Message-ID: <76f8e74c-d9cc-4f20-8061-488598f85fe7@protonmail.com>
Date: Fri, 31 Oct 2025 21:06:09 +0000
From: Art Manion <zmanion@...tonmail.com>
To: oss-security@...ts.openwall.com
Subject: Re: Questionable CVE's reported against dnsmasq

On 2025-10-27 18:49, Solar Designer wrote:
> What's common about the CVEs mentioned in this thread, including those
> against GNU Bison (so not config file parsing, but just bogus CVEs), is
> that all of them were assigned by VulDB as the CNA. VulDB even went to
> the effort (or automation?) to generate CVSS 2.0, 3.0, 3.1, and 4.0
> vectors for all of these. It's pretty ridiculous for a CNA not only to
> assign bogus CVEs, but also have CVSS vectors and scores for them
> without realizing the error. This suggests a lack of proper process
> and/or expertise.
>
> At this point, I think we want to hear from VulDB on this, and from
> MITRE on their requirements for CNAs in general and VulDB in particular
> to review CVE requests before assignment. Maybe VulDB is in violation.

Speaking as a CVE Board member, but not for MITRE, I suggest that
somebody dispute the dnsmasq (and Bison) CVE IDs. I'll do this unless
somebody else wants to.

There is room for improvements to CVE assignment, but the current path
is to file disputes. Perhaps CNAs with "high" dispute counts or ratios
warrant some sort of action.

Considering the CVE vulnerability determination rules, if there is no
net security impact or gain to the attacker, then:

"4.1.2 Conditions or behaviors that do not lead to a security impact
SHOULD NOT be determined to be Vulnerabilities. Examples of security
impacts include an increase in access for an attacker, a decrease in
availability of a target, or another violation of security policy."

https://www.cve.org/resourcessupport/allresources/cnarules#section_4-1_Vulnerability_Determination

Does dnsmasq read the config file before dropping privileges? I think
so, since dnsmasq needs to know what interfaces and ports to bind to?

Does dnsmasq check that the config file is root-owned and not
user-writable? In my brief testing, no.

Can a regular user call dnsmasq with '-C dnsmasq_malicious.conf' and
achieve memory corruption under root privileges? Even if it's unlikely
to result in code execution, that privilege escalation may qualify as a
CVE-worthy vulnerability.

Regards,

 - Art