CVE-2020-25682: 
NixOS vulnerability analysis and mitigation

CVE-2020-25682 is a buffer overflow vulnerability discovered in dnsmasq before version 2.83. The vulnerability exists in the way dnsmasq extracts names from DNS packets before validating them with DNSSEC data. The flaw was discovered in January 2021 and affects the rfc1035.c:extract_name() function (NVD, Red Hat).

The vulnerability occurs in the extractname() function, which writes data to memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, extractname() can be passed an offset from the base buffer, reducing the actual number of available bytes that can be written, potentially leading to a buffer overflow. The vulnerability has a CVSS v3.1 base score of 8.1 HIGH (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

An attacker who can create valid DNS replies could exploit this vulnerability to cause an overflow with arbitrary data in heap-allocated memory, potentially executing arbitrary code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (NVD, Red Hat).

The vulnerability was fixed in dnsmasq version 2.83. For systems unable to update immediately, the only known mitigation is to disable DNSSEC altogether by removing the --dnssec command line option or the dnssec option from the dnsmasq configuration file (Red Hat).

The vulnerability was part of a larger set of vulnerabilities dubbed 'DNSpooq' discovered by researchers Moshe Kol and Shlomi Oberman from JSOF. Multiple vendors including Red Hat, Debian, and Fedora quickly released security advisories and patches to address the vulnerability (JSOF).