Message-ID: <97ec62c1-fc1f-4025-8f7d-daf3a26065f1@protonmail.com>
Date: Sat, 01 Nov 2025 17:33:37 +0000
From: Art Manion <zmanion@...tonmail.com>
To: oss-security@...ts.openwall.com
Subject: Re: Questionable CVE's reported against dnsmasq

On 2025-10-31 20:00, Solar Designer wrote:
> On Fri, Oct 31, 2025 at 09:06:09PM +0000, Art Manion wrote:

>> Does dnsmasq read the config file before dropping privileges?  I
>> think so, since dnsmasq needs to know what interfaces and ports to
>> bind to?
>> 
>> Does dnsmasq check that the config file is root-owned and not user-
>> writable?  In my brief testing, no.
>> 
>> Can a regular user call dnsmasq with '-C dnsmasq_malicious.conf'
>> and achieve memory corruption under root privileges?  Even if it's
>> unlikely to result in code execution, that privilege escalation
>> may qualify as a CVE-worthy vulnerability.

> I don't think a "check that the config file is root-owned and not
> user-writable" would be relevant since a maybe-relevant threat model
> involves config files intentionally created by other software such as a
> web UI, which would set permissions such that the file is processed, and
> since such checks are uncommon and the lack of them does not mean the
> software supports untrusted config files.

About an hour after posting this I slightly regretted it; my line of
thinking was along the lines of dnsmasq being setuid (it is not on
the systems I have at hand).  I agree that some other system that
uses dnsmasq should be responsible for managing privilege separation
if that system allowed low-privileged users to modify config files
that influenced the behavior of privileged programs.

 - Art

