security/vuxml: add FreeBSD SA-20:32.rtsold
This commit is contained in:
parent
c0dc157724
commit
cb3ac81e10
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=556810
@ -58,6 +58,50 @@ Notes:
|
||||
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
|
||||
-->
|
||||
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
|
||||
<vuln vid="e2748c9d-3483-11eb-b87a-901b0ef719ab">
|
||||
<topic>FreeBSD -- Multiple vulnerabilities in rtsold</topic>
|
||||
<affects>
|
||||
<package>
|
||||
<name>FreeBSD</name>
|
||||
<range><ge>12.2</ge><lt>12.2_1</lt></range>
|
||||
<range><ge>12.1</ge><lt>12.1_11</lt></range>
|
||||
<range><ge>11.4</ge><lt>11.4_5</lt></range>
|
||||
</package>
|
||||
</affects>
|
||||
<description>
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<h1>Problem Description:</h1>
|
||||
<p>Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling.
|
||||
First, rtsold(8) failed to perform sufficient bounds checking on the
|
||||
extent of the option. In particular, it does not verify that the
|
||||
option does not extend past the end of the received packet before
|
||||
processing its contents. The kernel currently ignores such
|
||||
malformed packets but still passes them to userspace programs.</p>
|
||||
<p>Second, when processing a DNSSL option, rtsold(8) decodes domain
|
||||
name labels per an encoding specified in RFC 1035 in which the first
|
||||
octet of each label contains the label's length. rtsold(8) did not
|
||||
validate label lengths correctly and could overflow the destination
|
||||
buffer.</p>
|
||||
<h1>Impact:</h1>
|
||||
<p>It is believed that these bugs could be exploited to gain remote
|
||||
code execution within the rtsold(8) daemon, which runs as root.
|
||||
Note that rtsold(8) only processes messages received from hosts
|
||||
attached to the same physical link as the interface(s) on which
|
||||
rtsold(8) is listening.</p>
|
||||
<p>In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the
|
||||
scope of a compromised rtsold(8) process.</p>
|
||||
</body>
|
||||
</description>
|
||||
<references>
|
||||
<cvename>CVE-2020-25577</cvename>
|
||||
<freebsdsa>SA-20:32.rtsold</freebsdsa>
|
||||
</references>
|
||||
<dates>
|
||||
<discovery>2020-12-01</discovery>
|
||||
<entry>2020-12-02</entry>
|
||||
</dates>
|
||||
</vuln>
|
||||
|
||||
<vuln vid="8eed0c5c-3482-11eb-b87a-901b0ef719ab">
|
||||
<topic>FreeBSD -- ICMPv6 use-after-free in error message handling</topic>
|
||||
<affects>
|
||||
|
Loading…
Reference in New Issue
Block a user