Bug 1831763 (CVE-2020-6831)

Summary: CVE-2020-6831 usrsctp: Buffer overflow in AUTH chunk input validation
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cschalle, erack, gecko-bugs-nobody, jhorak, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firefox 68.8, thunderbird 68.8.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Mozilla Firefox and Thunderbird. When parsing and validating SCTP chunks in WebRTC a memory buffer overflow could occur leading to memory corruption and an exploitable crash. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-06 10:32:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1828972, 1828973, 1828974, 1828975, 1828976, 1828977, 1828978, 1831592, 1831593, 1831594, 1831595, 1831596, 1831597, 1831598, 1832489    
Bug Blocks: 1828970    

Description msiddiqu 2020-05-05 15:14:29 UTC 
A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-6831
Comment 1 msiddiqu 2020-05-05 15:14:36 UTC 
Acknowledgments:

Name: the Mozilla project
Upstream: Natalie Silvanovich (Google Project Zero)
Comment 2 errata-xmlrpc 2020-05-06 08:10:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2033 https://access.redhat.com/errata/RHSA-2020:2033
Comment 3 errata-xmlrpc 2020-05-06 08:26:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2032 https://access.redhat.com/errata/RHSA-2020:2032
Comment 4 errata-xmlrpc 2020-05-06 08:43:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2031 https://access.redhat.com/errata/RHSA-2020:2031
Comment 5 Product Security DevOps Team 2020-05-06 10:32:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-6831
Comment 6 errata-xmlrpc 2020-05-06 10:42:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2037 https://access.redhat.com/errata/RHSA-2020:2037
Comment 7 errata-xmlrpc 2020-05-06 10:45:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2036 https://access.redhat.com/errata/RHSA-2020:2036
Comment 8 Tomas Hoger 2020-05-06 21:49:05 UTC 
This issue was also fixed in Google Chrome 81.0.4044.138:

https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1073602

Related fixes as applied to Mozilla mercurial repo:

https://hg.mozilla.org/releases/mozilla-release/rev/35616be71c33a7a4707b3a2f42af9b67d8ddcdb9
https://hg.mozilla.org/releases/mozilla-release/rev/e3b02434661ad795beea1baccce52f589bdc0269

The fix in usrsctp upstream git repo:

https://github.com/sctplab/usrsctp/commit/858d2f73019f73bd2c1691bab75c2022640b82e7
Comment 10 errata-xmlrpc 2020-05-11 08:54:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2048 https://access.redhat.com/errata/RHSA-2020:2048
Comment 11 errata-xmlrpc 2020-05-11 09:05:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2047 https://access.redhat.com/errata/RHSA-2020:2047
Comment 12 errata-xmlrpc 2020-05-11 09:25:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2046 https://access.redhat.com/errata/RHSA-2020:2046
Comment 13 errata-xmlrpc 2020-05-11 09:34:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2049 https://access.redhat.com/errata/RHSA-2020:2049
Comment 14 errata-xmlrpc 2020-05-11 09:51:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2050 https://access.redhat.com/errata/RHSA-2020:2050
Comment 15 errata-xmlrpc 2020-05-11 21:24:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2020:2064 https://access.redhat.com/errata/RHSA-2020:2064