Re: Questionable CVE's reported against dnsmasq

[Demi Marie Obenour <demiobenour () gmail com>]

On 10/27/25 17:40, Michael Orlitzky wrote:
> On 2025-10-27 19:21:54, Moritz Mühlenhoff wrote:
> > On Mon, Oct 27, 2025 at 09:34:03AM -0700, Alan Coopersmith wrote:
> > > Among the new CVE's published this weekend were these from the VulDB CNA:
> > >
> > > For all three bugs, the documented "exploit" requires "Replace the default
> > > configuration file (/etc/dnsmasq.conf) with the provided malicious file."
> > > and if you can replace the server's configuration file you don't need to
> > > play games with putting invalid contents in to break the parser, but can
> > > simply change the configuration directly.
> >
> > The same nonsense also happened for the Kamailio SIP server (CVE-2025-12204,
> > CVE-2025-12205, CVE-2025-12206 and CVE-2025-12207).
>
> Config parser exploits are not necessarily bogus. The admin might
> allow group/ACL edits to the configuration files knowing that it
> allows group members to torch the service in question, while, at the
> same time, not trusting those group members to execute arbitrary
> commands as root.
>
> If the daemon is launched as an unprivileged user (before reading the
> config file) the risk is minimized, but often that isn't the case when
> you want to bind to privileged ports or read private keys that are
> defined in the config file.

Allowing partially trusted users to supply private keys is definitely
a sensible use-case.  I'm not sure if allowing them to supply
an arbitrary config file is sensible, but there are cases where a
system generates a config file from untrusted input.  For instance,
I suspect that OPNsense generates dnsmasq and Unbound configuration
files from data provided in the web UI.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature