USN-827-1: Dnsmasq vulnerabilities

1 September 2009

dnsmasq vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS

Software Description

  • dnsmasq

Details

IvAin Arce, Pablo HernAin Jorge, Alejandro Pablo Rodriguez, MartA­n Coco, Alberto SoliAto Testa and Pablo Annetta discovered that Dnsmasq did not properly validate its input when processing TFTP requests for files with long names. A remote attacker could cause a denial of service or execute arbitrary code with user privileges. Dnsmasq runs as the ‘dnsmasq’ user by default on Ubuntu. (CVE-2009-2957)

Steve Grubb discovered that Dnsmasq could be made to dereference a NULL pointer when processing certain TFTP requests. A remote attacker could cause a denial of service by sending a crafted TFTP request. (CVE-2009-2958)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04
dnsmasq-base - 2.47-3ubuntu0.1
Ubuntu 8.10
dnsmasq-base - 2.45-1ubuntu1.1
Ubuntu 8.04 LTS
dnsmasq-base - 2.41-2ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References