CVE-2020-25687

Name of the Vulnerable Software and Affected Versions dnsmasq versions prior to 2.83

Description A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. The issue is caused by the lack of length checks in extract name() function in rfc1035.c, which could be abused to make the code execute memcpy() with a negative size in sort rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this issue is to system availability.

Recommendations For dnsmasq versions prior to 2.83, update to version 2.83 or later to resolve the issue. As a temporary workaround, consider disabling DNSSEC until a patch is available. Restrict access to the extract name() function in rfc1035.c to minimize the risk of exploitation. Avoid using the sort rrset() function with unvalidated input until the issue is resolved.