oss-sec mailing list archives

Re: Questionable CVE's reported against dnsmasq

From: Peter Gutmann <pgut001 () cs auckland ac nz>
Date: Fri, 14 Nov 2025 02:58:42 +0000

Jacob Bachmeyer <jcb62281 () gmail com> writes:

Ah yes, the universal arbitrary code execution exploit:  simply replace the
program text with malicious code.  :-)

Can we call it CVE-Zero?  :-P


The best one I've run into is enabling an undocumented internal build option
that turns on extra code for coverage/fuzz testing, then reporting it as a
vuln while ignoring the fact that the debug code also implements SSLKEYLOGFILE
which dumps the plaintext TLS master secret to the diagnostic output.

Aside from the OpenSSH pseudovulnerability that started all this, anyone else
have any interesting stories?

Peter.

Current thread:

Re: Questionable CVE's reported against dnsmasq, (continued)
- - - Re: Questionable CVE's reported against dnsmasq Solar Designer (Nov 01)
    - Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Nov 02)
    - Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 01)
    - Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 01)
    - Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 03)
    - Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 03)
    - Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 03)
    - Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 12)
    - Re: Questionable CVE's reported against dnsmasq Alexander Patrakov (Nov 13)
    - Re: Questionable CVE's reported against dnsmasq Jacob Bachmeyer (Nov 13)
    - Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 13)
    - Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Nov 14)
    - Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 14)
    - Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 02)
    - Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 03)
    - Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 04)
    - Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 04)
    - Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 05)
    - Re: Questionable CVE's reported against dnsmasq Pedro Sampaio (Nov 05)
    - Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 06)
    - Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 28)

(Thread continues...)