Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 807604 (CVE-2021-3672) - <net-dns/c-ares-1.17.2: missing validation on hostnames returned by DNS servers
Summary: <net-dns/c-ares-1.17.2: missing validation on hostnames returned by DNS servers
Status: RESOLVED FIXED
Alias: CVE-2021-3672
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940
Blocks: 807778
  Show dependency tree
 
Reported: 2021-08-10 19:18 UTC by Allen Webb
Modified: 2024-01-05 09:30 UTC (History)
1 user (show)

See Also:
Package list:
net-dns/c-ares-1.17.2 *
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Allen Webb 2021-08-10 19:18:41 UTC
c-ares before 1.17.2 has missing input validation.

```
Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-3672 to this issue.
```
From: https://c-ares.haxx.se/adv_20210810.html
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-10 19:45:06 UTC
Thanks!
Comment 2 Larry the Git Cow gentoo-dev 2021-08-10 23:45:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c06fd172f1183f13dd6802abd5c3585987f4bc86

commit c06fd172f1183f13dd6802abd5c3585987f4bc86
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-10 23:45:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-10 23:45:18 +0000

    net-dns/c-ares: add 1.17.2
    
    Now with tests.
    
    Bug: https://bugs.gentoo.org/807604
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/c-ares/Manifest             |  1 +
 net-dns/c-ares/c-ares-1.17.2.ebuild | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-01-05 09:28:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce

commit c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-05 09:27:33 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-05 09:28:02 +0000

    [ GLSA 202401-02 ] c-ares: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/807604
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/892489
    Bug: https://bugs.gentoo.org/905341
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-02.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)