Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 595536 (CVE-2016-5180) - <net-dns/c-ares-1.12.0: `ares_create_query` single byte out of buffer write (CVE-2016-5180)
Summary: <net-dns/c-ares-1.12.0: `ares_create_query` single byte out of buffer write (...
Status: RESOLVED FIXED
Alias: CVE-2016-5180
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-29 14:10 UTC by Agostino Sarubbo
Modified: 2017-01-11 12:30 UTC (History)
1 user (show)

See Also:
Package list:
=net-dns/c-ares-1.12.0
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-09-29 14:10:35 UTC
From ${URL} :


`ares_create_query` single byte out of buffer write
=================================================

Project c-ares Security Advisory, September 29, 2016 -
[Permalink](https://c-ares.haxx.se/adv_20160929.html)

VULNERABILITY
-------------

When a string is passed in to `ares_create_query` or `ares_mkquery` and uses
an escaped trailing dot, like "hello\.", c-ares calculates the string length
wrong and subsequently writes outside of the the allocated buffer with one
byte. The wrongly written byte is the least significant byte of the 'dnsclass'
argument; most commonly 1.

We have been seen proof of concept code showing how this can be exploited in a
real-world system, but we are not aware of any such instances having actually
happened in the wild.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-5180 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following c-ares versions.

- Affected versions: libcurl 1.0.0 to and including 1.11.0
- Not affected versions: c-ares >= 1.12.0

THE SOLUTION
------------

In version 1.12.0, the function has been corrected and a test case have been
added to verify.

A [patch for CVE-2016-5180](https://c-ares.haxx.se/CVE-2016-5180.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade c-ares to version 1.12.0

  B - Apply the patch to your version and rebuild

  C - Make *really* sure you don't pass in strings to either of these functions
      that use escaped trailing dots.

TIME LINE
---------

It was reported to the c-ares project on September 22 by Gzob Qq.

c-ares 1.12.0 was released on September 29 2016, coordinated with the
publication of this advisory.

CREDITS
-------

Thanks to Gzob Qq for the report and to Mattias Nissler for code reviews of
the patch.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2016-09-29 14:30:34 UTC
Affected versions: c-ares 1.0.0 to and including 1.11.0
Not affected versions: c-ares >= 1.12.0
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-11-21 11:52:14 UTC
=net-dns/c-ares-1.12.0 is in tree since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4713589132fe11ec3184fb2602492139ce66ab37


@ Maintainer(s): Can we start stabilization of =net-dns/c-ares-1.12.0?
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-28 17:45:41 UTC
@ Arches,

please test and mark stable: =net-dns/c-ares-1.12.0
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-29 10:41:47 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-29 10:44:10 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2016-11-30 19:35:18 UTC
arm stable
Comment 7 Tobias Klausmann gentoo-dev 2016-12-02 14:21:44 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-19 14:37:45 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-19 15:14:36 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-20 09:47:28 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-22 09:37:11 UTC
ppc64 stable
Comment 12 Jeroen Roovers gentoo-dev 2017-01-09 13:49:43 UTC
Stable for HPPA.
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-01-09 14:12:40 UTC
New GLSA request filed.


@ Maintainer(s): Please drop all ebuilds <net-dns/c-ares-1.12.0
Comment 14 Anthony Basile gentoo-dev 2017-01-09 16:41:12 UTC
(In reply to Thomas Deutschmann from comment #13)
> New GLSA request filed.
> 
> 
> @ Maintainer(s): Please drop all ebuilds <net-dns/c-ares-1.12.0

done
Comment 15 Thomas Deutschmann gentoo-dev Security 2017-01-09 16:58:06 UTC
@ Maintainer(s): Thank you for your work!
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:30:38 UTC
This issue was resolved and addressed in
 GLSA 201701-28 at https://security.gentoo.org/glsa/201701-28
by GLSA coordinator Aaron Bauman (b-man).