CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. Patch is in 1.19.0: https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d Please cleanup.
commit 5b4524f8d03b8da79a6357422dc6ebbc25e2d191 Author: Sam James <sam@gentoo.org> Date: Mon May 1 14:30:29 2023 +0100 net-dns/c-ares: drop 1.18.1
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce commit c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-05 09:27:33 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-05 09:28:02 +0000 [ GLSA 202401-02 ] c-ares: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/807604 Bug: https://bugs.gentoo.org/807775 Bug: https://bugs.gentoo.org/892489 Bug: https://bugs.gentoo.org/905341 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-02.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+)
