Bug 2044427 (CVE-2020-19860)

Summary: CVE-2020-19860 ldns: heap overread vulnerability via zone file
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: paul.wouters, pemensik, rlescak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ldns-1.8.0, ldns-1.8.1 Doc Type: If docs needed, set a value
Doc Text:
A heap out-of-bounds read flaw was found in ldns, specifically within the ldns_rr_new_frm_str_internal function. This flaw allows an attacker to leak information on the heap by creating a malicious zone file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-16 16:43:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2044428, 2051210, 2051211    
Bug Blocks: 2044431    

Description Sandipan Roy 2022-01-24 15:28:58 UTC 
When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_internal function has a heap out of bounds read vulnerability. An attacker can leak information on the heap by constructing a zone file payload.

https://github.com/NLnetLabs/ldns/issues/50
https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3
Comment 1 Sandipan Roy 2022-01-24 15:29:14 UTC 
Created ldns tracking bugs for this issue:

Affects: fedora-all [bug 2044428]
Comment 6 Paul Wouters 2023-07-11 00:51:24 UTC 
I cannot close this bug. Someone please close this. It's ancient and old and resolved in all branches years ago