oss-sec mailing list archives
Re: Questionable CVE's reported against dnsmasq
From: Collin Funk <collin.funk1 () gmail com>
Date: Mon, 27 Oct 2025 14:33:49 -0700
Moritz Mühlenhoff <jmm () inutil org> writes:

> On Mon, Oct 27, 2025 at 09:34:03AM -0700, Alan Coopersmith wrote:
>> Among the new CVE's published this weekend were these from the VulDB CNA:
>>
>> For all three bugs, the documented "exploit" requires "Replace the default
>> configuration file (/etc/dnsmasq.conf) with the provided malicious file."
>> and if you can replace the server's configuration file you don't need to
>> play games with putting invalid contents in to break the parser, but can
>> simply change the configuration directly.
>
> The same nonsense also happened for the Kamailio SIP server (CVE-2025-12204,
> CVE-2025-12205, CVE-2025-12206 and CVE-2025-12207).

GNU Bison got 2 CVEs assigned that are bogus, CVE-2025-8734 and CVE-2025-8733. The report for CVE-2025-8733 has a stack trace that references files that do not exist in Bison. I'm pretty sure it is some AI hallucination mixing up Gnulib and glibc, since the stack trace looks like an ancient glibc version which had assertions there.

Collin
