oss-sec mailing list archives

Re: Questionable CVE's reported against dnsmasq


From: Art Manion <zmanion () protonmail com>
Date: Sat, 01 Nov 2025 17:33:37 +0000

On 2025-10-31 20:00, Solar Designer wrote:
> On Fri, Oct 31, 2025 at 09:06:09PM +0000, Art Manion wrote:
>
>> Does dnsmasq read the config file before dropping privileges?  I
>> think so, since dnsmasq needs to know what interfaces and ports to
>> bind to?
>>
>> Does dnsmasq check that the config file is root-owned and not user-
>> writable?  In my brief testing, no.
>>
>> Can a regular user call dnsmasq with '-C dnsmasq_malicious.conf'
>> and achieve memory corruption under root privileges?  Even if it's
>> unlikely to result in code execution, that privilege escalation
>> may qualify as a CVE-worthy vulnerability.
>
> I don't think a "check that the config file is root-owned and not
> user-writable" would be relevant since a maybe-relevant threat model
> involves config files intentionally created by other software such as a
> web UI, which would set permissions such that the file is processed, and
> since such checks are uncommon and the lack of them does not mean the
> software supports untrusted config files.

About an hour after posting this I slightly regretted it; my line of
thinking was along the lines of dnsmasq being setuid (it is not on
the systems I have at hand).  I agree that some other system that
uses dnsmasq should be responsible for managing privilege separation
if that system allowed low-privileged users to modify config files
that influenced the behavior of privileged programs.

 - Art
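For readers who want to see what the "root-owned and not user-writable" check discussed above looks like in practice, here is an added example. It is not dnsmasq code and not from either poster; the policy it enforces (regular file, owned by uid 0, no group/world write bit, opened with O_NOFOLLOW) is an assumption chosen for illustration, and whether a privileged parser should enforce it at all is exactly the design question raised in the thread, since a web UI writing the file as a service account would fail this policy. The check is done on the descriptor after open(), not on the path beforehand, so the file that passes is the file that is parsed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the trust check. */
enum cfg_trust {
    CFG_OK = 0,
    CFG_NOT_REGULAR,   /* directory, device, FIFO, socket, ... */
    CFG_BAD_OWNER,     /* owner is not uid 0 */
    CFG_WRITABLE,      /* group- or world-writable */
    CFG_IO_ERROR       /* open()/fstat() failed; errno is set */
};

/* Pure policy check on file attributes, kept separate from any I/O so it
 * can be exercised directly. Policy assumed here for illustration (this is
 * not dnsmasq's behaviour): regular file, owned by root, and no write bit
 * for group or others. */
enum cfg_trust config_attrs_trusted(mode_t mode, uid_t uid)
{
    if (!S_ISREG(mode))
        return CFG_NOT_REGULAR;
    if (uid != 0)
        return CFG_BAD_OWNER;
    if (mode & (S_IWGRP | S_IWOTH))
        return CFG_WRITABLE;
    return CFG_OK;
}

/* Open the config file and check the attributes of the descriptor actually
 * obtained, so the file that passes the check is the file that gets parsed
 * (a stat()-then-open() sequence would leave a race window). O_NOFOLLOW
 * rejects a symlink at the final path component. On CFG_OK, *fd_out holds
 * an open read-only descriptor that the caller owns. */
enum cfg_trust open_trusted_config(const char *path, int *fd_out)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return CFG_IO_ERROR;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return CFG_IO_ERROR;
    }
    enum cfg_trust verdict = config_attrs_trusted(st.st_mode, st.st_uid);
    if (verdict != CFG_OK) {
        close(fd);
        return verdict;
    }
    *fd_out = fd;
    return CFG_OK;
}

static const char *cfg_trust_str(enum cfg_trust t)
{
    switch (t) {
    case CFG_OK:          return "trusted";
    case CFG_NOT_REGULAR: return "not a regular file";
    case CFG_BAD_OWNER:   return "not owned by root";
    case CFG_WRITABLE:    return "group- or world-writable";
    case CFG_IO_ERROR:    return "open/fstat failed";
    }
    return "unknown";
}

/* Demo: refuse to parse a config that fails the policy. The default path
 * is only a placeholder for the demo. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/dnsmasq.conf";
    int fd;
    enum cfg_trust t = open_trusted_config(path, &fd);
    if (t == CFG_IO_ERROR) {
        fprintf(stderr, "%s: %s\n", path, strerror(errno));
        return 1;
    }
    if (t != CFG_OK) {
        fprintf(stderr, "refusing %s: %s\n", path, cfg_trust_str(t));
        return 1;
    }
    printf("%s: %s, would parse now (fd %d)\n", path, cfg_trust_str(t), fd);
    close(fd);
    return 0;
}
```

Compile with `cc -o cfgcheck cfgcheck.c` and run `./cfgcheck /path/to/file`. The check only has a security meaning when the parser runs with more privilege than the user who supplied the path, which is the setuid scenario Art describes as not applying on his systems; where a supervising component (a web UI, an init system) owns the file, that component's own access control is the boundary, as Solar Designer notes.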


