Fix stack buffer overflow in get_process_name()#2821
Merged
Conversation
readlink() was called with PROC_PATH_SIZ (32) as the buffer size limit, allowing it to fill all 32 bytes. The subsequent null-termination `name[len] = '\0'` then wrote one byte past the buffer end when the symlink target was >= 32 characters, corrupting the stack canary and causing a SIGSEGV via __stack_chk_fail. This was triggered in set_dnsmasq_debug() which allocates exactly PROC_PATH_SIZ bytes for the name buffer. The housekeeper thread would crash immediately when a debugger (gdb/valgrind) was attached, because it tries to read the debugger's process name via /proc/<pid>/exe. This is not the root cause of #2786 (heap corruption in civetweb-worker threads) but it blocks anyone from debugging that issue under gdb. Fix: pass PROC_PATH_SIZ - 1 to readlink(), reserving one byte for the null terminator. See #2786 Signed-off-by: Dominik <dl6er@dl6er.de>
Signed-off-by: Dominik <dl6er@dl6er.de>
yubiuser
approved these changes
Mar 28, 2026
|
This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/pi-hole-ftl-v6-6-web-v6-5-and-core-v6-4-1-released/85626/1 |
github-actions Bot
pushed a commit
to bigbeartechworld/big-bear-universal-apps
that referenced
this pull request
Apr 5, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [jacklul/pihole](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `2026.02.0` → `2026.04.0` | --- ### Release Notes <details> <summary>pi-hole/docker-pi-hole (jacklul/pihole)</summary> ### [`v2026.04.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.04.0) [Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.02.0...2026.04.0) <!-- Release notes generated using configuration in .github/release.yml at master --> #### What's Changed (Docker Specific - all related to CI/build) - Group dependabot PRs to reduce PR spam by [@​yubiuser](https://redirect.github.com/yubiuser) in [#​2004](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2004) - ci: switch image publishing to docker/github-builder by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008) - Readme Rework by [@​PromoFaux](https://redirect.github.com/PromoFaux) in [#​1958](https://redirect.github.com/pi-hole/docker-pi-hole/pull/1958) - Replace Python test suite with BATS and consolidate workflows by [@​PromoFaux](https://redirect.github.com/PromoFaux) in [#​2009](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2009) - Add timeout to curl command in branch validation by [@​RynoCODE](https://redirect.github.com/RynoCODE) in [#​2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011) - Use bats-assert library functions in BATS test suite by [@​Copilot](https://redirect.github.com/Copilot) in [#​2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018) - ci: run build job on pull request event by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​2021](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2021) - Update github-builder to v1.5.0 and enable fail-fast by [@​yubiuser](https://redirect.github.com/yubiuser) in [#​2022](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2022) #### New Contributors - [@​crazy-max](https://redirect.github.com/crazy-max) made their first contribution in [#​2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008) - [@​RynoCODE](https://redirect.github.com/RynoCODE) made their first contribution in [#​2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011) - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [#​2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018) **Full Changelog**: <pi-hole/docker-pi-hole@2026.02.0...2026.04.0> #### Component Release Notes <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (FTL v6.6) - Fix possible resolver issue on armv5tel by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2781](https://redirect.github.com/pi-hole/FTL/pull/2781) - Introduce CMake options for optional dependencies by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795) - Fix build without mbedtls \[v2] by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2796](https://redirect.github.com/pi-hole/FTL/pull/2796) - Fix overTime data when database.DBimport = false by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2788](https://redirect.github.com/pi-hole/FTL/pull/2788) - Fix cross-compilation issues w/ custom toolchain by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2797](https://redirect.github.com/pi-hole/FTL/pull/2797) - Add new option for controling name resolution via MAC address by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2790](https://redirect.github.com/pi-hole/FTL/pull/2790) - Fix obtaining client groups by name by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2791](https://redirect.github.com/pi-hole/FTL/pull/2791) - Ensure API sessions are restored before starting the HTTP server by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2803](https://redirect.github.com/pi-hole/FTL/pull/2803) - Add form-action 'self' to Content-Security-Policy by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2804](https://redirect.github.com/pi-hole/FTL/pull/2804) - Add query\_frequency to /padd endpoint by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2806](https://redirect.github.com/pi-hole/FTL/pull/2806) - Guard query-count counters against unsigned underflow by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2815](https://redirect.github.com/pi-hole/FTL/pull/2815) - Add universal crash backtrace via \_Unwind\_Backtrace by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2811](https://redirect.github.com/pi-hole/FTL/pull/2811) - config: show totp\_secret presence in CLI output by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2813](https://redirect.github.com/pi-hole/FTL/pull/2813) - Fix client count inflation for rate-limited queries by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2814](https://redirect.github.com/pi-hole/FTL/pull/2814) - Fix stack buffer overflow in get\_process\_name() by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2821](https://redirect.github.com/pi-hole/FTL/pull/2821) - Do not restart FTL while `pihole -g` is still ongoing by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2419](https://redirect.github.com/pi-hole/FTL/pull/2419) #### Security Advisories - [GHSA-r7g8-3fj7-m5qq - Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq) reported by [@​mzalzahrani](https://redirect.github.com/mzalzahrani) - Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by [@​T0X1Cx](https://redirect.github.com/T0X1Cx) - [pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c) - [pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp) - [pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m) - [pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj) - [pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj) #### New Contributors - [@​aeolio](https://redirect.github.com/aeolio) made their first contribution in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795) **Full Changelog**: <pi-hole/FTL@v6.5...v6.6> <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (Web v6.5) - Amend teleporter help text that the long-term data is not included by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3721](https://redirect.github.com/pi-hole/web/pull/3721) - Do not use 3 columns when boxed layout is used by [@​rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/web#3722](https://redirect.github.com/pi-hole/web/pull/3722) - Use <kbd>ENTER</kbd> instead of <kbd>⏎</kbd> by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3727](https://redirect.github.com/pi-hole/web/pull/3727) - Don't link to github releases if docker tag is nightly by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3718](https://redirect.github.com/pi-hole/web/pull/3718) - Do not try to compare component version when remote version info is not available by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3729](https://redirect.github.com/pi-hole/web/pull/3729) - Show loading overlay when adding/removing CNAME records as it requires a FTL restart by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3742](https://redirect.github.com/pi-hole/web/pull/3742) - fix: check on responseJSON when wrong password by [@​guybrush2105](https://redirect.github.com/guybrush2105) in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693) - Remove the loggingButton from Settings > System > Actions by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3747](https://redirect.github.com/pi-hole/web/pull/3747) #### Security Advisories - Multiple Stored HTML Injections and XSS in different web interface pages reported by [@​andrejtomci](https://redirect.github.com/andrejtomci) - [GHSA-jx8x-mj2r-62vq - Stored HTML Injection in queries.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq) - [GHSA-9rfm-c5g6-538p - Stored HTML attribute injection](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p) - [GHSA-px6w-85wp-ww9v - Stored XSS / HTML injection in the Network page/Dashboard](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v) - [GHSA-7xqw-r9pr-qv59 - Reflected XSS / HTML injection in taillog.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59) (Also reported by [@​n1rwhex](https://redirect.github.com/n1rwhex) and [@​mzalzahrani](https://redirect.github.com/mzalzahrani)) #### New Contributors - [@​guybrush2105](https://redirect.github.com/guybrush2105) made their first contribution in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693) **Full Changelog**: <pi-hole/web@v6.4.1...v6.5> <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (Core v6.4.1) - Remove additional ':' from debug log system time output by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6551](https://redirect.github.com/pi-hole/pi-hole/pull/6551) - Remove `readonly` from piholeNetworkFlush.sh to avoid error message by [@​rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6554](https://redirect.github.com/pi-hole/pi-hole/pull/6554) - Add antigravity index by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/pi-hole#6573](https://redirect.github.com/pi-hole/pi-hole/pull/6573) - Fix return status capture of FTL check\_download exists by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6572](https://redirect.github.com/pi-hole/pi-hole/pull/6572) - Remove misleading TODO comment for SetWebPassword by [@​10adnan75](https://redirect.github.com/10adnan75) in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531) #### Security Advisories - [GHSA-c935-8g63-qp74 – Local Privilege Escalation](https://redirect.github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74) reported by [@​smittix](https://redirect.github.com/smittix) #### New Contributors - [@​10adnan75](https://redirect.github.com/10adnan75) made their first contribution in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531) - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [pi-hole/pi-hole#6580](https://redirect.github.com/pi-hole/pi-hole/pull/6580) **Full Changelog**: <pi-hole/pi-hole@v6.4...v6.4.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsInJlbm92YXRlIl19-->
github-actions Bot
pushed a commit
to bigbeartechworld/big-bear-universal-apps
that referenced
this pull request
Apr 5, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [pihole/pihole](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `2026.02.0` → `2026.04.0` | --- ### Release Notes <details> <summary>pi-hole/docker-pi-hole (pihole/pihole)</summary> ### [`v2026.04.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.04.0) [Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.02.0...2026.04.0) <!-- Release notes generated using configuration in .github/release.yml at master --> #### What's Changed (Docker Specific - all related to CI/build) - Group dependabot PRs to reduce PR spam by [@​yubiuser](https://redirect.github.com/yubiuser) in [#​2004](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2004) - ci: switch image publishing to docker/github-builder by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008) - Readme Rework by [@​PromoFaux](https://redirect.github.com/PromoFaux) in [#​1958](https://redirect.github.com/pi-hole/docker-pi-hole/pull/1958) - Replace Python test suite with BATS and consolidate workflows by [@​PromoFaux](https://redirect.github.com/PromoFaux) in [#​2009](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2009) - Add timeout to curl command in branch validation by [@​RynoCODE](https://redirect.github.com/RynoCODE) in [#​2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011) - Use bats-assert library functions in BATS test suite by [@​Copilot](https://redirect.github.com/Copilot) in [#​2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018) - ci: run build job on pull request event by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​2021](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2021) - Update github-builder to v1.5.0 and enable fail-fast by [@​yubiuser](https://redirect.github.com/yubiuser) in [#​2022](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2022) #### New Contributors - [@​crazy-max](https://redirect.github.com/crazy-max) made their first contribution in [#​2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008) - [@​RynoCODE](https://redirect.github.com/RynoCODE) made their first contribution in [#​2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011) - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [#​2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018) **Full Changelog**: <pi-hole/docker-pi-hole@2026.02.0...2026.04.0> #### Component Release Notes <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (FTL v6.6) - Fix possible resolver issue on armv5tel by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2781](https://redirect.github.com/pi-hole/FTL/pull/2781) - Introduce CMake options for optional dependencies by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795) - Fix build without mbedtls \[v2] by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2796](https://redirect.github.com/pi-hole/FTL/pull/2796) - Fix overTime data when database.DBimport = false by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2788](https://redirect.github.com/pi-hole/FTL/pull/2788) - Fix cross-compilation issues w/ custom toolchain by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2797](https://redirect.github.com/pi-hole/FTL/pull/2797) - Add new option for controling name resolution via MAC address by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2790](https://redirect.github.com/pi-hole/FTL/pull/2790) - Fix obtaining client groups by name by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2791](https://redirect.github.com/pi-hole/FTL/pull/2791) - Ensure API sessions are restored before starting the HTTP server by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2803](https://redirect.github.com/pi-hole/FTL/pull/2803) - Add form-action 'self' to Content-Security-Policy by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2804](https://redirect.github.com/pi-hole/FTL/pull/2804) - Add query\_frequency to /padd endpoint by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2806](https://redirect.github.com/pi-hole/FTL/pull/2806) - Guard query-count counters against unsigned underflow by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2815](https://redirect.github.com/pi-hole/FTL/pull/2815) - Add universal crash backtrace via \_Unwind\_Backtrace by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2811](https://redirect.github.com/pi-hole/FTL/pull/2811) - config: show totp\_secret presence in CLI output by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2813](https://redirect.github.com/pi-hole/FTL/pull/2813) - Fix client count inflation for rate-limited queries by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2814](https://redirect.github.com/pi-hole/FTL/pull/2814) - Fix stack buffer overflow in get\_process\_name() by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2821](https://redirect.github.com/pi-hole/FTL/pull/2821) - Do not restart FTL while `pihole -g` is still ongoing by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2419](https://redirect.github.com/pi-hole/FTL/pull/2419) #### Security Advisories - [GHSA-r7g8-3fj7-m5qq - Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq) reported by [@​mzalzahrani](https://redirect.github.com/mzalzahrani) - Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by [@​T0X1Cx](https://redirect.github.com/T0X1Cx) - [pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c) - [pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp) - [pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m) - [pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj) - [pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj) #### New Contributors - [@​aeolio](https://redirect.github.com/aeolio) made their first contribution in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795) **Full Changelog**: <pi-hole/FTL@v6.5...v6.6> <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (Web v6.5) - Amend teleporter help text that the long-term data is not included by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3721](https://redirect.github.com/pi-hole/web/pull/3721) - Do not use 3 columns when boxed layout is used by [@​rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/web#3722](https://redirect.github.com/pi-hole/web/pull/3722) - Use <kbd>ENTER</kbd> instead of <kbd>⏎</kbd> by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3727](https://redirect.github.com/pi-hole/web/pull/3727) - Don't link to github releases if docker tag is nightly by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3718](https://redirect.github.com/pi-hole/web/pull/3718) - Do not try to compare component version when remote version info is not available by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3729](https://redirect.github.com/pi-hole/web/pull/3729) - Show loading overlay when adding/removing CNAME records as it requires a FTL restart by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3742](https://redirect.github.com/pi-hole/web/pull/3742) - fix: check on responseJSON when wrong password by [@​guybrush2105](https://redirect.github.com/guybrush2105) in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693) - Remove the loggingButton from Settings > System > Actions by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3747](https://redirect.github.com/pi-hole/web/pull/3747) #### Security Advisories - Multiple Stored HTML Injections and XSS in different web interface pages reported by [@​andrejtomci](https://redirect.github.com/andrejtomci) - [GHSA-jx8x-mj2r-62vq - Stored HTML Injection in queries.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq) - [GHSA-9rfm-c5g6-538p - Stored HTML attribute injection](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p) - [GHSA-px6w-85wp-ww9v - Stored XSS / HTML injection in the Network page/Dashboard](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v) - [GHSA-7xqw-r9pr-qv59 - Reflected XSS / HTML injection in taillog.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59) (Also reported by [@​n1rwhex](https://redirect.github.com/n1rwhex) and [@​mzalzahrani](https://redirect.github.com/mzalzahrani)) #### New Contributors - [@​guybrush2105](https://redirect.github.com/guybrush2105) made their first contribution in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693) **Full Changelog**: <pi-hole/web@v6.4.1...v6.5> <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (Core v6.4.1) - Remove additional ':' from debug log system time output by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6551](https://redirect.github.com/pi-hole/pi-hole/pull/6551) - Remove `readonly` from piholeNetworkFlush.sh to avoid error message by [@​rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6554](https://redirect.github.com/pi-hole/pi-hole/pull/6554) - Add antigravity index by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/pi-hole#6573](https://redirect.github.com/pi-hole/pi-hole/pull/6573) - Fix return status capture of FTL check\_download exists by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6572](https://redirect.github.com/pi-hole/pi-hole/pull/6572) - Remove misleading TODO comment for SetWebPassword by [@​10adnan75](https://redirect.github.com/10adnan75) in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531) #### Security Advisories - [GHSA-c935-8g63-qp74 – Local Privilege Escalation](https://redirect.github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74) reported by [@​smittix](https://redirect.github.com/smittix) #### New Contributors - [@​10adnan75](https://redirect.github.com/10adnan75) made their first contribution in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531) - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [pi-hole/pi-hole#6580](https://redirect.github.com/pi-hole/pi-hole/pull/6580) **Full Changelog**: <pi-hole/pi-hole@v6.4...v6.4.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsInJlbm92YXRlIl19-->
github-actions Bot
pushed a commit
to bigbeartechworld/big-bear-universal-apps
that referenced
this pull request
Apr 7, 2026
…ag to v2026.04.0 This PR contains the following updates: | Package | Update | Change | |---|---|---| | [bigbeartechworld/big-bear-pihole-unbound](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `2026.02.0` → `2026.04.0` | --- ### Release Notes <details> <summary>pi-hole/docker-pi-hole (bigbeartechworld/big-bear-pihole-unbound)</summary> ### [`v2026.04.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.04.0) [Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.02.0...2026.04.0) <!-- Release notes generated using configuration in .github/release.yml at master --> #### What's Changed (Docker Specific - all related to CI/build) - Group dependabot PRs to reduce PR spam by [@​yubiuser](https://redirect.github.com/yubiuser) in [#​2004](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2004) - ci: switch image publishing to docker/github-builder by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008) - Readme Rework by [@​PromoFaux](https://redirect.github.com/PromoFaux) in [#​1958](https://redirect.github.com/pi-hole/docker-pi-hole/pull/1958) - Replace Python test suite with BATS and consolidate workflows by [@​PromoFaux](https://redirect.github.com/PromoFaux) in [#​2009](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2009) - Add timeout to curl command in branch validation by [@​RynoCODE](https://redirect.github.com/RynoCODE) in [#​2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011) - Use bats-assert library functions in BATS test suite by [@​Copilot](https://redirect.github.com/Copilot) in [#​2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018) - ci: run build job on pull request event by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​2021](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2021) - Update github-builder to v1.5.0 and enable fail-fast by [@​yubiuser](https://redirect.github.com/yubiuser) in [#​2022](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2022) #### New Contributors - [@​crazy-max](https://redirect.github.com/crazy-max) made their first contribution in [#​2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008) - [@​RynoCODE](https://redirect.github.com/RynoCODE) made their first contribution in [#​2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011) - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [#​2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018) **Full Changelog**: <pi-hole/docker-pi-hole@2026.02.0...2026.04.0> #### Component Release Notes <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (FTL v6.6) - Fix possible resolver issue on armv5tel by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2781](https://redirect.github.com/pi-hole/FTL/pull/2781) - Introduce CMake options for optional dependencies by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795) - Fix build without mbedtls \[v2] by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2796](https://redirect.github.com/pi-hole/FTL/pull/2796) - Fix overTime data when database.DBimport = false by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2788](https://redirect.github.com/pi-hole/FTL/pull/2788) - Fix cross-compilation issues w/ custom toolchain by [@​aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2797](https://redirect.github.com/pi-hole/FTL/pull/2797) - Add new option for controling name resolution via MAC address by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2790](https://redirect.github.com/pi-hole/FTL/pull/2790) - Fix obtaining client groups by name by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2791](https://redirect.github.com/pi-hole/FTL/pull/2791) - Ensure API sessions are restored before starting the HTTP server by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2803](https://redirect.github.com/pi-hole/FTL/pull/2803) - Add form-action 'self' to Content-Security-Policy by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2804](https://redirect.github.com/pi-hole/FTL/pull/2804) - Add query\_frequency to /padd endpoint by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2806](https://redirect.github.com/pi-hole/FTL/pull/2806) - Guard query-count counters against unsigned underflow by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2815](https://redirect.github.com/pi-hole/FTL/pull/2815) - Add universal crash backtrace via \_Unwind\_Backtrace by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2811](https://redirect.github.com/pi-hole/FTL/pull/2811) - config: show totp\_secret presence in CLI output by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2813](https://redirect.github.com/pi-hole/FTL/pull/2813) - Fix client count inflation for rate-limited queries by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2814](https://redirect.github.com/pi-hole/FTL/pull/2814) - Fix stack buffer overflow in get\_process\_name() by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2821](https://redirect.github.com/pi-hole/FTL/pull/2821) - Do not restart FTL while `pihole -g` is still ongoing by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2419](https://redirect.github.com/pi-hole/FTL/pull/2419) #### Security Advisories - [GHSA-r7g8-3fj7-m5qq - Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq) reported by [@​mzalzahrani](https://redirect.github.com/mzalzahrani) - Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by [@​T0X1Cx](https://redirect.github.com/T0X1Cx) - [pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c) - [pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp) - [pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m) - [pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj) - [pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj) #### New Contributors - [@​aeolio](https://redirect.github.com/aeolio) made their first contribution in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795) **Full Changelog**: <pi-hole/FTL@v6.5...v6.6> <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (Web v6.5) - Amend teleporter help text that the long-term data is not included by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3721](https://redirect.github.com/pi-hole/web/pull/3721) - Do not use 3 columns when boxed layout is used by [@​rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/web#3722](https://redirect.github.com/pi-hole/web/pull/3722) - Use <kbd>ENTER</kbd> instead of <kbd>⏎</kbd> by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3727](https://redirect.github.com/pi-hole/web/pull/3727) - Don't link to github releases if docker tag is nightly by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3718](https://redirect.github.com/pi-hole/web/pull/3718) - Do not try to compare component version when remote version info is not available by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3729](https://redirect.github.com/pi-hole/web/pull/3729) - Show loading overlay when adding/removing CNAME records as it requires a FTL restart by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3742](https://redirect.github.com/pi-hole/web/pull/3742) - fix: check on responseJSON when wrong password by [@​guybrush2105](https://redirect.github.com/guybrush2105) in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693) - Remove the loggingButton from Settings > System > Actions by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3747](https://redirect.github.com/pi-hole/web/pull/3747) #### Security Advisories - Multiple Stored HTML Injections and XSS in different web interface pages reported by [@​andrejtomci](https://redirect.github.com/andrejtomci) - [GHSA-jx8x-mj2r-62vq - Stored HTML Injection in queries.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq) - [GHSA-9rfm-c5g6-538p - Stored HTML attribute injection](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p) - [GHSA-px6w-85wp-ww9v - Stored XSS / HTML injection in the Network page/Dashboard](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v) - [GHSA-7xqw-r9pr-qv59 - Reflected XSS / HTML injection in taillog.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59) (Also reported by [@​n1rwhex](https://redirect.github.com/n1rwhex) and [@​mzalzahrani](https://redirect.github.com/mzalzahrani)) #### New Contributors - [@​guybrush2105](https://redirect.github.com/guybrush2105) made their first contribution in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693) **Full Changelog**: <pi-hole/web@v6.4.1...v6.5> <!-- Release notes generated using configuration in .github/release.yml at development --> #### What's Changed (Core v6.4.1) - Remove additional ':' from debug log system time output by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6551](https://redirect.github.com/pi-hole/pi-hole/pull/6551) - Remove `readonly` from piholeNetworkFlush.sh to avoid error message by [@​rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6554](https://redirect.github.com/pi-hole/pi-hole/pull/6554) - Add antigravity index by [@​DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/pi-hole#6573](https://redirect.github.com/pi-hole/pi-hole/pull/6573) - Fix return status capture of FTL check\_download exists by [@​yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6572](https://redirect.github.com/pi-hole/pi-hole/pull/6572) - Remove misleading TODO comment for SetWebPassword by [@​10adnan75](https://redirect.github.com/10adnan75) in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531) #### Security Advisories - [GHSA-c935-8g63-qp74 – Local Privilege Escalation](https://redirect.github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74) reported by [@​smittix](https://redirect.github.com/smittix) #### New Contributors - [@​10adnan75](https://redirect.github.com/10adnan75) made their first contribution in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531) - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [pi-hole/pi-hole#6580](https://redirect.github.com/pi-hole/pi-hole/pull/6580) **Full Changelog**: <pi-hole/pi-hole@v6.4...v6.4.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsInJlbm92YXRlIl19-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this implement/fix?
readlink()was called withPROC_PATH_SIZ(32) as the buffer size limit, allowing it to fill all 32 bytes. The subsequent null-terminationname[len] = '\0'then wrote one byte past the buffer end when the symlink target was >= 32 characters, corrupting the stack canary and causing aSIGSEGVvia__stack_chk_fail.This was triggered in
set_dnsmasq_debug()which allocates exactlyPROC_PATH_SIZbytes for the name buffer. The housekeeper thread would crash immediately when a debugger (gdb/valgrind) was attached and the path to debug being very long, because it tries to read the debugger's process name via/proc/<pid>/exe.This is not the root cause of #2786 (current assumption: heap corruption in
civetweb-workerthreads) but it blocks from debugging that issue undergdbin specific setups.The fix is simple: tell
readlink()to use at most one byte less, reserving one byte for the terminator and increase the buffer size.See #2786
Related issue or feature (if applicable): N/A
Pull request in docs with documentation (if applicable): N/A
By submitting this pull request, I confirm the following:
git rebase)Checklist:
developmentbranch.