Pi-hole Ad-Blocker FTL < 5.5 Multiple Vulnerabilities in Dnsmasq (DNSpooq)

Information

Severity

High

Family

Web application abuses

CVSSv2 Base

7.5

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution Type

Vendor Patch

Created

3 years ago

Modified

3 years ago

Summary

Dnsmasq as used in the 'FTL' component of the Pi-hole Ad-Blocker is prone to multiple vulnerabilities dubbed 'DNSpooq'.

Insight

The following flaws exist in Dnsmasq versions prior to 2.83 as used in the 'FTL' component:

- A heap-based buffer overflow in sort_rrset() when DNSSEC is used. (CVE-2020-25681)
- A buffer overflow in the extract_name() function due to a missing length check, when DNSSEC is enabled. (CVE-2020-25682)
- A heap-based buffer overflow when DNSSEC is enabled. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata(). (CVE-2020-25683)
- A lack of a proper address/port check in the reply_query function. (CVE-2020-25684)
- A lack of query resource name (RRNAME) checks in the reply_query function. (CVE-2020-25685)
- Multiple DNS query requests for the same resource name (RRNAME) allow remote attackers to spoof DNS traffic using a birthday attack (RFC 5452). (CVE-2020-25686)
- A heap-based buffer overflow with a large memcpy in sort_rrset() when DNSSEC is enabled. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset(). (CVE-2020-25687)

Affected Software

Pi-hole Ad-Blocker FTL versions prior to 5.5.

Detection Method

Checks if a vulnerable version is present on the target host.
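A version comparison of the kind this detection method relies on, written here as an added Python example rather than Mageni's own plugin code. It assumes the FTL version is reported as a dotted numeric string with an optional leading 'v' (for instance 'v5.3.1'); the page does not say how the scanner obtains that string from the target, so the sample banners below are constructed. Anything it cannot parse (such as a development build tag) is reported as unknown rather than treated as patched.

```python
import re
from typing import Optional, Tuple

# Fixed release from the advisory: FTL 5.5 and later are not affected.
FIXED_VERSION = "5.5"

# Optional leading "v", then a dotted numeric version; any trailing suffix
# (build tag, hash) is ignored. The format is an assumption, not taken from the page.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of a version string, or None if none are found."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two numeric tuples, padding the shorter with zeros so 5.5 == 5.5.0."""
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


def is_vulnerable_ftl(version_text: str) -> Optional[bool]:
    """True if the reported FTL version is below the fixed release, False if not.

    Returns None when the version cannot be parsed, so the caller can flag the
    host as 'unknown' instead of silently recording it as not affected.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    return compare_versions(parsed, parse_version(FIXED_VERSION)) < 0


# Constructed sample banners for illustration; not real scan output.
SAMPLE_BANNERS = {
    "host-a": "v5.3.1",
    "host-b": "v5.5",
    "host-c": "5.6.2",
    "host-d": "vDev-e5c8d0f",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        state = is_vulnerable_ftl(banner)
        label = {True: "VULNERABLE", False: "not affected", None: "unknown"}[state]
        print(f"{host}: FTL {banner} -> {label}")
```

Padding with zeros matters because the fixed version is given as '5.5' while installations report three components; without it '5.5' and '5.5.0' would compare unequal. The three-state result keeps an unparseable banner from being counted as a clean host.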

Solution

Update to FTL version 5.5 or later.