CVE-2020-19861: 
NixOS vulnerability analysis and mitigation

CVE-2020-19861 affects ldns version 1.7.1, specifically when parsing zone files. The vulnerability was discovered and disclosed in January 2022. The issue resides in the ldns_nsec3_salt_data function, which improperly handles length values obtained from zone files (NVD).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) with a CVSS v3.1 Base Score of 7.5 (HIGH). The technical issue occurs when the ldns_nsec3_salt_data function processes length values from zone files without proper validation. During the memcpy operation, it can copy 0xfe - ldns_rdf_size(salt_rdf) byte data, leading to a heap overflow condition (NVD, Debian Tracker).

The vulnerability can lead to information disclosure through heap overflow information leakage. When exploited, an attacker might be able to read sensitive data from memory locations beyond the intended buffer boundaries (NVD).

The vulnerability has been fixed in later versions of ldns. Debian bookworm includes the fixed version 1.8.3-1, and sid/trixie contains version 1.8.4-2. Ubuntu has also released security updates for affected versions through USN-5257-2 (Debian Tracker, Ubuntu Notice).