Fix dnsmasq CVE publications#2888
Merged
Conversation
All buffers capable of holding a domain name should be at least MAXDNAME*2 + 1 bytes long, where MAXDNAME is the maximum size of a domain name. This accounts for the trailing zero and the fact that some characters are escaped in the internal representation of a domain name in dnsmasq. The declaration of struct bigname gets this wrong, with the effect that a remote attacker capable of asking DNS queries or answering DNS queries can cause a large OOB write in the heap. This was first spotted by Andrew S. Fasano.
Report from Royce M <royce@xchglabs.com>. Location: dnssec.c:1290-1306, dnssec.c:1450-1463 The bitmap window iteration advances by p[1] instead of p[1]+2 (missing the 2-byte window header). With bitmap_length=0, both rdlen and p are unchanged, causing an infinite loop and dnsmasq stops responding to all queries. Reachable before RRSIG validation (confirmed by the source comment at line 2125), so no valid DNSSEC signatures are needed.
Bug report from Royce M <royce@xchglabs.com> This avoids crafted packets which give a value for rdlen _less_ than the space taken up by the fixed data and the signer's name and engender a negative calculated length for the signature.
Bug reported by Royce M <royce@xchglabs.com>
Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
Bug report from Royce M <royce@xchglabs.com> Location: forward.c:713, edns0.c:421 With --add-subnet enabled, process_reply() passes the OPT record length (~23 bytes) instead of the packet length to check_source(). All internal bounds checks fail, and the function always returns 1. ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
Thanks to Hugo Martinez Ray for spotting this. The value of rdlen for an RR can be a lie, allowing the call to extract_name() at rfc1035.c:952 to advance the value of p1 past the calculated end of the record. This makes the calculation of bytes remaining in the RR underflow to a huge number and results in a massive heap OOB read and certain crash.
Signed-off-by: Dominik <dl6er@dl6er.de>
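The NSEC type-bitmap walk from the second commit message above, written out as an added example (not dnsmasq's code): the cursor advances by the 2-byte window header plus the window length, and a zero-length window is rejected as malformed instead of being looped over. The function name, the sample bitmap (the RFC 4034 section 4.1.3 example, constructed here) and the malformed sample are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: the RFC 4034 section 4.1.3 type bitmap for
   A, MX, RRSIG, NSEC and TYPE1234 (window 0 / 6 bytes, window 4 / 27 bytes). */
static const uint8_t nsec_sample[] = {
    0x00, 0x06, 0x40, 0x01, 0x00, 0x00, 0x00, 0x03,
    0x04, 0x1b, 0,0,0,0,0,0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,0,0,0,0,0,0, 0x20 };

/* Constructed malformed bitmap: a window whose length byte is 0. */
static const uint8_t nsec_zero_len[] = { 0x00, 0x00, 0x40 };

/* Walk an NSEC type bitmap (RFC 4034 4.1.2) and test for one RR type.
   Each window is: window number (1 byte), bitmap length (1 byte, 1..32),
   then that many bitmap bytes.  Returns 1 if the type is present, 0 if
   absent, -1 if the bitmap is malformed. */
int nsec_type_present(const uint8_t *p, size_t rdlen, uint16_t type)
{
    size_t off = 0;
    int prev_window = -1;

    while (off < rdlen)
    {
        /* The 2-byte window header must fit before it is read. */
        if (rdlen - off < 2)
            return -1;
        unsigned window = p[off], len = p[off + 1];

        /* A zero-length window never advances the cursor; rejecting it is
           what turns the reported infinite loop into a parse failure. */
        if (len == 0 || len > 32)
            return -1;
        /* Windows ascend, and the bitmap must lie inside rdlen. */
        if ((int)window <= prev_window || rdlen - off - 2 < len)
            return -1;

        if ((type >> 8) == window)
        {
            unsigned bit = type & 0xff;
            if (bit / 8 >= len)
                return 0;            /* beyond this window's bytes: unset */
            return (p[off + 2 + bit / 8] >> (7 - bit % 8)) & 1;
        }
        prev_window = (int)window;
        /* Advance past header AND bitmap: 2 + len, not len alone. */
        off += 2 + len;
    }
    return 0;
}
```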
dschaper
approved these changes
May 11, 2026
Contributor
Pull request overview
This PR updates the embedded dnsmasq code within FTL to incorporate upstream security fixes referenced on the dnsmasq CVE publication page, and bumps related version/build metadata accordingly.
Changes:
- Harden DNS/DNSSEC parsing against malformed lengths/pointers (e.g., rdlen-related bounds issues) to prevent out-of-bounds behavior.
- Fix reply processing to validate ECS source checking against the full packet length.
- Update embedded dnsmasq version identifier and CI build container base image tag.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/dnsmasq/rfc1035.c | Adds an additional bound check after name extraction to detect rdlen/pointer inconsistencies. |
| src/dnsmasq/helper.c | Limits CLID hex string generation to reduce overflow risk when formatting client IDs. |
| src/dnsmasq/forward.c | Passes the correct packet length into check_source() when validating ECS responses. |
| src/dnsmasq/dnssec.c | Adds validation for computed signature length and corrects typemap iteration step sizing. |
| src/dnsmasq/dnsmasq.h | Expands union bigname storage to accommodate worst-case presentation-format name expansion. |
| CMakeLists.txt | Bumps the embedded dnsmasq version string to pi-hole-v2.92.2. |
| .github/Dockerfile | Updates the CI build image from ftl-build:v2.17 to ftl-build:v2.18. |
Comments suppressed due to low confidence (1)
src/dnsmasq/helper.c:281
- The CLID hex formatting loop truncates at 100 bytes, but the separator condition still uses `data.clid_len - 1`. When `data.clid_len > 100`, this will append a trailing ':' after the last emitted byte (since `i` never reaches `data.clid_len - 1`). Consider computing an `emit_len = min(data.clid_len, <safe_max_based_on_packet_buff_sz>)` and using `emit_len` both for the loop bound and the ':' condition to avoid a trailing separator and remove the hard-coded magic number.

```c
/* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
{
  p += sprintf(p, "%.2x", buf[i]);
  if (i != data.clid_len - 1)
    p += sprintf(p, ":");
```
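The bounded encoder the review comment asks for, as an added example rather than the PR's own helper.c code: `emit_len` is derived from the output buffer size, so the loop bound and the separator condition agree and no trailing ':' or magic number remains. `clid_to_hex`, the demo functions and the sample CLID bytes are this example's own; the 1000-byte CLID and 5131-byte buffer are the sizes quoted in the commit message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hex-encode a DHCPv6 client identifier as "aa:bb:cc" into out (out_sz
   bytes), never writing past the buffer and never leaving a trailing ':'.
   Returns how many identifier bytes were emitted. */
size_t clid_to_hex(const unsigned char *clid, size_t clid_len,
                   char *out, size_t out_sz)
{
    /* n bytes need 2n hex digits, n-1 separators and a NUL: 3n chars. */
    size_t emit_len = out_sz / 3;
    if (emit_len > clid_len)
        emit_len = clid_len;

    char *p = out;
    for (size_t i = 0; i < emit_len; i++)
    {
        p += sprintf(p, "%.2x", clid[i]);
        /* emit_len, not clid_len, decides whether a separator follows. */
        if (i != emit_len - 1)
            p += sprintf(p, ":");
    }
    if (out_sz > 0)
        *p = '\0';                     /* covers the emit_len == 0 case */
    return emit_len;
}

/* Constructed sample CLID (not captured from a real host). */
static const unsigned char sample_clid[] =
    { 0x00, 0x03, 0x00, 0x01, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };

/* Buffer sized for only 5 of the 10 bytes: output must be "00:03:00:01:aa". */
static char small_buf[16];
size_t demo_truncated(void)
{
    return clid_to_hex(sample_clid, sizeof sample_clid, small_buf, sizeof small_buf);
}

/* The commit message's numbers: a 1000-byte CLID into a 5131-byte packet
   buffer fits (3000 chars including NUL), so all 1000 bytes are emitted. */
static unsigned char big_clid[1000];
static char packet[5131];
size_t demo_packet_sized(void)
{
    memset(big_clid, 0x5a, sizeof big_clid);
    return clid_to_hex(big_clid, sizeof big_clid, packet, sizeof packet);
}
```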
yubiuser
approved these changes
May 11, 2026
github-actions Bot
pushed a commit
to bigbeartechworld/big-bear-universal-apps
that referenced
this pull request
May 12, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [pihole/pihole](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `2026.04.1` → `2026.05.0` |

### Release Notes

pi-hole/docker-pi-hole (pihole/pihole)

### [`v2026.05.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0)

[Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.04.1...2026.05.0)

This tag includes the FTL v6.6.2 release which imports six upstream `dnsmasq` security fixes, covering all publicly disclosed CVEs against the dnsmasq 2.92/2.93 line. Patches are taken verbatim from <https://thekelleys.org.uk/dnsmasq/CVE/>

Details here: <https://github.com/pi-hole/FTL/releases/tag/v6.6.2>

#### Upgrade impact

All six fixes are minimal, self-contained changes to the embedded dnsmasq sources. No FTL-side configuration or API changes; users should see no observable behavior change beyond the closed vulnerabilities.

Fix dnsmasq CVE publications by [@DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2888](https://redirect.github.com/pi-hole/FTL/pull/2888)

This furthermore indirectly fixes [#2871](https://redirect.github.com/pi-hole/docker-pi-hole/issues/2871) due to [pi-hole/docker-base-images#158](https://redirect.github.com/pi-hole/docker-base-images/pull/158)

**Full Changelog**: <pi-hole/FTL@v6.6.1...v6.6.2>

#### What's Changed (Docker Specific)

- docs: update capability documentation links by [@SirRGB](https://redirect.github.com/SirRGB) in [#2025](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2025)

#### New Contributors

- [@SirRGB](https://redirect.github.com/SirRGB) made their first contribution in [#2025](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2025)

**Full Changelog**: <pi-hole/docker-pi-hole@2026.04.0...2026.05.0>

### Configuration

- 📅 **Schedule**: (UTC) Branch creation: at any time (no schedule defined). Automerge: at any time (no schedule defined).
- 🚦 **Automerge**: Enabled.
- ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
- 🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps).
truecharts-admin
added a commit
to trueforge-org/truecharts
that referenced
this pull request
May 13, 2026
….0 (#48140) This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/pi-hole/pihole](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `1c32c36` → `70a9c11` |

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/18710) for more information. Add the preset `:preserveSemverRanges` to your config if you don't want to pin your dependencies.

### Release Notes

pi-hole/docker-pi-hole (ghcr.io/pi-hole/pihole): [`v2026.05.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0), [Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.04.1...2026.05.0). The release notes are the same as in the referencing commit above (FTL v6.6.2 importing six upstream `dnsmasq` security fixes from <https://thekelleys.org.uk/dnsmasq/CVE/>; details at <https://github.com/pi-hole/FTL/releases/tag/v6.6.2>).
### Configuration

- 📅 **Schedule**: (UTC) Branch creation: at any time (no schedule defined). Automerge: at any time (no schedule defined).
- 🚦 **Automerge**: Enabled.
- ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
github-actions Bot
pushed a commit
to bigbeartechworld/big-bear-universal-apps
that referenced
this pull request
May 16, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [jacklul/pihole](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `2026.04.1` → `2026.05.0` |

### Release Notes

pi-hole/docker-pi-hole (jacklul/pihole): [`v2026.05.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0), [Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.04.1...2026.05.0). The release notes are the same as in the first referencing commit above (FTL v6.6.2 importing six upstream `dnsmasq` security fixes from <https://thekelleys.org.uk/dnsmasq/CVE/>; details at <https://github.com/pi-hole/FTL/releases/tag/v6.6.2>).
### Configuration

- 📅 **Schedule**: (UTC) Branch creation: at any time (no schedule defined). Automerge: at any time (no schedule defined).
- 🚦 **Automerge**: Enabled.
- ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
- 🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps).
What does this implement/fix?
See https://thekelleys.org.uk/dnsmasq/CVE/ for reference. This is a security release.
Related issue or feature (if applicable): N/A
Pull request in docs with documentation (if applicable): N/A