CVE-2020-6079: 
NixOS vulnerability analysis and mitigation

An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. The vulnerability was discovered in March 2020 and assigned identifier CVE-2020-6079. When encountering errors while parsing mDNS messages, some allocated data is not freed, possibly leading to a denial-of-service condition via resource exhaustion (Talos Report).

The vulnerability occurs in the resource allocation handling when parsing mDNS messages. Specifically, in the rr_decode function, when decoding domain names, the allocated ss buffer is only freed upon error but not by the caller of this function. This leads to a memory leak when certain conditions are met during message parsing. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a denial-of-service condition through resource exhaustion. An attacker can send one mDNS message repeatedly to trigger this vulnerability, causing memory leaks that eventually exhaust system resources (Talos Report).

The vulnerability has been fixed in libmicrodns version 0.1.2. Users should upgrade to this version or later. For Debian systems, the issue was addressed by disabling the microdns plugin in VLC media player version 3.0.10-0+deb10u1 (Debian Advisory). Gentoo users should upgrade to libmicrodns version 0.1.2 or later (Gentoo Advisory).