CVE-2020-6072: 
NixOS vulnerability analysis and mitigation

An exploitable code execution vulnerability exists in the label-parsing functionality of Videolabs libmicrodns 0.1.0, identified as CVE-2020-6072. The vulnerability was discovered in January 2020 and publicly disclosed on March 23, 2020. The affected software is the libmicrodns library, which is used by VLC media player for mDNS services discovery (Talos Blog, Talos Report).

The vulnerability occurs in the rr_decode function when parsing compressed labels in mDNS messages. The function's return value is not checked, which leads to a double free condition. The issue received a CVSS v3.1 score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-252: Unchecked Return Value (Talos Report).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system. The vulnerability can be triggered by sending a specially crafted mDNS message to the target system (Talos Report).

The vulnerability was patched in libmicrodns version 0.1.2. Users are advised to upgrade to this version or later. For Debian systems, the issue was addressed by disabling the microdns plugin in VLC version 3.0.10-0+deb10u1 for stable distribution and 3.0.10-0+deb9u1 for oldstable distribution (Debian Advisory, Gentoo Advisory).