SB2020050403 - Debian update for vlc 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020050403

SB2020050403 - Debian update for vlc

Published: May 4, 2020

Security Bulletin ID SB2020050403
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 86%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Uncontrolled Recursion (CVE-ID: CVE-2020-6071)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the compression pointer is followed without checking for recursion in the resource record-parsing functionality when parsing compressed labels in mDNS messages. A remote attacker can send a specially crafted mDNS message and cause a denial of service condition on the target system.


2) Unchecked Return Value (CVE-ID: CVE-2020-6072)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists within the label-parsing functionality due to the "rr_decode" function's return value is not checked when parsing compressed labels in mDNS messages. A remote attacker can send a specially crafted mDNS message and execute arbitrary code on the target system.


3) Integer overflow (CVE-ID: CVE-2020-6073)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in the TXT record-parsing functionality when parsing the RDATA section in a TXT record in mDNS messages. A remote attacker can send a specially crafted mDNS message, trigger integer overflow and cause a denial of service condition on the target system.



4) Out-of-bounds read (CVE-ID: CVE-2020-6077)

The vulnerability allows a remote attacker to perform a denial of service (DoS).

The vulnerability exists within the message-parsing functionality due to a boundary condition when parsing mDNS messages. A remote attacker can send a specially crafted mDNS message, trigger out-of-bounds read error and cause a denial of service condition on the target system.


5) Unchecked Return Value (CVE-ID: CVE-2020-6078)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists within the message-parsing functionality due to the "mdns_read_header" function is not checked when parsing mDNS messages in "mdns_recv". A remote attacker can send a specially crafted mDNS message and cause a denial of service condition on the target system.


6) Resource exhaustion (CVE-ID: CVE-2020-6079)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to encountering errors while parsing mDNS messages in the "rr_decode" function in the resource allocation handling. A remote attacker can send mDNS messages, trigger resource exhaustion and perform a denial of service (DoS) attack.


7) Resource exhaustion (CVE-ID: CVE-2020-6080)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to encountering errors while parsing mDNS messages in the "rr_read_TXT" function in the resource allocation handling. A remote attacker can send mDNS messages, trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References