Bug 906964 (CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067) - <net-dns/c-ares-1.19.1: Multiple vulnerabilities
Summary: <net-dns/c-ares-1.19.1: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa? cleanup]
Keywords:
Depends on: 908618
Blocks:
Reported: 2023-05-23 03:38 UTC by Sam James
Modified: 2023-08-19 05:44 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 03:38:58 UTC
From https://c-ares.org/changelog.html (with CVE links added):
"""
 c-ares version 1.19.1 - May 22 2023

Security:

    CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service (https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc)
    CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS query IDs (https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
    CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() (https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v)
    CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation (https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4)
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-05-23 03:40:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e390c358ad849784b280deaa023250aebf5f7f1b

commit e390c358ad849784b280deaa023250aebf5f7f1b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-23 03:39:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-23 03:39:22 +0000

    net-dns/c-ares: add 1.19.1
    
    Bug: https://bugs.gentoo.org/906964
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/c-ares/Manifest             |  2 ++
 net-dns/c-ares/c-ares-1.19.1.ebuild | 70 +++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)