2044427 – (CVE-2020-19860) CVE-2020-19860 ldns: heap overread vulnerability via zone file

Bug 2044427 (CVE-2020-19860) - CVE-2020-19860 ldns: heap overread vulnerability via zone file

Summary: CVE-2020-19860 ldns: heap overread vulnerability via zone file

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-19860
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2044428 2051210 2051211
Blocks:	2044431
TreeView+	depends on / blocked

Reported:	2022-01-24 15:28 UTC by Sandipan Roy
Modified:	2023-07-16 16:43 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ldns-1.8.0, ldns-1.8.1
Doc Type:	If docs needed, set a value
Doc Text:	A heap out-of-bounds read flaw was found in ldns, specifically within the ldns_rr_new_frm_str_internal function. This flaw allows an attacker to leak information on the heap by creating a malicious zone file.
Clone Of:
Environment:
Last Closed:	2023-07-16 16:43:41 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sandipan Roy 2022-01-24 15:28:58 UTC

When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_internal function has a heap out of bounds read vulnerability. An attacker can leak information on the heap by constructing a zone file payload.

https://github.com/NLnetLabs/ldns/issues/50
https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3

Comment 1 Sandipan Roy 2022-01-24 15:29:14 UTC

Created ldns tracking bugs for this issue:

Affects: fedora-all [bug 2044428]

Comment 6 Paul Wouters 2023-07-11 00:51:24 UTC

I cannot close this bug. Someone please close this. It's ancient and old and resolved in all branches years ago

Note You need to log in before you can comment on or make changes to this bug.