oss-sec mailing list archives
Re: Questionable CVE's reported against dnsmasq
From: Art Manion <zmanion () protonmail com>
Date: Fri, 31 Oct 2025 21:06:09 +0000
On 2025-10-27 18:49, Solar Designer wrote:
> What's common about the CVEs mentioned in this thread, including those against GNU Bison (so not config file parsing, but just bogus CVEs), is that all of them were assigned by VulDB as the CNA. VulDB even went to the effort (or automation?) to generate CVSS 2.0, 3.0, 3.1, and 4.0 vectors for all of these. It's pretty ridiculous for a CNA not only to assign bogus CVEs, but also have CVSS vectors and scores for them without realizing the error. This suggests a lack of proper process and/or expertise.
>
> At this point, I think we want to hear from VulDB on this, and from MITRE on their requirements for CNAs in general and VulDB in particular to review CVE requests before assignment. Maybe VulDB is in violation.

Speaking as a CVE Board member, but not for MITRE, I suggest that somebody dispute the dnsmasq (and Bison) CVE IDs. I'll do this unless somebody else wants to. There is room for improvements to CVE assignment, but the current path is to file disputes. Perhaps CNAs with "high" dispute counts or ratios warrant some sort of action.

Considering the CVE vulnerability determination rules, if there is no net security impact or gain to the attacker, then:

"4.1.2 Conditions or behaviors that do not lead to a security impact SHOULD NOT be determined to be Vulnerabilities. Examples of security impacts include an increase in access for an attacker, a decrease in availability of a target, or another violation of security policy."

https://www.cve.org/resourcessupport/allresources/cnarules#section_4-1_Vulnerability_Determination

Does dnsmasq read the config file before dropping privileges? I think so, since dnsmasq needs to know what interfaces and ports to bind to?

Does dnsmasq check that the config file is root-owned and not user-writable? In my brief testing, no.

Can a regular user call dnsmasq with '-C dnsmasq_malicious.conf' and achieve memory corruption under root privileges? Even if it's unlikely to result in code execution, that privilege escalation may qualify as a CVE-worthy vulnerability.

Regards,

- Art
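
[Added example, not part of the original message and not dnsmasq code: one way a daemon that parses its config file before dropping privileges could perform the ownership and writability check asked about above. The names open_trusted_config and sample_accepted are hypothetical; the trusted owner is passed in as an assumption (uid 0 for a root-run daemon), and the sample files are constructed temp files.]

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

static int reject(int fd, int err) { close(fd); errno = err; return -1; }

/* Hypothetical helper: returns a read-only fd only if path is a regular file
 * owned by trusted_uid and not writable by group or others; else -1/errno. */
int open_trusted_config(const char *path, uid_t trusted_uid)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the last component; O_NONBLOCK avoids
     * hanging on a FIFO before the file type has been checked. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fstat() the descriptor, not the path, so the object that is checked
     * is the object that is later parsed (no check-then-open race). */
    if (fstat(fd, &st) != 0) return reject(fd, errno);
    if (!S_ISREG(st.st_mode)) return reject(fd, EINVAL);
    if (st.st_uid != trusted_uid) return reject(fd, EPERM);
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return reject(fd, EACCES);
    return fd;
}

/* Constructed sample input: a temp file with the given mode, owned by the
 * caller. Returns 1 if accepted, 0 if rejected, -1 on setup failure. */
int sample_accepted(mode_t mode, uid_t trusted_uid)
{
    char path[] = "/tmp/cfgcheck-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    if (fchmod(tmp, mode) != 0) { close(tmp); unlink(path); return -1; }
    close(tmp);
    int fd = open_trusted_config(path, trusted_uid);
    if (fd >= 0) close(fd);
    unlink(path);
    return fd >= 0;
}

int main(void)
{
    uid_t me = geteuid();   /* stands in for the trusted owner in this demo */
    printf("0644, trusted owner: %d\n", sample_accepted(0644, me));
    printf("0666, trusted owner: %d\n", sample_accepted(0666, me));
    printf("0600, other owner:   %d\n", sample_accepted(0600, me + 1));
    return 0;
}
```

[The check covers only the file itself; a writable parent directory would still let the file be replaced, so the containing directories need the same ownership rule.]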
