Bug 2028468 (CVE-2020-19861)

Summary: CVE-2020-19861 ldns: Heap out-of-bound read vulnerability in ldns_nsec3_salt_data function
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: paul.wouters, pemensik, rlescak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-14 07:08:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2028469    
Bug Blocks: 2028476    

Description Pedro Sampaio 2021-12-02 12:44:50 UTC 
In ldns before 1.8.0 when the zone file is parsed, the function ldns_nsec3_salt_data is too trusted for the length value obtained from the zone file. When the memcpy is copied, the 0xfe - ldns_rdf_size(salt_rdf) byte data can be copied, causing heap information leakage.

References:

https://github.com/NLnetLabs/ldns/blob/d3955248eb409b6af0cc6f33e3d458e7f1f555cf/Changelog
https://github.com/NLnetLabs/ldns/issues/51
Comment 1 Pedro Sampaio 2021-12-02 12:45:05 UTC 
Created ldns tracking bugs for this issue:

Affects: fedora-all [bug 2028469]