CVS commit: pkgsrc/net/dnsmasq

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Fri Jun  5 08:38:30 UTC 2026

Modified Files:
        pkgsrc/net/dnsmasq: Makefile distinfo

Log Message:
dnsmasq: updated to 2.93

version 2.93

Fix a corner-case in DNSSEC validation with wildcards. If we have
a wildcard record *.example.com and receive a query for
a.example.com then that's OK, but we have to check that there isn't
an actual a.example.com record. The corner case is when we get a
query for *.example.com in that case the non-existence check
is not required, was being done. Thanks to Jan Breig for
spotting this.

Enable support for inotify on FreeBSD 15.0-RELEASE, which added
Linux-compatible inotify support.

Fix DNSSEC failure with spurious RRSIGs. The presence of wrong
RRSIG RRs in replies caused DNSSEC validation to fail even
when the RRs do not require validation because the zone is
unsigned. Note that, at the time of this commit, Google
DNS appears to have the same bug, so if you're using 8.8.8.8
or friends as upstream, resolving the broken zones
(eg rivcoed.org) will still fail. Thanks to Petr Menšík
for the bug report.

Fix DNSSEC fail with CNAME replies to DS queries. A CNAME reply
to a DNSSEC query was confusing the validation logic. It now
accepts a signed CNAME reply to a DS query as proof that no DS
exists at the domain. This fixes the DS/zone break detection logic.

Fix regression in 2.92 release which broke DHCPv6 when a DHCP
relay is in use. Many thanks to Jørgen Søvik for help
finding this bug.

Modify the inotify implementation so that inotify watches are
only created after dnsmasq has changed permissions and userid.
This means that the permissions used when creating the watches
are the same as used for accessing watched files, which makes
more sense and avoids odd and confusing error conditions.

Rework storage allocation for domain names.  This fixes a security
bug that can cause heap-overwrite with long domain names.
CVE-2026-2291 covers this and a simple patch for existing
releases was released with the CVE. This patch reworks the whole
code base to make it cleaner and less liable to future
confusions. Either upgrading to 2.93 or applying the patch
to earlier versions is sufficient to close the security hole.
Thanks to Andrew S. Fasano for spotting this problem in the
first place.


To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 pkgsrc/net/dnsmasq/Makefile
cvs rdiff -u -r1.51 -r1.52 pkgsrc/net/dnsmasq/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/dnsmasq/Makefile
diff -u pkgsrc/net/dnsmasq/Makefile:1.56 pkgsrc/net/dnsmasq/Makefile:1.57
--- pkgsrc/net/dnsmasq/Makefile:1.56    Thu May 14 16:41:42 2026
+++ pkgsrc/net/dnsmasq/Makefile Fri Jun  5 08:38:30 2026
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.56 2026/05/14 16:41:42 ryoon Exp $
+# $NetBSD: Makefile,v 1.57 2026/06/05 08:38:30 adam Exp $
 
-DISTNAME=      dnsmasq-2.92
-PKGREVISION=   2
+DISTNAME=      dnsmasq-2.93
 CATEGORIES=    net
 MASTER_SITES=  https://thekelleys.org.uk/dnsmasq/
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/net/dnsmasq/distinfo
diff -u pkgsrc/net/dnsmasq/distinfo:1.51 pkgsrc/net/dnsmasq/distinfo:1.52
--- pkgsrc/net/dnsmasq/distinfo:1.51    Thu Jan 15 18:30:21 2026
+++ pkgsrc/net/dnsmasq/distinfo Fri Jun  5 08:38:30 2026
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.51 2026/01/15 18:30:21 adam Exp $
+$NetBSD: distinfo,v 1.52 2026/06/05 08:38:30 adam Exp $
 
-BLAKE2s (dnsmasq-2.92.tar.xz) = 3dc5d967d1fc258298e3bcc245f38d7f647e444f94718f1f79e2ce1066434ef1
-SHA512 (dnsmasq-2.92.tar.xz) = 14a4638f4819c88c1214f38ca66622ce618b800dcc0d271d4eec6fd97639611f2317b711f6342c62b1f132acc7c2dec657fbf26c004d0d55ef10786944ad0ad1
-Size (dnsmasq-2.92.tar.xz) = 637752 bytes
+BLAKE2s (dnsmasq-2.93.tar.xz) = 9cbe2a078f6e49e6f7a19f5a3dfa1012d5814c270af219735e5605c93debbf9d
+SHA512 (dnsmasq-2.93.tar.xz) = ee442c634c54f103e034ee5259f1802895f9e9d172891f14c644e260519da73f5dd6f28b75cb84c0b1cc5f9ec464ba8f40c87095fa96719cb0df831eae0887ee
+Size (dnsmasq-2.93.tar.xz) = 642764 bytes
 SHA1 (patch-src_bpf.c) = 4115a5391f57564663bbfc448fbb865c370318a6
 SHA1 (patch-src_dump.c) = e5788d9e3112b1e5b2ef7ce500b0262b95c375c6