Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622278 (CVE-2017-1000381) - <net-dns/c-ares-1.13.0: NAPTR parser out of bounds access
Summary: <net-dns/c-ares-1.13.0: NAPTR parser out of bounds access
Status: RESOLVED FIXED
Alias: CVE-2017-1000381
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://c-ares.haxx.se/adv_20170620.html
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-20 07:17 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-12-04 22:09 UTC (History)
1 user (show)

See Also:
Package list:
net-dns/c-ares-1.13.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-20 07:17:02 UTC
Project c-ares Security Advisory, June 20, 2017 -
[Permalink](https://c-ares.haxx.se/adv_20170620.html)

VULNERABILITY
-------------

The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given input
buffer if the passed in DNS response packet was crafted in a particular way.

We are not aware of any exploits of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000381 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following c-ares versions.

- Affected versions: c-ares 1.8.0 to and including 1.12.0
- Not affected versions: c-ares >= 1.13.0

THE SOLUTION
------------

In version 1.13.0, the `RR_len` value gets checked properly and the function
is also added to the fuzz testing. It was previously accidentally left out
from that.

A [patch for CVE-2017-1000381](https://c-ares.haxx.se/CVE-2017-1000381.patch)
is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade c-ares to version 1.13.0

 B - Apply the patch to your version and rebuild

 C - Do not use `ares_parse_naptr_reply()`.

TIME LINE
---------

It was reported to the c-ares project on May 20. We contacted distros@openall
on June 16.

c-ares 1.13.0 was released on June 20 2017, coordinated with the publication
of this advisory.

CREDITS
-------

Thanks to LCatro for the report and to David Drysdale for the fix.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-18 18:56:51 UTC
@ Arches,

please test and mark stable: =net-dns/c-ares-1.13.0
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-19 18:14:48 UTC
Stable on amd64.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-21 07:22:15 UTC
ia64 stable
Comment 4 Markus Meier gentoo-dev 2017-07-25 18:50:42 UTC
arm stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-18 21:03:14 UTC
x86 stable
Comment 6 Matt Turner gentoo-dev 2017-08-31 15:21:38 UTC
alpha stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:17:29 UTC
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:15:01 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:37:41 UTC
ppc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-29 00:42:19 UTC
hppa stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 02:36:13 UTC
please clean vulnerable versions.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-10-30 00:18:42 UTC
GLSA Vote: No.

@blueness, can 1.12.0 be dropped?
Comment 13 Anthony Basile gentoo-dev 2017-10-30 07:58:03 UTC
(In reply to Aaron Bauman from comment #12)
> GLSA Vote: No.
> 
> @blueness, can 1.12.0 be dropped?

done
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-04 22:09:31 UTC
sparc stable (thanks to Rolf Eike Beer)