On 10/27/25 17:40, Michael Orlitzky wrote:
> On 2025-10-27 19:21:54, Moritz Mühlenhoff wrote:
>> On Mon, Oct 27, 2025 at 09:34:03AM -0700, Alan Coopersmith wrote:
>>> Among the new CVEs published this weekend were these from the VulDB CNA:
>>>
>>> For all three bugs, the documented "exploit" requires "Replace the default
>>> configuration file (/etc/dnsmasq.conf) with the provided malicious file."
>>> and if you can replace the server's configuration file you don't need to
>>> play games with putting invalid contents in to break the parser, but can
>>> simply change the configuration directly.
>>
>> The same nonsense also happened for the Kamailio SIP server (CVE-2025-12204,
>> CVE-2025-12205, CVE-2025-12206 and CVE-2025-12207).
>
> Config parser exploits are not necessarily bogus. The admin might
> allow group/ACL edits to the configuration files knowing that it
> allows group members to torch the service in question, while, at the
> same time, not trusting those group members to execute arbitrary
> commands as root.
>
> If the daemon is launched as an unprivileged user (before reading the
> config file) the risk is minimized, but often that isn't the case when
> you want to bind to privileged ports or read private keys that are
> defined in the config file.
Allowing partially trusted users to supply private keys is definitely a sensible use case. I'm not sure if allowing them to supply an arbitrary config file is sensible, but there are cases where a system generates a config file from untrusted input. For instance, I suspect that OPNsense generates dnsmasq and Unbound configuration files from data provided in the web UI.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
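Two defensive checks that follow from the trust boundary discussed in this thread, written as an added example rather than code from the thread, from dnsmasq or from OPNsense: a root daemon refusing a config file that anyone but root can write, and a config generator that validates UI-supplied values so they can never become extra directives. The option names and the `expected_uid` parameter are assumptions for illustration.

```python
import os
import re
import stat

# Assumption: a few dnsmasq option names a web UI might expose; not an exhaustive list.
ALLOWED_KEYS = {"interface", "domain", "server", "dhcp-range"}

# Values may only contain characters that cannot start a new line or a comment,
# so an input string can never turn into a second directive in the generated file.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9._:,/-]+")


def config_is_trusted(path: str, expected_uid: int = 0) -> bool:
    """Return True only if `path` is a regular file owned by `expected_uid`
    (root by default) and writable by nobody else.  A daemon that parses its
    config before dropping privileges can run this check first, so a group
    granted write access elsewhere never reaches the parser with root rights."""
    st = os.lstat(path)  # lstat: a symlink pointing at a trusted file does not count
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def render_directive(key: str, value: str) -> str:
    """Render one `key=value` line from UI-supplied data, rejecting unknown
    keys and any value that could smuggle in extra lines or comments."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"option {key!r} is not exposed to the UI")
    if not _SAFE_VALUE.fullmatch(value):
        raise ValueError(f"unsafe value for {key!r}")
    return f"{key}={value}\n"


def render_config(settings: dict) -> str:
    """Build the whole generated config; raises on the first bad entry so a
    partially written, partially attacker-controlled file is never produced."""
    return "".join(render_directive(k, v) for k, v in settings.items())


if __name__ == "__main__":
    # Constructed sample input, as a web UI might hand it to the generator.
    sample = {"interface": "lan0", "dhcp-range": "192.168.1.50,192.168.1.150,12h"}
    print(render_config(sample), end="")
```

The ownership check assumes a POSIX filesystem; on a system where the daemon keeps root while parsing, it belongs before the first read of the file, not after.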
