The inputs to `sctp_load_addresses_from_init` are verified by `sctp_arethere_unrecognized_parameters`; however, the two functions handled parameter bounds differently, resulting in out of bounds reads when parameters are partially outside a chunk.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2019-20503
Acknowledgments:
Name: the Mozilla project
Upstream: Natalie Silvanovich (Google Project Zero)
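The mismatch described above, a validator and a consumer that disagree about where a parameter ends, cannot arise when both walk the chunk through one bounds-checked iterator. The C code below is an added example, not code from usrsctp or from this bug report; the function names are hypothetical, and the parameter layout (16-bit type, 16-bit length, 4-byte padding, IPv4 address parameter type 5) is taken from RFC 4960.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PARAM_HDR_LEN 4u /* 16-bit type + 16-bit length, big-endian (RFC 4960) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical shared walker: 1 = parameter returned, 0 = clean end of chunk,
 * -1 = malformed (truncated header, or value partially outside the chunk). */
int next_param(const uint8_t *chunk, size_t chunk_len, size_t *off,
               uint16_t *type, const uint8_t **val, size_t *val_len)
{
    size_t remaining = chunk_len - *off, plen, padded; /* *off <= chunk_len always */
    if (remaining == 0) return 0;
    if (remaining < PARAM_HDR_LEN) return -1;
    plen = be16(chunk + *off + 2);           /* length covers header + value */
    if (plen < PARAM_HDR_LEN || plen > remaining) return -1;
    *type = be16(chunk + *off);
    *val = chunk + *off + PARAM_HDR_LEN;
    *val_len = plen - PARAM_HDR_LEN;
    padded = (plen + 3u) & ~(size_t)3u;      /* parameters are 4-byte aligned */
    *off += padded < remaining ? padded : remaining;
    return 1;
}

/* Validator: number of well-formed parameters, or -1 if any is malformed. */
int validate_params(const uint8_t *chunk, size_t chunk_len)
{
    size_t off = 0, vlen; uint16_t type; const uint8_t *val; int n = 0, rc;
    while ((rc = next_param(chunk, chunk_len, &off, &type, &val, &vlen)) == 1) n++;
    return rc < 0 ? -1 : n;
}

/* Consumer: collects IPv4 address parameters using the same walker and limits. */
int load_ipv4_addrs(const uint8_t *chunk, size_t chunk_len, uint32_t *out, int max)
{
    size_t off = 0, vlen; uint16_t type; const uint8_t *val; int n = 0, rc;
    while ((rc = next_param(chunk, chunk_len, &off, &type, &val, &vlen)) == 1)
        if (type == 5 && vlen == 4 && n < max)
            out[n++] = ((uint32_t)be16(val) << 16) | be16(val + 2);
    return rc < 0 ? -1 : n;
}

int main(void)
{   /* constructed sample: one IPv4 parameter, then one cut off after 6 bytes */
    static const uint8_t c[] = {0,5,0,8, 192,0,2,1, 0,5,0,8, 192,0};
    printf("validate=%d\n", validate_params(c, sizeof c));
    return 0;
}
```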
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0815 https://access.redhat.com/errata/RHSA-2020:0815
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0816 https://access.redhat.com/errata/RHSA-2020:0816
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20503
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0819 https://access.redhat.com/errata/RHSA-2020:0819
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0820 https://access.redhat.com/errata/RHSA-2020:0820
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0905 https://access.redhat.com/errata/RHSA-2020:0905
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0918 https://access.redhat.com/errata/RHSA-2020:0918
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0919 https://access.redhat.com/errata/RHSA-2020:0919
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0914 https://access.redhat.com/errata/RHSA-2020:0914
This issue was also fixed in Google Chrome 80.0.3987.149:
https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html
https://bugs.chromium.org/p/chromium/issues/detail?id=1059349

The fix as applied to Mozilla mercurial repo:
https://hg.mozilla.org/releases/mozilla-release/rev/23240642f474d6b4e435b509ab0885fe79759a3d

The fix in usrsctp upstream git repo:
https://github.com/sctplab/usrsctp/commit/790a7a2
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2020:1270 https://access.redhat.com/errata/RHSA-2020:1270