CVE-2020-12460
medium
CVSS v3
—
CVSS v2
—
VIR risk
5.5
Description
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-12460
Vendor advisory: arch — https://security.archlinux.org/ASA-202009-1
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 1.3.3-1 | |
| debian | bookworm | fixed | 1.4.0~beta1+dfsg-3 |
| debian | bullseye | fixed | 1.4.0~beta1+dfsg-3 |
| debian | forky | fixed | 1.4.0~beta1+dfsg-3 |
| debian | sid | fixed | 1.4.0~beta1+dfsg-3 |
| debian | trixie | fixed | 1.4.0~beta1+dfsg-3 |
References
Verify integrity in audit chain (admin only). AS-IS.