RUSTSEC-2020-0001

Source
https://rustsec.org/advisories/RUSTSEC-2020-0001
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0001.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2020-0001
Aliases
Published
2020-01-06T12:00:00Z
Modified
2023-11-08T04:03:35.852947Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Stack overflow when resolving additional records from MX or SRV null targets
Details

A stack overflow, leading to a crash and potential DoS, occurs when the server processes additional records to return with MX or SRV record types.

This is only possible when a zone is configured with a null target for MX or SRV records, i.e. '.'.

Example affected zone record:

no-service 86400 IN MX 0 .

Prior to 0.16.0, additional record processing was not supported by trust-dns-server. There are no known issues with upgrading from 0.16 or 0.17 to 0.18.1. The remedy is to upgrade to 0.18.1. If you are unable to do so, avoid MX, SRV or other record types whose target is the null target.
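
One way to audit zone data for the mitigation above, as an added example that is not code from trust-dns-server or from the advisory: it flags MX and SRV records whose target is the null target '.'. The names find_null_targets, NullTarget and SAMPLE are hypothetical, the sample zone is constructed, and the scanner assumes one record per line.

```rust
// Added example. Assumes one record per line (no parenthesised multi-line records).
#[derive(Debug, PartialEq)]
pub struct NullTarget {
    pub line: usize,    // 1-based line number in the zone text
    pub rtype: String,  // "MX" or "SRV"
    pub record: String, // the record text with any comment stripped
}
pub fn find_null_targets(zone: &str) -> Vec<NullTarget> {
    let mut hits = Vec::new();
    for (idx, raw) in zone.lines().enumerate() {
        // Strip ';' comments; MX and SRV rdata hold no quoted strings.
        let text = raw.split(';').next().unwrap_or("");
        let mut fields: Vec<&str> = text.split_whitespace().collect();
        if fields.is_empty() || fields[0].starts_with('$') {
            continue; // blank line or $ORIGIN/$TTL directive
        }
        // A line that does not start with whitespace begins with the owner.
        if !text.starts_with(char::is_whitespace) {
            fields.remove(0);
        }
        // Optional TTL and class may come in either order before the type.
        while let Some(&f) = fields.first() {
            let is_ttl = f.starts_with(|c: char| c.is_ascii_digit());
            let is_class = ["IN", "CH", "HS"].iter().any(|c| f.eq_ignore_ascii_case(c));
            if !(is_ttl || is_class) { break; }
            fields.remove(0);
        }
        // fields is now [type, rdata...]; the target is the last rdata field.
        let rtype = fields.first().map(|t| t.to_ascii_uppercase()).unwrap_or_default();
        let rdata_len = match rtype.as_str() {
            "MX" => 2,  // preference, exchange
            "SRV" => 4, // priority, weight, port, target
            _ => continue,
        };
        if fields.len() == rdata_len + 1 && fields[rdata_len] == "." {
            hits.push(NullTarget { line: idx + 1, rtype, record: text.trim().to_string() });
        }
    }
    hits
}

// Constructed sample zone; line 2 is the record from the advisory.
pub const SAMPLE: &str = "$ORIGIN example.com.\nno-service 86400 IN MX 0 .\n\
mail 3600 IN MX 10 mx1.example.com.\n_sip._tcp IN 300 SRV 0 0 0 . ; constructed\n";
fn main() {
    for hit in find_null_targets(SAMPLE) {
        println!("line {}: {} null target: {}", hit.line, hit.rtype, hit.record);
    }
}
```

Any hit on a server running a trust-dns-server version from 0.16.0 up to, but not including, 0.18.1 marks a record to remove or a server to upgrade.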

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / trust-dns-server

Package

Name
trust-dns-server
Purl
pkg:cargo/trust-dns-server

Affected ranges

Type
SEMVER
Events
Introduced
0.16.0
Fixed
0.18.1

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}