Bug 715764 (CVE-2019-14834) - <net-dns/dnsmasq-2.80-r2: Memory leak in the create_helper() function in /src/helper.c (CVE-2019-14834)
Summary: <net-dns/dnsmasq-2.80-r2: Memory leak in the create_helper() function in /src...
Status: RESOLVED FIXED
Alias: CVE-2019-14834
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/gentoo/gentoo/pull...
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-04-01 13:56 UTC by Allen Webb
Modified: 2020-04-25 23:58 UTC

See Also:
Package list:
net-dns/dnsmasq-2.80-r2 amd64 arm arm64 hppa ppc ppc64 sparc x86
Runtime testing required: ---


Description Allen Webb 2020-04-01 13:56:21 UTC
There is an unpatched memory leak CVE in dnsmasq. Here are some references:
https://nvd.nist.gov/vuln/detail/CVE-2019-14834
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14834

Here is the upstream fix:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69bc94779c2f035a9fffdb5327a54c3aeca73ed5

The fix looks low risk to me.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 16:53:37 UTC
Thanks for reporting a security bug. Make sure you put it in the Gentoo Security component next time so that the security team can pick up on it.
Comment 2 Larry the Git Cow gentoo-dev 2020-04-01 17:21:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d2cde891f94eed8019bde4deb0612af08cb0d30

commit 5d2cde891f94eed8019bde4deb0612af08cb0d30
Author:     Allen-Webb <allenwebb@google.com>
AuthorDate: 2020-04-01 14:44:02 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-04-01 17:19:21 +0000

    net-dns/dnsmasq-2.80-r2: Revbump, fix CVE-2019-14834
    
    Bug: https://bugs.gentoo.org/715764
    Signed-off-by: Allen-Webb <allenwebb@google.com>
    Closes: https://github.com/gentoo/gentoo/pull/15197
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 ...smasq-2.80-r1.ebuild => dnsmasq-2.80-r2.ebuild} |  1 +
 .../files/dnsmasq-2.80-cve-2019-14834.patch        | 39 ++++++++++++++++++++++
 2 files changed, 40 insertions(+)
Comment 3 Patrick McLean gentoo-dev 2020-04-01 17:21:40 UTC
security: we should be fine to stabilize this
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 17:39:17 UTC
(In reply to Patrick McLean from comment #3)
> security: we should be fine to stabilize this

Great, thanks for the quick merge!
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 00:36:47 UTC
Didn't catch it was already stable on those arches. Tree is clean. Thanks again.

Changing to glsa?
Comment 6 NATTkA bot gentoo-dev 2020-04-12 19:21:11 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2020-04-25 23:58:53 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].