
Bug 906964 (CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067)

Summary: <net-dns/c-ares-1.19.1: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=892489
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 908618
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 03:38:58 UTC
From https://c-ares.org/changelog.html (with CVE links added):
"""
 c-ares version 1.19.1 - May 22 2023

Security:

    CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service (https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc)
    CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS query IDs (https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
    CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() (https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v)
    CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation (https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4)
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-05-23 03:40:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e390c358ad849784b280deaa023250aebf5f7f1b

commit e390c358ad849784b280deaa023250aebf5f7f1b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-23 03:39:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-23 03:39:22 +0000

    net-dns/c-ares: add 1.19.1
    
    Bug: https://bugs.gentoo.org/906964
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/c-ares/Manifest             |  2 ++
 net-dns/c-ares/c-ares-1.19.1.ebuild | 70 +++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-09-30 01:54:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b63eb1d88fe2e39d50ed26013185067da2d4827c

commit b63eb1d88fe2e39d50ed26013185067da2d4827c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-30 01:51:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-30 01:51:11 +0000

    net-dns/c-ares: drop 1.19.0
    
    Bug: https://bugs.gentoo.org/906964
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/c-ares/Manifest             |  2 --
 net-dns/c-ares/c-ares-1.19.0.ebuild | 70 -------------------------------------
 2 files changed, 72 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2023-10-08 07:30:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e13b4705e37d564cf7d1830379f6550fae91f021

commit e13b4705e37d564cf7d1830379f6550fae91f021
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-08 07:28:06 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-08 07:30:01 +0000

    [ GLSA 202310-09 ] c-ares: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/906964
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-09.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)