Videolabs Patches Code Execution, DoS Vulnerabilities in libmicrodns Library

Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn.


A company founded by VideoLAN members, Videolabs is the current editor of the VLC mobile applications and also an important contributor to the VLC media player. The libmicrodns mDNS resolver cross-platform library is used in the VLC media player for mDNS service discovery.


The most severe of the newly discovered vulnerabilities is an exploitable remote code execution bug in the label-parsing functionality of the library. It is tracked as CVE-2020-6072 and has a CVSS score of 9.8.


“When parsing compressed labels in mDNS messages, the `rr_decode` function's return value is not checked, leading to a double free that could be exploited to execute arbitrary code. An attacker can send an mDNS message to trigger this vulnerability,” Talos explains.


All of the remaining issues have a CVSS score of 7.5, but they impact different components of the library. The first of them is a denial of service bug in the resource record-parsing functionality of libmicrodns.


The issue is tracked as CVE-2020-6071 and can be triggered during the parsing of compressed labels in mDNS messages. According to Talos, because the compression pointer is followed without checking for recursion, a denial of service condition can occur.
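As an added illustration (not libmicrodns code and not taken from the Talos advisory), the following C decoder bounds compression-pointer following, the check whose absence CVE-2020-6071 describes. The names `decode_name`, `MAX_NAME` and `MAX_HOPS`, the hop limit of 16 and the backward-only pointer rule are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255   /* assumed cap on the decoded name length */
#define MAX_HOPS 16    /* assumed cap on compression pointers per name */

/* Hypothetical helper, not libmicrodns code. Decodes the name at msg[off]
 * into out as dotted text. Returns the text length, or -1 on a malformed
 * name (truncation, pointer loop, forward pointer, oversize name). */
int decode_name(const uint8_t *msg, size_t len, size_t off,
                char *out, size_t outsz)
{
    size_t n = 0;
    int hops = 0;

    if (outsz == 0) return -1;
    for (;;) {
        if (off >= len) return -1;                 /* read past packet */
        uint8_t c = msg[off];
        if (c == 0) break;                         /* root label: done */
        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            /* Backward jumps only; the hop cap stops label+pointer cycles. */
            if (target >= off || ++hops > MAX_HOPS) return -1;
            off = target;
            continue;
        }
        if (c & 0xC0) return -1;                   /* reserved label type */
        if (off + 1 + c > len) return -1;          /* label overruns packet */
        if (n + c + 1 > MAX_NAME || n + c + 2 > outsz) return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, c);
        n += c;
        off += 1 + (size_t)c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    /* Constructed sample: label "a" followed by a pointer back to offset 0. */
    const uint8_t loop[] = { 1, 'a', 0xC0, 0x00 };
    char out[256];
    printf("looping name -> %d\n", decode_name(loop, sizeof loop, 0, out, sizeof out));
    return 0;
}
```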


Another DoS flaw was found in the TXT record-parsing functionality of the library and is tracked as CVE-2020-6073. According to Talos, integer overflows can be triggered when parsing the RDATA section in a TXT record in mDNS messages, leading to DoS.


The message-parsing functionality of libmicrodns was impacted by an out-of-bounds flaw (CVE-2020-6077) that e ..
