Bug 1226091 (CVE-2023-49441) - VUL-0: CVE-2023-49441: dnsmasq: integer overflow via forward_query
Status: RESOLVED FIXED
Alias: CVE-2023-49441
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/409009/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-49441:7.5:(AV:...
Reported: 2024-06-07 11:32 UTC by SMASH SMASH
Modified: 2024-07-02 13:44 UTC

Found By: Security Response Team
Comment 1 Reinhard Max 2024-06-07 14:54:52 UTC
Version 2.9 got released in 2004 and is NOT the one affected by this bug.
The CVE description and the RH bug also got this wrong.

I found the affected line of code in versions 2.83 (where the respective source file got introduced) through 2.89, but in the current version 2.90 it is already fixed.

We already have 2.90 in Factory, SLE-15-SP2 and SLE-15-SP4.
Version 2.78 on SLE-12-SP1 does not yet contain the affected piece of code.

Only ALP and SLFO contain the affected version 2.89. I just submitted 2.90 to SUSE:SLFO:Main. Please let me know if I shall also submit it to ALP.

BTW, in the mail thread linked above upstream did not consider this to be a security issue.
Comment 2 OBSbugzilla Bot 2024-06-07 15:15:04 UTC
This is an autogenerated message for OBS integration:
This bug (1226091) was mentioned in
https://build.opensuse.org/request/show/1179330 Factory / dnsmasq