chutzpah, please prepare an ebuild that applies this patch and attach it to the bug, we can do prestabling here then.
As usual, no commits to CVS before the issue is public, please.
Created attachment 202237
This is now public per $URL.
+*dnsmasq-2.50 (31 Aug 2009)
+ 31 Aug 2009; Alex Legler <email@example.com> -dnsmasq-2.46.ebuild,
+ -dnsmasq-2.47.ebuild, -dnsmasq-2.49.ebuild, +dnsmasq-2.50.ebuild:
+ Non-maintainer commit: Version bump for security bug 282653. Removing
+ unneded vulnerable versions.
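Review bot: typo in the last line of the ChangeLog entry, "unneded" should read "unneeded"; worth fixing before it lands in the tree since ChangeLog text is copied into release notes verbatim.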
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Heap-based buffer overflow in the tftp_request function in tftp.c in
dnsmasq before 2.50, when --enable-tftp is used, might allow remote
attackers to execute arbitrary code via a long filename in a TFTP
packet, as demonstrated by a read (aka RRQ) request.
The tftp_request function in tftp.c in dnsmasq before 2.50, when
--enable-tftp is used, allows remote attackers to cause a denial of
service (NULL pointer dereference and daemon crash) via a TFTP read
(aka RRQ) request with a malformed blksize option.
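The two checks that the CVE descriptions above call for, as an added example that is not dnsmasq's own code: a bounds-checked parser for a TFTP read request with RFC 2347 options. It assumes the server builds the path as prefix + "/" + filename into a caller-supplied buffer, accepts octet mode only, and limits blksize to the RFC 2348 range; the function and constant names are mine.

```c
/* Added example, not dnsmasq's own code: bounds-checked TFTP RRQ parsing. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
enum { TFTP_OK = 0, TFTP_BAD_OPCODE, TFTP_BAD_NAME, TFTP_NAME_TOO_LONG,
       TFTP_BAD_MODE, TFTP_BAD_OPTION, TFTP_BAD_BLKSIZE };

/* Return the string at pkt[*off] only if its NUL terminator lies inside the
 * packet, advancing *off past it; NULL means the field runs off the end. */
static const char *next_string(const uint8_t *pkt, size_t len, size_t *off)
{
    const uint8_t *nul = *off < len ? memchr(pkt + *off, 0, len - *off) : NULL;
    if (!nul) return NULL;
    const char *s = (const char *)(pkt + *off);
    *off = (size_t)(nul - pkt) + 1;
    return s;
}

/* Parse an RRQ (opcode 1). On success path holds prefix + "/" + name and
 * *blksize the negotiated block size (512 when the client sends no option). */
int parse_rrq(const uint8_t *pkt, size_t len, const char *prefix,
              char *path, size_t path_cap, unsigned *blksize)
{
    size_t off = 2;
    if (len < 2 || pkt[0] != 0 || pkt[1] != 1) return TFTP_BAD_OPCODE;
    const char *name = next_string(pkt, len, &off);
    if (!name || !*name) return TFTP_BAD_NAME;
    /* prefix + '/' + name + NUL must fit; the report above says the vulnerable
     * version could overrun its buffer by exactly 2+strlen(tftp-prefix) bytes. */
    if (strlen(prefix) + 2 + strlen(name) > path_cap) return TFTP_NAME_TOO_LONG;
    const char *mode = next_string(pkt, len, &off);
    if (!mode || strcasecmp(mode, "octet") != 0) return TFTP_BAD_MODE; /* octet only */
    *blksize = 512;
    while (off < len) {                          /* option/value pairs */
        const char *opt = next_string(pkt, len, &off);
        const char *val = next_string(pkt, len, &off);
        if (!opt || !val) return TFTP_BAD_OPTION;  /* option with no value */
        if (strcasecmp(opt, "blksize") == 0) {    /* RFC 2348 range 8..65464 */
            char *end; errno = 0;
            long v = strtol(val, &end, 10);
            if (errno || end == val || *end || v < 8 || v > 65464) return TFTP_BAD_BLKSIZE;
            *blksize = (unsigned)v;
        }                                        /* unknown options ignored */
    }
    snprintf(path, path_cap, "%s/%s", prefix, name);
    return TFTP_OK;
}
```

Every field is located with a length-aware scan before it is used, so a request that is truncated mid-field, that has a blksize option without a value, or that has a non-numeric value is rejected with a distinct code instead of being dereferenced.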
If it's any help, net-dns/dnsmasq-2.50 with USE="dhcp ipv6 nls tftp -dbus" builds fine on ppc here, dns and dhcp work fine too (don't know about tftp, haven't used it).
ppc stable. thanks amne :)
GLSA 200909-19, thanks everyone.