Bug 622278 (CVE-2017-1000381) - <net-dns/c-ares-1.13.0: NAPTR parser out of bounds access
Summary: <net-dns/c-ares-1.13.0: NAPTR parser out of bounds access
Alias: CVE-2017-1000381
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2017-06-20 07:17 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-12-04 22:09 UTC
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-20 07:17:02 UTC
Project c-ares Security Advisory, June 20, 2017 -


The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given input
buffer if the passed in DNS response packet was crafted in a particular way.

We are not aware of any exploits of this flaw.


The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000381 to this issue.


This flaw exists in the following c-ares versions.

- Affected versions: c-ares 1.8.0 to and including 1.12.0
- Not affected versions: c-ares >= 1.13.0


In version 1.13.0, the `RR_len` value gets checked properly and the function
is also added to the fuzz testing. It was previously accidentally left out
from that.

A patch for CVE-2017-1000381 is available.


We suggest you take one of the following actions immediately, in order of

 A - Upgrade c-ares to version 1.13.0

 B - Apply the patch to your version and rebuild

 C - Do not use `ares_parse_naptr_reply()`.


It was reported to the c-ares project on May 20. We contacted distros@openall
on June 16.

c-ares 1.13.0 was released on June 20 2017, coordinated with the publication
of this advisory.


Thanks to LCatro for the report and to David Drysdale for the fix.
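
The following is an added example, not part of the advisory and not c-ares's own code or patch: it shows the kind of length checking a NAPTR RDATA parser needs before it reads any field, so that a crafted record length is rejected instead of causing an out-of-bounds read. The field layout follows RFC 3403; the names `naptr_view`, `naptr_check_rdata` and `naptr_sample` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical view of one NAPTR RDATA; strings are not NUL-terminated. */
struct naptr_view {
    uint16_t order, preference;
    const uint8_t *str[3];  /* flags, services, regexp */
    uint8_t len[3];
    size_t replacement_off; /* offset of the replacement name in buf */
};

/* Constructed sample RDATA: order 100, preference 10, flags "u",
 * services "E2U+sip", empty regexp, replacement "." (root). */
const uint8_t naptr_sample[16] = {
    0x00, 0x64, 0x00, 0x0a, 0x01, 'u',
    0x07, 'E', '2', 'U', '+', 's', 'i', 'p', 0x00, 0x00
};

/* Returns 0 if the RDATA at buf[rr_off .. rr_off+rr_len) is well-formed,
 * -1 if any field would extend past the record or the packet. */
int naptr_check_rdata(const uint8_t *buf, size_t buflen,
                      size_t rr_off, size_t rr_len, struct naptr_view *out)
{
    /* Record must lie inside the packet (written to avoid overflow). */
    if (rr_off > buflen || rr_len > buflen - rr_off)
        return -1;
    /* Minimum size: 2+2 integer bytes, 3 length bytes, 1 name byte. */
    if (rr_len < 7)
        return -1;
    const uint8_t *p = buf + rr_off, *end = p + rr_len;
    out->order = (uint16_t)((p[0] << 8) | p[1]);
    out->preference = (uint16_t)((p[2] << 8) | p[3]);
    p += 4;
    for (int i = 0; i < 3; i++) {
        if (p >= end)               /* no room for the length byte */
            return -1;
        uint8_t n = *p++;
        if ((size_t)(end - p) < n)  /* string would run past the record */
            return -1;
        out->str[i] = p;
        out->len[i] = n;
        p += n;
    }
    if (p >= end)                   /* replacement name is missing */
        return -1;
    out->replacement_off = (size_t)(p - buf);
    return 0;
}
```
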
Comment 1 Thomas Deutschmann gentoo-dev 2017-07-18 18:56:51 UTC
@ Arches,

please test and mark stable: =net-dns/c-ares-1.13.0
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-19 18:14:48 UTC
Stable on amd64.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-21 07:22:15 UTC
ia64 stable
Comment 4 Markus Meier gentoo-dev 2017-07-25 18:50:42 UTC
arm stable
Comment 5 Thomas Deutschmann gentoo-dev 2017-08-18 21:03:14 UTC
x86 stable
Comment 6 Matt Turner gentoo-dev 2017-08-31 15:21:38 UTC
alpha stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:15:01 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:37:41 UTC
ppc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-29 00:42:19 UTC
hppa stable
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:36:13 UTC
please clean vulnerable versions.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-30 00:18:42 UTC
GLSA Vote: No.

@blueness, can 1.12.0 be dropped?
Comment 13 Anthony Basile gentoo-dev 2017-10-30 07:58:03 UTC
(In reply to Aaron Bauman from comment #12)
> GLSA Vote: No.
> @blueness, can 1.12.0 be dropped?

Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-04 22:09:31 UTC
sparc stable (thanks to Rolf Eike Beer)