[Dnsmasq-discuss] dnsmasq SECURITY problem.

Simon Kelley simon at thekelleys.org.uk
Mon Aug 31 17:46:23 BST 2009


A couple of security problems have been found in dnsmasq. One by CORE
security and one by Steve Grubb at Red Hat. Both problems affect the
same bit of code and one vulnerability is a subset of the other, so I'm
treating them as a unit for remediation purposes.

Bug discovered by Steve Grubb at Red Hat:
    Bugtraq id: 36120
    CVE: 2009-2958

This allows a crafted malformed TFTP packet to crash dnsmasq with a NULL
pointer dereference.


Bug discovered by Core:
    Bugtraq id: 36121
    CVE: 2009-2957

This allows a crafted TFTP packet to overflow the heap by the length of
the tftp-prefix. This may be exploitable to gain control of the daemon
with non-root privileges, depending on the exact layout of memory.
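An added illustration (not dnsmasq's code, and not a description of the actual defective routine): a TFTP request parser with the two checks the two bugs above call for, a filename that is NUL-terminated inside the received packet, and a path buffer sized for the prefix as well as the filename. The packet bytes and the prefix value are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* TFTP opcodes (RFC 1350). */
#define TFTP_RRQ 1
#define TFTP_WRQ 2

/* Parse a TFTP RRQ/WRQ (opcode, filename, NUL, mode, NUL) and return a
   heap-allocated "prefix/filename" path, or NULL if malformed. Caller frees. */
char *tftp_request_path(const uint8_t *pkt, size_t len, const char *prefix)
{
    if (len < 4) return NULL;                 /* opcode plus two terminators */
    unsigned opcode = ((unsigned)pkt[0] << 8) | pkt[1];
    if (opcode != TFTP_RRQ && opcode != TFTP_WRQ) return NULL;
    /* The filename must end inside the packet: memchr is bounded by len,
       so an unterminated name is rejected instead of being read past the
       buffer or turned into a NULL pointer later on. */
    const uint8_t *name = pkt + 2;
    const uint8_t *name_end = memchr(name, '\0', len - 2);
    if (!name_end || name_end == name) return NULL;
    size_t name_len = (size_t)(name_end - name);
    /* The mode string must be terminated inside the packet as well. */
    const uint8_t *mode = name_end + 1;
    if (!memchr(mode, '\0', len - (size_t)(mode - pkt))) return NULL;
    /* Size the destination for prefix, '/', filename and NUL. Leaving the
       prefix out of this sum is how a heap buffer ends up short by exactly
       strlen(prefix). */
    size_t plen = strlen(prefix);
    char *path = malloc(plen + 1 + name_len + 1);
    if (!path) return NULL;
    memcpy(path, prefix, plen);
    path[plen] = '/';
    memcpy(path + plen + 1, name, name_len);
    path[plen + 1 + name_len] = '\0';
    return path;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t rrq_ok[] = { 0, TFTP_RRQ, 'p','x','e','l','i','n','u','x','.','0', 0, 'o','c','t','e','t', 0 };
static const uint8_t rrq_cut[] = { 0, TFTP_RRQ, 'p', 'x', 'e' };   /* no terminator at all */

/* 1 if the good packet yields "<prefix>/pxelinux.0" and the cut one is rejected. */
int tftp_self_check(const char *prefix)
{
    char *p = tftp_request_path(rrq_ok, sizeof rrq_ok, prefix);
    int ok = p && strcmp(p + strlen(prefix), "/pxelinux.0") == 0;
    free(p);
    return ok && tftp_request_path(rrq_cut, sizeof rrq_cut, prefix) == NULL;
}
```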


No exploits for either of these are known in the wild: both were found
by code inspection. Only dnsmasq daemons which have TFTP enabled with
--enable-tftp are vulnerable, and an attack must come from an address
which is allowed to do TFTP (i.e., NOT the wider internet, in general).



I have made a new release, 2.50, which is available at

http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.50.tar.gz

and is simply version 2.49 plus the patch required to fix this.

Patches which apply to dnsmasq 2.42 and later, and one for earlier
versions are also available for download from the dnsmasq download
directory.

Major Linux and *BSD distros will be releasing security updates very
soon. The rest will, I hope, follow in due course.

Cheers,

Simon.
