Version in base suite: 2.91-1

Base version: dnsmasq_2.91-1
Target version: dnsmasq_2.91-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/dnsmasq/dnsmasq_2.91-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/d/dnsmasq/dnsmasq_2.91-1+deb13u1.dsc

 changelog                   |   13 ++++++++
 patches/CVE-2026-2291.patch |   29 +++++++++++++++++++
 patches/CVE-2026-4890.patch |   65 ++++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2026-4891.patch |   34 +++++++++++++++++++++++
 patches/CVE-2026-4892.patch |   30 ++++++++++++++++++++
 patches/CVE-2026-4893.patch |   26 +++++++++++++++++
 patches/CVE-2026-5172.patch |   26 +++++++++++++++++
 patches/series              |    6 ++++
 8 files changed, 229 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7xawaxdg/dnsmasq_2.91-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7xawaxdg/dnsmasq_2.91-1+deb13u1.dsc: no acceptable signature found
diff -Nru dnsmasq-2.91/debian/changelog dnsmasq-2.91/debian/changelog
--- dnsmasq-2.91/debian/changelog	2025-03-20 17:22:04.000000000 +0000
+++ dnsmasq-2.91/debian/changelog	2026-05-02 16:50:46.000000000 +0000
@@ -1,3 +1,16 @@
+dnsmasq (2.91-1+deb13u1) trixie-security; urgency=high
+
+  * d/p/*:
+    - CVE-2026-2291.patch: Fix buffer overflow in struct bigname.
+    - CVE-2026-4890.patch: Fix NSEC bitmap parsing infinite loop.
+    - CVE-2026-4891.patch: Verify rdlen field in RRSIG packets.
+    - CVE-2026-4892.patch: Fix buffer overflow in helper.c with large CLIDs.
+    - CVE-2026-4893.patch: Fix broken client subnet validation.
+    - CVE-2026-5172.patch: Fix buffer overflow vulnerability in
+      extract_addresses().
+
+ -- Sven Geuer <sge@debian.org>  Sat, 02 May 2026 18:50:46 +0200
+
 dnsmasq (2.91-1) unstable; urgency=medium
 
   * New upstream version 2.91
diff -Nru dnsmasq-2.91/debian/patches/CVE-2026-2291.patch dnsmasq-2.91/debian/patches/CVE-2026-2291.patch
--- dnsmasq-2.91/debian/patches/CVE-2026-2291.patch	1970-01-01 00:00:00.000000000 +0000
+++ dnsmasq-2.91/debian/patches/CVE-2026-2291.patch	2026-05-02 16:50:46.000000000 +0000
@@ -0,0 +1,29 @@
+commit ec2fbfbbdaa7d7db1c707dce26ce1a37cfe09660
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date:   Fri Apr 10 16:29:31 2026 +0100
+
+    Fix buffer overflow in struct bigname.  CVE-2026-2291
+    
+    All buffers capable of holding a domain name should be
+    at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum
+    size of a domain name. The accounts for the trailing zero and the
+    fact that some characters are escaped in the internal representation
+    of a domain name in dnsmasq.
+    
+    The declaration of struct bigname get this wrong, with the effect
+    that a remote attacker capable of asking DNS queries or answering DNS
+    queries can cause a large OOB write in the heap.
+    
+    This was first spotted by Andrew S. Fasano.
+
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -471,7 +471,7 @@
+ };
+ 
+ union bigname {
+-  char name[MAXDNAME];
++  char name[(2*MAXDNAME) + 1];
+   union bigname *next; /* freelist */
+ };
+ 
diff -Nru dnsmasq-2.91/debian/patches/CVE-2026-4890.patch dnsmasq-2.91/debian/patches/CVE-2026-4890.patch
--- dnsmasq-2.91/debian/patches/CVE-2026-4890.patch	1970-01-01 00:00:00.000000000 +0000
+++ dnsmasq-2.91/debian/patches/CVE-2026-4890.patch	2026-05-02 16:50:46.000000000 +0000
@@ -0,0 +1,65 @@
+commit de76f21e115c451cf0653790fc4b209cd4778a07
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date:   Fri Apr 10 22:16:45 2026 +0100
+
+    Fix NSEC bitmap parsing infinite loop. CVE-2026-4890
+    
+    Report from Royce M <royce@xchglabs.com>.
+    
+    Location: dnssec.c:1290-1306, dnssec.c:1450-1463
+    
+    The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are
+    unchanged, causing an infinite loop and dnsmasq stops responding to all queries.
+    
+    The same code accesses p[2] after only checking rdlen >= 2 without verifying p[1] >= 1, causing OOB reads at 6 locations.
+    
+    Both bugs are reachable before RRSIG validation (confirmed by the source comment at line 2125), so no valid DNSSEC signatures are needed.
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 415c4e5..8672444 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1274,10 +1274,10 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
+ 	     packet checked to be as long as rdlen implies in prove_non_existence() */
+ 	  
+ 	  /* If we can prove that there's no NS record, return that information. */
+-	  if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0)
++	  if (nons && rdlen >= 2 && p[0] == 0 && p[1] >= 1  && (p[2] & (0x80 >> T_NS)) != 0)
+ 	    *nons = 0;
+ 	  
+-	  if (rdlen >= 2 && p[0] == 0)
++	  if (rdlen >= 2 && p[0] == 0 && p[1] >= 1)
+ 	    {
+ 	      /* A CNAME answer would also be valid, so if there's a CNAME is should 
+ 		 have been returned. */
+@@ -1305,8 +1305,8 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
+ 		  break; /* finished checking */
+ 		}
+ 	      
+-	      rdlen -= p[1];
+-	      p +=  p[1];
++	      rdlen -= p[1] + 2;
++	      p +=  p[1] + 2;
+ 	    }
+ 	  
+ 	  return 0;
+@@ -1433,7 +1433,7 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
+ 		p += hash_len; /* skip next-domain hash */
+ 		rdlen -= p - psave;
+ 
+-		if (rdlen >= 2 && p[0] == 0)
++		if (rdlen >= 2 && p[0] == 0 && p[1] >= 1)
+ 		  {
+ 		    /* If we can prove that there's no NS record, return that information. */
+ 		    if (nons && (p[2] & (0x80 >> T_NS)) != 0)
+@@ -1462,8 +1462,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
+ 			break; /* finished checking */
+ 		      }
+ 		    
+-		    rdlen -= p[1];
+-		    p +=  p[1];
++		    rdlen -= p[1] + 2;
++		    p +=  p[1] + 2;
+ 		  }
+ 		
+ 		return 1;
diff -Nru dnsmasq-2.91/debian/patches/CVE-2026-4891.patch dnsmasq-2.91/debian/patches/CVE-2026-4891.patch
--- dnsmasq-2.91/debian/patches/CVE-2026-4891.patch	1970-01-01 00:00:00.000000000 +0000
+++ dnsmasq-2.91/debian/patches/CVE-2026-4891.patch	2026-05-02 16:50:46.000000000 +0000
@@ -0,0 +1,34 @@
+commit 2cacea42e4d45717bd0ce3ccfe8e78960245e5da
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date:   Wed Mar 25 23:04:08 2026 +0000
+
+    Verify rdlen field in RRSIG packets. CVE-2026-4891
+    
+    Bug report from Royce M <royce@xchglabs.com>
+    
+    This avoids crafted packets which give a value for rdlen _less_
+    then the space taken up by the fixed data and the signer's name
+    and engender a negative calculated length for the signature.
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 0860daa..4bb0495 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -546,10 +546,14 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
+ 
+ 	   *ttl_out = ttl;
+ 	 }
+-       
++
++      /* Don't trust rdlen not to be too small and give us a negative sig_len
++	 It has already been checked that it doesn't run us off the end
++	 of the packet. */
++      if ((sig_len = rdlen - (p - psav)) <= 0)
++	return STAT_BOGUS;
++
+       sig = p;
+-      sig_len = rdlen - (p - psav);
+-              
+       nsigttl = htonl(orig_ttl);
+       
+       hash->update(ctx, 18, psav);
diff -Nru dnsmasq-2.91/debian/patches/CVE-2026-4892.patch dnsmasq-2.91/debian/patches/CVE-2026-4892.patch
--- dnsmasq-2.91/debian/patches/CVE-2026-4892.patch	1970-01-01 00:00:00.000000000 +0000
+++ dnsmasq-2.91/debian/patches/CVE-2026-4892.patch	2026-05-02 16:50:46.000000000 +0000
@@ -0,0 +1,30 @@
+commit 011a36c51438c986535a7248ed2e7f424f8e1078
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date:   Wed Mar 25 23:16:35 2026 +0000
+
+    Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
+    
+    Bug reported bt Royce M <royce@xchglabs.com>
+    
+    Location: helper.c:265-270
+    DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
+    the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
+    A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
+    
+    Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
+
+diff --git a/src/helper.c b/src/helper.c
+index 72f81fe..2c12801 100644
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+ 		      data.hostname_len + data.ed_len + data.clid_len, RW_READ))
+ 	continue;
+ 
+-      /* CLID into packet */
+-      for (p = daemon->packet, i = 0; i < data.clid_len; i++)
++      /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
++      for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
+ 	{
+ 	  p += sprintf(p, "%.2x", buf[i]);
+ 	  if (i != data.clid_len - 1) 
diff -Nru dnsmasq-2.91/debian/patches/CVE-2026-4893.patch dnsmasq-2.91/debian/patches/CVE-2026-4893.patch
--- dnsmasq-2.91/debian/patches/CVE-2026-4893.patch	1970-01-01 00:00:00.000000000 +0000
+++ dnsmasq-2.91/debian/patches/CVE-2026-4893.patch	2026-05-02 16:50:46.000000000 +0000
@@ -0,0 +1,26 @@
+commit 434d68f2eb1a58744470698483a3ae09b5a9a870
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date:   Wed Mar 25 23:22:37 2026 +0000
+
+    Fix broken client subnet validation. CVE-2026-4893
+    
+    Bug report from Royce M <royce@xchglabs.com>
+    
+    Location: forward.c:713, edns0.c:421
+    
+    With --add-subnet enabled, process_reply() passes the OPT record
+    length (~23 bytes) instead of the packet length to check_source().
+    All internal bounds checks fail, and the function always returns 1.
+    ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
+
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -722,7 +722,7 @@
+       /* Get extended RCODE. */
+       rcode |= sizep[2] << 4;
+       
+-      if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, plen, pheader, query_source))
++      if (option_bool(OPT_CLIENT_SUBNET) && !check_source(header, n, pheader, query_source))
+ 	{
+ 	  my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
+ 	  return 0;
diff -Nru dnsmasq-2.91/debian/patches/CVE-2026-5172.patch dnsmasq-2.91/debian/patches/CVE-2026-5172.patch
--- dnsmasq-2.91/debian/patches/CVE-2026-5172.patch	1970-01-01 00:00:00.000000000 +0000
+++ dnsmasq-2.91/debian/patches/CVE-2026-5172.patch	2026-05-02 16:50:46.000000000 +0000
@@ -0,0 +1,26 @@
+commit fa3c8ddef6712b52f562813317e6a997e1210123
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date:   Mon Mar 30 16:24:33 2026 +0100
+
+    Fix buffer overflow vulnerability in extract_addresses() CVE-2026-5172
+    
+    Thanks to Hugo Martinez Ray for spotting this.
+    
+    The value of rdlen for an RR can be a lie, allowing the
+    call to extract_name() at rfc1025.c:952 to advance the value of p1
+    past the calculated end of the record. The makes the calculation
+    of bytes remaining in the RR underflow to a huge number and results
+    in a massive heap OOB read and certain crash.
+
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -985,7 +985,8 @@
+ 			      /* Name, extract it then re-encode. */
+ 			      int len;
+ 			      
+-			      if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
++			      /* rdlen may lie, and extract_name() advances p1 past where it says the record ends. */
++			      if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0) || (p1 > endrr))
+ 				{
+ 				  blockdata_free(addr.rrblock.rrdata);
+ 				  return 2;
diff -Nru dnsmasq-2.91/debian/patches/series dnsmasq-2.91/debian/patches/series
--- dnsmasq-2.91/debian/patches/series	2025-03-20 17:22:04.000000000 +0000
+++ dnsmasq-2.91/debian/patches/series	2026-05-02 16:50:46.000000000 +0000
@@ -1,2 +1,8 @@
 eliminate-privacy-breaches.patch
 trailing-white-space.patch
+CVE-2026-2291.patch
+CVE-2026-4890.patch
+CVE-2026-4891.patch
+CVE-2026-4892.patch
+CVE-2026-4893.patch
+CVE-2026-5172.patch