CVE-2020-6077: 
NixOS vulnerability analysis and mitigation

An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0, identified as CVE-2020-6077. The vulnerability was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on March 23, 2020. The issue affects the mDNS message parsing implementation, where the software fails to properly track available data in messages (Talos Report).

The vulnerability stems from improper bounds tracking in message parsing. When parsing mDNS messages, the implementation incorrectly handles the comparison of remaining bytes, which can lead to out-of-bounds read operations. The issue is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and has been assigned a CVSS v3.1 score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Talos Report).

The vulnerability can result in a denial of service condition when exploited. Additionally, when combined with other bugs in the code, it could potentially be used to trigger a double-free vulnerability, potentially leading to more severe consequences (Talos Report).

The vulnerability was patched by the vendor on March 20, 2020. Users should upgrade to a version newer than 0.1.0. Some distributions have taken specific measures - for example, Debian disabled the microdns plugin in their VLC media player packages as part of their security update (Debian Advisory, Gentoo Advisory).