FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dnsmasq -- data exposure and denial of service

Affected packages
dnsmasq < 2.72_1
dnsmasq-devel < 2.73rc4

Details

VuXML ID 37569eb7-0125-11e5-9d98-080027ef73ec
Discovery 2015-04-07
Entry 2015-05-23

Nick Sampanis reported a potential memory exposure and denial of service vulnerability against dnsmasq 2.72. The CVE entry summarizes this as:

The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request."

References

CVE Name CVE-2015-3294
URL http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html
URL http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=ad4a8ff7d9097008d7623df8543df435bfddeac8