Bug 830367 (CVE-2021-45951, CVE-2021-45952, CVE-2021-45953, CVE-2021-45954, CVE-2021-45955, CVE-2021-45956, CVE-2021-45957) - net-dns/dnsmasq: multiple vulnerabilities
Summary: net-dns/dnsmasq: multiple vulnerabilities
Status: RESOLVED INVALID
Alias: CVE-2021-45951, CVE-2021-45952, CVE-2021-45953, CVE-2021-45954, CVE-2021-45955, CVE-2021-45956, CVE-2021-45957
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-01 02:00 UTC by Sam James
Modified: 2022-02-28 15:59 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:00:23 UTC
CVE-2021-45957 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-935.yaml):

Dnsmasq 2.86 has a heap-based buffer overflow in answer_request (called from FuzzAnswerTheRequest and fuzz_rfc1035.c).

CVE-2021-45956 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-933.yaml):

Dnsmasq 2.86 has a heap-based buffer overflow in print_mac (called from log_packet and dhcp_reply).

CVE-2021-45955 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-932.yaml):

Dnsmasq 2.86 has a heap-based buffer overflow in resize_packet (called from FuzzResizePacket and fuzz_rfc1035.c).

CVE-2021-45954 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35861):

Dnsmasq 2.86 has a heap-based buffer overflow in extract_name (called from answer_auth and FuzzAuth).

CVE-2021-45953 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35858):

Dnsmasq 2.86 has a heap-based buffer overflow in extract_name (called from hash_questions and fuzz_util.c).

CVE-2021-45952 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35870):

Dnsmasq 2.86 has a heap-based buffer overflow in dhcp_reply (called from dhcp_packet and FuzzDhcp).

CVE-2021-45951 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-924.yaml):

Dnsmasq 2.86 has a heap-based buffer overflow in check_bad_address (called from check_for_bogus_wildcard and FuzzCheckForBogusWildcard).
Comment 1 Conrad Kostecki gentoo-dev 2022-02-28 13:44:43 UTC
According to upstream, all CVEs are considered invalid. See mailing list.


See: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016160.html

Simon's answer: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016161.html
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-28 15:59:09 UTC
Thanks, Conrad.