Project c-ares Security Advisory, June 20, 2017 - [Permalink](https://c-ares.haxx.se/adv_20170620.html) VULNERABILITY ------------- The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. We are not aware of any exploits of this flaw. INFO ---- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-1000381 to this issue. AFFECTED VERSIONS ----------------- This flaw exists in the following c-ares versions. - Affected versions: c-ares 1.8.0 to and including 1.12.0 - Not affected versions: c-ares >= 1.13.0 THE SOLUTION ------------ In version 1.13.0, the `RR_len` value gets checked properly and the function is also added to the fuzz testing. It was previously accidentally left out from that. A [patch for CVE-2017-1000381](https://c-ares.haxx.se/CVE-2017-1000381.patch) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade c-ares to version 1.13.0 B - Apply the patch to your version and rebuild C - Do not use `ares_parse_naptr_reply()`. TIME LINE --------- It was reported to the c-ares project on May 20. We contacted distros@openall on June 16. c-ares 1.13.0 was released on June 20 2017, coordinated with the publication of this advisory. CREDITS ------- Thanks to LCatro for the report and to David Drysdale for the fix.
@ Arches, please test and mark stable: =net-dns/c-ares-1.13.0
Stable on amd64.
ia64 stable
arm stable
x86 stable
alpha stable
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
ppc64 stable
ppc stable
hppa stable
please clean vulnerable versions.
GLSA Vote: No. @blueness, can 1.12.0 be dropped?
(In reply to Aaron Bauman from comment #12) > GLSA Vote: No. > > @blueness, can 1.12.0 be dropped? done
sparc stable (thanks to Rolf Eike Beer)