user/libslirp: CVE-2020-10756: icmp6_send_echoreply host memory disclosure
Bugzilla ID | 330 |
Alias(es) | CVE-2020-10756, CVE-2020-29129, CVE-2020-29130 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2020-07-09 03:16:49 -0500 |
Modified | 2020-12-03 23:03:47 -0600 |
Status | CONFIRMED |
Version | 1.0-RC1 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Package(s) | user/libslirp |
Description
CVE-2020-10756: https://bugzilla.redhat.com/show_bug.cgi?id=1835986#c11
While processing an incoming ICMPv6 echo request, function
icmp6_send_echoreply() does not validate the IPv6 payload length
(ip->ip_pl) which is then used as the size of memcpy() to create the
destination packet. A malicious user could be able to trick memcpy()
into copying more data than allowed, thus potentially leaking the
contents of the host memory.
Fixed in >= 4.3.1 https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.3.1
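
The bug class described above, shown as an added example that is not libslirp's source and is not taken from this report: an echo reply is built by copying the number of bytes the IPv6 header claims, first without and then with a check against the number of bytes actually received. All function names, the 128-byte `arena` standing in for host memory, and the 0x5A marker bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of the bug class; not libslirp source. */
#define IP6_HDR_LEN 40 /* fixed IPv6 header size */

/* Payload length: 16-bit big-endian field at offset 4 of the IPv6 header. */
static size_t ip6_claimed_len(const uint8_t *pkt) {
    return ((size_t)pkt[4] << 8) | pkt[5];
}

/* Unchecked pattern: the copy size comes straight from the header. */
size_t reply_unchecked(const uint8_t *pkt, uint8_t *out) {
    size_t n = ip6_claimed_len(pkt);
    memcpy(out, pkt + IP6_HDR_LEN, n);
    return n;
}

/* Checked pattern: returns bytes copied, or -1 if the packet is rejected. */
long reply_checked(const uint8_t *pkt, size_t received,
                   uint8_t *out, size_t out_cap) {
    if (received < IP6_HDR_LEN)
        return -1;                         /* truncated header */
    size_t n = ip6_claimed_len(pkt);
    if (n > received - IP6_HDR_LEN)
        return -1;                         /* header claims more than arrived */
    if (n > out_cap)
        return -1;                         /* reply buffer too small */
    memcpy(out, pkt + IP6_HDR_LEN, n);
    return (long)n;
}

/* Constructed input: 'arena' stands in for host memory. The first 48 bytes
 * are the received packet (40-byte header + 8 payload bytes); the bytes after
 * it are unrelated host data. Returns how many unrelated bytes reach 'out'. */
size_t demo_leaked_bytes(int use_check) {
    uint8_t arena[128] = {0}, out[128] = {0};
    const size_t received = IP6_HDR_LEN + 8;
    memset(arena + received, 0x5A, sizeof arena - received); /* host data marker */
    arena[4] = 0; arena[5] = 64;           /* header claims 64 payload bytes */
    if (use_check)
        (void)reply_checked(arena, received, out, sizeof out);
    else
        (void)reply_unchecked(arena, out);
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof out; i++)
        leaked += (out[i] == 0x5A);
    return leaked;
}
```

With the constructed packet, the unchecked copy carries the bytes that follow the packet in memory into the reply, while the checked version drops the request because the claimed length exceeds what arrived.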