CVE-2021-45957 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-935.yaml): Dnsmasq 2.86 has a heap-based buffer overflow in answer_request (called from FuzzAnswerTheRequest and fuzz_rfc1035.c). CVE-2021-45956 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-933.yaml): Dnsmasq 2.86 has a heap-based buffer overflow in print_mac (called from log_packet and dhcp_reply). CVE-2021-45955 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-932.yaml): Dnsmasq 2.86 has a heap-based buffer overflow in resize_packet (called from FuzzResizePacket and fuzz_rfc1035.c). CVE-2021-45954 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35861): Dnsmasq 2.86 has a heap-based buffer overflow in extract_name (called from answer_auth and FuzzAuth). CVE-2021-45953 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35858): Dnsmasq 2.86 has a heap-based buffer overflow in extract_name (called from hash_questions and fuzz_util.c). CVE-2021-45952 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35870): Dnsmasq 2.86 has a heap-based buffer overflow in dhcp_reply (called from dhcp_packet and FuzzDhcp). CVE-2021-45951 (https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-924.yaml): Dnsmasq 2.86 has a heap-based buffer overflow in check_bad_address (called from check_for_bogus_wildcard and FuzzCheckForBogusWildcard).
According to upstream, all CVEs are considered invalid. See mailing list. See: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016160.html Simons answer: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016161.html
Thanks, Conrad.
