The vast majority of vulnerabilities found recently are directly related to being written in memory unsafe languages, it's very difficult to justify that a DNS/DHCP server can't be written in rust or go and without using unsafe (well, maybe a few unsafe calls are still needed, but these will be a very small amount)...
Answer: no, but they're working on it.
https://forum.openwrt.org/t/dnsmasq-set-of-serious-cves/2500...
https://github.com/mirror/dd-wrt/issues/465
https://svn.dd-wrt.com/changeset/64944
https://svn.dd-wrt.com/changeset/64905
The release is "coming soon".
My own MaraDNS has been extensively audited now that we’re in the age of AI-assisted security audits.
Not one single serious security bug has been found since 2023. [1]
The only bugs auditers have been finding are things like “Deadwood, when fully recursive, will take longer than usual to release resources when getting this unusual packet” [2] or “This side utility included with MaraDNS, which hasn’t been able to be compiled since 2022, has a buffer overflow, but only if one’s $HOME is over 50 characters in length” [3]
I’m actually really pleased just how secure MaraDNS is now that it’s getting real in depth security audits.
[1] https://samboy.github.io/MaraDNS/webpage/security.html
I fixed CVE-2014-5461 for Lunacy back in 2021:
https://github.com/samboy/lunacy/commit/4de84e044c1219b06744...
This is discussed here:
https://samboy.github.io/MaraDNS/webpage/security.html#CVE-2...
In addition, I have done other security hardening with Lunacy compared to Lua 5.1:
https://samboy.github.io/MaraDNS/webpage/lunacy/
Now, I should probably explain why I’m using Lua 5.1 instead of the latest “official” version of Lua. Lua has an interesting history; in particular Lua 5.1 is the most popular version and the version which is most commonly used or forked against. Adobe Illustrator uses Lua 5.1, and Roblox uses a fork of Lua 5.1 called “luau”. LuaJIT is based on Lua 5.1, and other independent implementations of Lua (Moonsharp, etc.) are based on versions mostly compatible with Lua 5.1.
Lua 5.1 has a remarkably good security history, and of course I take responsibility for any security bugs in the Lua 5.1 codebase since I use the code with the relatively new coLunacyDNS server (Lua 5.1 isn’t used with the MaraDNS or Deadwood servers).
Lua 5.1 is used to convert documentation, but those scripts are run offline and the converted documents are part of the MaraDNS Git tree.I'm not convinced that vendoring, instead of embedding, is the right way.
The patch landing in 2021, instead of 2014, being one of those concerns.
(And you might want to recheck your assumption of how big 'int' will be, for rg32. C defines it in terms of minimum size, not direct size. int16_t isn't necessarily an alias.)
It's important to look at the actual vulnerability at the context, and not just list any CVE which matches by version.
MaraDNS has three components:
• MaraDNS, the authoritative server, which goes back all the way to 2001
• Deadwood, the recursive server, which was started back in 2007
• coLunacyDNS, which allows a DNS server to use Lua scripting; this didn’t exist until the COVID pandemic
Neither MaraDNS nor Deadwood use Lunacy (except as a scripting engine for converting documents); only coLunacyDNS uses Lunacy. coLunacyDNS uses a sandboxed and security hardened version of Lunacy (and, yes, I would accept bugs where someone could escape that sandbox), and the Lua scripts which coLunacyDNS uses can only be controlled by a local user and there is no capability to run Lua scripts remotely.
Unfortunately, that's not enough. Even if the vulnerable parts of the code are not being built, heck even if they have been completely erased from the source code, the auditors will still insist that you're vulnerable and must immediately upgrade, or else they will give your software a failing grade.
If I can find a CVE that _may_ affect the stack in five minutes, what _actual_ problems lurk there?
You vendor Lua - thus, it _is_ your responsibility to review every Lua CVE. You've set yourself up as the maintainer by vendoring.
"Well, sure, this component is insecure but an attacker can't reach it" is like a 50%+ positive signal for an unexpected privilege elevation bug.
I have several libraries that I've written. Not one single serious security bug in them has been found since 1991. Granted, nobody uses my libraries...
Not to diminish your team's achievement! :D But it's important to contextualize claims like this with information about what your userbase looks like
For example, when the Ghost Domain Name DNS vulnerability was discussed, MaraDNS was audited and named (MaraDNS was immune to the security bug, for the record)
https://web.archive.org/web/20120304054959/https://www.isc.o...
The question is a matter of impact because of how used the software is.
dnsmasq has served me well for like an eternity in multiple setups for different use cases. As all software it has bugs. And once located those get fixed. Its author is also easy to communicate with.
Why should I switch over to something way less proven? I'm quite sure your software also has bugs, many still not located. Maybe because it's less popular/ less well known nobody cares to hunt for those bugs? Which means even if the numbers of found bugs is less in your software at the moment, and it may look more audited for this reason, it may actually be way less secure.
Demonstrably some software has fewer bugs, and its authors are often hated, especially if they are a lone author like Bernstein. Because it must not happen!
Projects with useless churn and many bug reports are more popular because only activity matters, not quality.
I haven’t noticed antipathy, but I have noticed skepticism. I assume people with outlier records in any field get some extra inspection.
If it becomes jealousy-fueled not-picking, those people are insecure jerks. But unusual track records are worth understanding.
It's not! It's the foundation of all dev AI products marketing.
Must they prove their software to you? They're offering an alternative, not bargaining for a deal.
"a remote attacker capable of asking DNS queries or answering DNS queries can cause a large OOB write in the heap."
Malformed DNS response causes "infinite loop and dnsmasq stops responding to all queries."
Malicious DHCP request can cause buffer overlow.
I never understood why some projects get extremely popular and others don't. I also suspect by now that the reports by tools that are "too dangerous to release" scan all projects but selectively only contact those with issues, so that they never have to admit that their tool didn't find anything.
It's in popular projects.
It is a distorted view, because projects become popular by allowing indiscriminate commits, bugs, maintainers.
If I'd start a new project I'd allow anyone in and blog about 100 exploits every year, because that is exactly what people want. I'm serious.
10/10, no regrets, would recommend.
Is that the Linux way you are on about? No obviously not 8)
I think you mean the "unix idealized but never really happened exactly but we are quite close if you squint a bit ... way" where each tool does one job well and the pipeline takes up the slack.
A lot of these systems that are getting hit, and will probably continue to be hit over the next few weeks or months, have a similar story. The Linux kernel's only other potentially viable choice was C++ at the time. OpenSSL, a perennial security offender, was started in 1998. You can look up your own favorite major system library with major security issues and it's probably the same story.
I'm as aggressive as anyone about saying "don't write a new project in C for network access", but cast me back to 1998 and I couldn't tell you what other viable choices there are either. There are safer languages, but they were much, much smaller than the C community, and I couldn't promise you how stable they were either. Java was out, and I don't know when to draw the exact line as to when it became a serious contender for a network server, but late 200Xs would be my guess; certainly what I saw in 1999 wasn't yet.
Example: I ran a Haskell network server in 2011 for something relatively unimportant and it fell over under conditions that would not have been very extreme for a production network; I know it was Haskell and not my code because I reused the same code base in 2013 with no changes in the core run loop and it did about 90% better; still not enough that I would have put that system into a real production use case but enough to show it wasn't my code failing. So while Haskell may have existed in the 200Xs, it wouldn't have qualified as a viable choice for a network server at the time.
There's a lot more viable choices today than there used to be.
Plus of course they are slower and bigger.
Hopefully!
But, ai-deniers are telling us there is nothing to see ...
CVE-2026-2291 Heap buffer overflow, Infinite loop, Integer underflow, Heap buffer overflow ..
What else can they do, assuming the computers behind the router are all patched up.
It's definitely bad.
But I doubt it, they will lazily backport these patches to create some frankenstein one-off version and be done with it.
Before anyone says "tHaT's wHaT sTaBlE iS fOr": they have literally shipped straight-up broken packages before, because fixing it would somehow make it not "stable". They would rather ship useless, broken code than something too new. It's crazy.
The thing to complain about is if the version in testing is ancient.
That whole model dates to before automated testing was even really a thing, and no one knew how to do QA; your QA was all the people willing to run your code and report bugs, and that took time. Not to mention, you think the C of today is bad? Have you looked at old C?
And the disadvantage is that backporting is manual, resource intensive, and prone to error - and the projects that are the most heavily invested in that model are also the projects that are investing the least in writing tests and automated test infrastructure - because engineering time is a finite resource.
On top of that, the backport model heavily discourages the kinds of refactorings and architectural cleanups that would address bugs systemically and encourage a whack-a-mole approach - because in the backport model, people want fixes they can backport. And then things just get worse and worse.
We'd all be a lot better off if certain projects took some of the enthusiasm with which they throw outrageous engineering time at backports, and spent at least some of that on automated testing and converting to Rust.
That's not what it's about.
What it's about is, newer versions change things. A newer version of OpenSSH disables GSSAPI by default when an older version had it enabled. You don't want that as an automatic update because it will break in production for anyone who is actually using it. So instead the change goes into the testing release and the user discovers that in their test environment before rolling out the new release into production.
> On top of that, the backport model heavily discourages the kinds of refactorings and architectural cleanups that would address bugs systemically and encourage a whack-a-mole approach - because in the backport model, people want fixes they can backport.
They're not alternatives to each other. The stable release gets the backported patch, the next release gets the refactor.
But that's also why you want the stable release. The refactor is a larger change, so if it breaks something you want to find it in test rather than production.
Some people will even run Debian on the desktop. I would never, but some people get real upset when anything changes.
Debian does regularly bring newer versions of software: they release about every two years. If you want the latest and greatest Debian experience, upgrade Debian on week one.
From your description, you seem to want Arch but made by Debian?
FWIW the fixes referenced here are already fixed in trixie: https://security-tracker.debian.org/tracker/source-package/d...
why can't machine-learning write a product from scratch that is flawless?
Welcome to the new world order.
