CVE-2021-45955: 
NixOS vulnerability analysis and mitigation

Dnsmasq version 2.86 contains a heap-based buffer overflow vulnerability in the resize_packet function (CVE-2021-45955). The vulnerability exists due to the lack of proper bounds checking when performing pseudo header re-insertion. This vulnerability is disputed by the vendor, who states that CVE-2021-45951 through CVE-2021-45957 'do not represent real vulnerabilities.' However, security researchers have indicated that a security patch is needed (NVD, Dnsmasq Discuss).

The vulnerability is present in the resizepacket function, which is called from FuzzResizePacket and fuzzrfc1035.c. The issue stems from insufficient bounds checking during pseudo header re-insertion operations. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-787 (Out-of-bounds Write) (NVD, OSS-Fuzz).

If successfully exploited, this heap-based buffer overflow vulnerability could potentially allow attackers to cause a denial of service condition or possibly execute arbitrary code on affected systems. The vulnerability is rated as HIGH severity in the context of ecosystem-specific impact (OSS-Fuzz).

A security patch has been developed to prevent writing beyond packet size in resize_packet. The fix implements proper bounds checking for packet resizing operations. The patch was submitted by Red Hat engineer Petr Menšík, who confirmed that CVE-2021-45955 might be a valid vulnerability requiring remediation (Dnsmasq Discuss).

There has been some controversy regarding this vulnerability, with the vendor (Simon Kelley) submitting a request to MITRE to cancel the CVE, stating that it does not represent a real vulnerability. However, security researchers, particularly from Red Hat, have investigated the issue and determined that CVE-2021-45955 might be legitimate, unlike other related CVEs in the same batch (Dnsmasq Discuss).