906964 – (CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067) <net-dns/c-ares-1.19.1: Multiple vulnerabilities

Bug 906964 (CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067) - <net-dns/c-ares-1.19.1: Multiple vulnerabilities

Summary: <net-dns/c-ares-1.19.1: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+]
Keywords:

Depends on:	908618
Blocks:
	Show dependency tree

Reported:	2023-05-23 03:38 UTC by Sam James
Modified:	2023-10-08 07:30 UTC (History)
CC List:	1 user (show)

See Also:	892489
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-05-23 03:38:58 UTC

From https://c-ares.org/changelog.html (with CVE links added):
"""
 c-ares version 1.19.1 - May 22 2023

Security:

    CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service (https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc)
    CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS query IDs (https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
    CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() (https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v)
    CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation (https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4)
"""

Comment 1 Larry the Git Cow gentoo-dev

2023-05-23 03:40:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e390c358ad849784b280deaa023250aebf5f7f1b

commit e390c358ad849784b280deaa023250aebf5f7f1b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-23 03:39:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-23 03:39:22 +0000

    net-dns/c-ares: add 1.19.1
    
    Bug: https://bugs.gentoo.org/906964
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/c-ares/Manifest             |  2 ++
 net-dns/c-ares/c-ares-1.19.1.ebuild | 70 +++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-09-30 01:54:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b63eb1d88fe2e39d50ed26013185067da2d4827c

commit b63eb1d88fe2e39d50ed26013185067da2d4827c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-30 01:51:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-30 01:51:11 +0000

    net-dns/c-ares: drop 1.19.0
    
    Bug: https://bugs.gentoo.org/906964
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/c-ares/Manifest             |  2 --
 net-dns/c-ares/c-ares-1.19.0.ebuild | 70 -------------------------------------
 2 files changed, 72 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2023-10-08 07:30:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e13b4705e37d564cf7d1830379f6550fae91f021

commit e13b4705e37d564cf7d1830379f6550fae91f021
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-08 07:28:06 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-08 07:30:01 +0000

    [ GLSA 202310-09 ] c-ares: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/906964
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-09.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)