MNBSD-2020-0: libalias insufficient packet length validation causes memory disclosure

Severity: Unknown

Affected Package: libalias

Summary: libalias insufficient packet length validation causes memory disclosure

Description

libalias(3), the library used for NAT (including the in-kernel NAT in ipfw and the userspace natd(8)), performed insufficient packet length validation. The FTP packet handler incorrectly calculated some packet lengths, which could disclose small amounts of memory from the kernel or from the natd process (CVE-2020-7455). More broadly, malicious packets could trigger out-of-bounds read or write conditions in the libalias packet handlers (CVE-2020-7454).
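The class of check the description refers to, as an added illustration: this is not libalias code and does not reproduce the actual fix. The function names and the sample packet are hypothetical and constructed for this example. Every length field taken from the packet is compared against the number of bytes actually captured before a protocol handler touches the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not a libalias function: find the TCP payload of a raw
 * IPv4 packet only after each length field is checked against the buf_len
 * bytes actually captured. Returns 0 on success, -1 on any inconsistency. */
int tcp_payload_bounds(const uint8_t *buf, size_t buf_len,
                       const uint8_t **payload, size_t *payload_len)
{
    if (buf == NULL || buf_len < 20 || (buf[0] >> 4) != 4)
        return -1;                          /* too short, or not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    size_t tot = ((size_t)buf[2] << 8) | buf[3];
    if (ihl < 20 || ihl > tot || tot > buf_len)
        return -1;                          /* claimed lengths exceed the data */
    if (buf[9] != 6 || tot - ihl < 20)
        return -1;                          /* not TCP, or TCP header truncated */
    size_t doff = (size_t)(buf[ihl + 12] >> 4) * 4;
    if (doff < 20 || doff > tot - ihl)
        return -1;                          /* data offset points past the packet */
    *payload = buf + ihl + doff;
    *payload_len = tot - ihl - doff;        /* cannot underflow after the checks */
    return 0;
}

/* Constructed sample: 44 captured bytes (20 IP + 20 TCP + 4 payload) whose
 * length fields are parameters. Returns accepted payload length, or -1. */
long check_sample(unsigned total_len, unsigned ihl_words, unsigned doff_words)
{
    uint8_t pkt[44] = {0};
    const uint8_t *p = NULL;
    size_t n = 0, doff_at = (ihl_words & 0x0f) * 4u + 12;
    pkt[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    pkt[2] = (uint8_t)(total_len >> 8);
    pkt[3] = (uint8_t)(total_len & 0xff);
    pkt[9] = 6;                             /* IPPROTO_TCP */
    if (doff_at < sizeof pkt)
        pkt[doff_at] = (uint8_t)((doff_words & 0x0f) << 4);
    return tcp_payload_bounds(pkt, sizeof pkt, &p, &n) == 0 ? (long)n : -1;
}

int main(void)
{
    printf("well-formed:       %ld\n", check_sample(44, 5, 5));
    printf("total_len 1500:    %ld\n", check_sample(1500, 5, 5));
    printf("data offset 60:    %ld\n", check_sample(44, 5, 15));
    return 0;
}
```

A handler that trusted the header's total length instead of the captured length would, for the second sample, treat bytes beyond the 44-byte buffer as packet data.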

Affected Versions

libalias

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2020-7454, CVE-2020-7455

Published: May 12, 2020
Last Modified: May 12, 2020