Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 807604

Summary: <net-dns/c-ares-1.17.2: missing validation on hostnames returned by DNS servers (CVE-2021-3672)
Product: Gentoo Security Reporter: Allen Webb <allenwebb>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: blueness
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa?]
Package list:
net-dns/c-ares-1.17.2 *
Runtime testing required: ---
Bug Depends on: 807775    
Bug Blocks: 807778    

Description Allen Webb 2021-08-10 19:18:41 UTC
c-ares before 1.17.2 has missing input validation.

Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-3672 to this issue.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-10 19:45:06 UTC
Comment 2 Larry the Git Cow gentoo-dev 2021-08-10 23:45:37 UTC
The bug has been referenced in the following commit(s):

commit c06fd172f1183f13dd6802abd5c3585987f4bc86
Author:     Sam James <>
AuthorDate: 2021-08-10 23:45:13 +0000
Commit:     Sam James <>
CommitDate: 2021-08-10 23:45:18 +0000

    net-dns/c-ares: add 1.17.2
    Now with tests.
    Signed-off-by: Sam James <>

 net-dns/c-ares/Manifest             |  1 +
 net-dns/c-ares/c-ares-1.17.2.ebuild | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)