Bug 519020 – CVE-2009-2957, CVE-2009-2958 dnsmasq: multiple vulnerabilities in TFTP server

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 519020 - (CVE-2009-2957, CVE-2009-2958) CVE-2009-2957, CVE-2009-2958 dnsmasq: multiple vulnerabilities in TFTP server

Summary:	CVE-2009-2957, CVE-2009-2958 dnsmasq: multiple vulnerabilities in TFTP server

Status:	CLOSED ERRATA

Aliases:	CVE-2009-2957, CVE-2009-2958

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,source=secalert,repo...
Keywords:	Security

Depends On:	519021 519022 520512 833889
Blocks:
	Show dependency tree / graph

Reported:	2009-08-24 12:09 EDT by Vincent Danen
Modified:	2012-06-20 10:04 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-03-29 06:11:17 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:1238	normal	SHIPPED_LIVE	Important: dnsmasq security update	2009-08-31 20:18:44 EDT

Groups: None (edit)

Description Vincent Danen 2009-08-24 12:09:49 EDT

Core Security Technologies discovered a heap overflow vulnerability in dnsmasq when the TFTP service is enabled ('--enable-tftp').  If the configured tftp-prefix is sufficiently long, and a remote user sent a request which sends a long file name, dnsmasq could crash or, possibly, execute arbitrary code with root privileges.

The default tftp-prefix is /var/tftpd, which is short enough to make this difficult to exploit; if a longer prefix is used then arbitrary code execution may be possible.  As well, Red Hat does not have TFTP support enabled by default.

Comment 7 Vincent Danen 2009-08-24 18:26:44 EDT

CORE has provided two CVE names:

CVE-2009-2957 for the heap overflow issue they found (possibly arbitrary code execution).

CVE-2009-2958 for the NULL-pointer dereference Steve found (remote DoS).

The disclosure date is August 31st.

Comment 9 Vincent Danen 2009-08-25 10:22:49 EDT

This is not a critical issue.  dnsmasq starts up as root but by default drops privileges to run as user nobody.  Because it runs non-privileged, and because of the non-default configuration requirements (i.e. enabling TFTP requires running dnsmasq without the initscript or modifying the initscript to enable it), as well as the fact that dnsmasq should realistically only ever be available to the local area network and not the internet-at-large, makes this an important impact issue.

Comment 10 Vincent Danen 2009-08-31 16:53:37 EDT

Embargo is lifted; 2.50 is available:

http://www.thekelleys.org.uk/dnsmasq/

Comment 12 errata-xmlrpc 2009-08-31 20:18:47 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1238 https://rhn.redhat.com/errata/RHSA-2009-1238.html

Comment 13 Tomas Hoger 2009-09-02 03:42:58 EDT

Core Security advisory:
  http://www.coresecurity.com/content/dnsmasq-vulnerabilities

Comment 14 Fedora Update System 2009-10-13 21:33:47 EDT

dnsmasq-2.46-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-10-13 21:58:52 EDT

dnsmasq-2.46-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.