RedHat Security Advisory RHSA-2009:1238

# SPDX-FileCopyrightText: 2009 E-Soft Inc.
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.64673");
  script_version("2024-03-21T05:06:54+0000");
  script_tag(name:"last_modification", value:"2024-03-21 05:06:54 +0000 (Thu, 21 Mar 2024)");
  script_tag(name:"creation_date", value:"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)");
  script_cve_id("CVE-2009-2957", "CVE-2009-2958");
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_name("RedHat Security Advisory RHSA-2009:1238");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2009 E-Soft Inc.");
  script_family("Red Hat Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/rhel", "ssh/login/rpms", re:"ssh/login/release=RHENT_5");
  script_tag(name:"solution", value:"Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date");
  script_tag(name:"summary", value:"The remote host is missing updates announced in
advisory RHSA-2009:1238.

Dnsmasq is a lightweight and easy to configure DNS forwarder and DHCP
server.

Core Security Technologies discovered a heap overflow flaw in dnsmasq when
the TFTP service is enabled (the --enable-tftp command line option, or by
enabling enable-tftp in /etc/dnsmasq.conf). If the configured tftp-root
is sufficiently long, and a remote user sends a request that sends a long
file name, dnsmasq could crash or, possibly, execute arbitrary code with
the privileges of the dnsmasq service (usually the unprivileged nobody
user). (CVE-2009-2957)

A NULL pointer dereference flaw was discovered in dnsmasq when the TFTP
service is enabled. This flaw could allow a malicious TFTP client to crash
the dnsmasq service. (CVE-2009-2958)

Note: The default tftp-root is /var/ftpd, which is short enough to make
it difficult to exploit the CVE-2009-2957 issue. If a longer directory name
is used, arbitrary code execution may be possible. As well, the dnsmasq
package distributed by Red Hat does not have TFTP support enabled by
default.

All users of dnsmasq should upgrade to this updated package, which contains
a backported patch to correct these issues. After installing the updated
package, the dnsmasq service must be restarted for the update to take
effect.");
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name:"URL", value:"http://rhn.redhat.com/errata/RHSA-2009-1238.html");
  script_xref(name:"URL", value:"http://www.redhat.com/security/updates/classification/#important");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

res = "";
report = "";
if ((res = isrpmvuln(pkg:"dnsmasq", rpm:"dnsmasq~2.45~1.1.el5_3", rls:"RHENT_5")) != NULL) {
    report += res;
}
if ((res = isrpmvuln(pkg:"dnsmasq-debuginfo", rpm:"dnsmasq-debuginfo~2.45~1.1.el5_3", rls:"RHENT_5")) != NULL) {
    report += res;
}

if (report != "") {
    security_message(data:report);
} else if (__pkg_match) {
    exit(99);
}