Shlomi Oberman

**Name of the Vulnerable Software and Affected Versions** dnsmasq versions prior to 2.83 **Description** A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. **Recommendations** For versions prior to 2.83, update to version 2.83 or later to resolve the issue. As a temporary workaround, consider restricting access to the DNS server to minimize the risk of exploitation. Avoid using the `sort rrset()` function in the `dnssec.c` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** dnsmasq versions prior to 2.83 **Description** A buffer overflow vulnerability was discovered in the way dnsmasq extracts names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the `extract name()` function, which writes data to the memory pointed by `name` assuming `MAXDNAME*2` bytes are available in the buffer. However, in some code execution paths, it is possible `extract name()` gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. **Recommendations** As a temporary workaround, consider disabling the `extract name()` function until a patch is available. Update to version 2.83 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** dnsmasq versions prior to 2.83 **Description** A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. The issue is caused by the lack of length checks in `extract name()` function in rfc1035.c, which could be abused to make the code execute `memcpy()` with a negative size in `sort rrset()` and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this issue is to system availability. **Recommendations** For dnsmasq versions prior to 2.83, update to version 2.83 or later to resolve the issue. As a temporary workaround, consider disabling DNSSEC until a patch is available. Restrict access to the `extract name()` function in rfc1035.c to minimize the risk of exploitation. Avoid using the `sort rrset()` function with unvalidated input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.1-rc1 **Description** A heap data infoleak was found in multiple locations, including the `L2CAP PARSE CONF RSP` function, in the Linux kernel. This issue is related to a buffer overflow in the heap, which can be exploited by a remote attacker to gain access to confidential data. **Recommendations** For Linux kernel versions prior to 5.1-rc1, update to a version 5.1-rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `L2CAP PARSE CONF RSP` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.1-rc1 **Description** A heap address information leak was discovered in the Linux kernel, related to the function L2CAP GET CONF OPT. This issue is associated with a buffer overflow in the heap, which can be exploited by a remote attacker to access confidential data. **Recommendations** For Linux kernel versions prior to 5.1-rc1, update to version 5.1-rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to the L2CAP GET CONF OPT function until a patch is available.