import CS c-ares-1.13.0-8.el8

2023-09-27 12:44:44 +00:00 · 2023-09-27 12:44:44 +00:00 · 6ad6954deb
commit 6ad6954deb
parent 2bcc699504
3 changed files with 157 additions and 1 deletions
--- a/SOURCES/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch
+++ b/SOURCES/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch
@ -0,0 +1,64 @@
+From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow
+ (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+---
+ ares_init.c            | 4 ++++
+ test/ares-test-init.cc | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/ares_init.c b/ares_init.c
+index f7b700b..5aad7c8 100644
+--- a/ares_init.c
+++ b/ares_init.c
+@@ -2065,6 +2065,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
+      if (q-str >= 16)
+        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -2073,6 +2075,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
+          if (q-str >= 32)
+            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
+index 63c6a22..ee84518 100644
+--- a/test/ares-test-init.cc
+++ b/test/ares-test-init.cc
+@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {
+ 
+ TEST_F(DefaultChannelTest, SetSortlistFailures) {
+   EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
+  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
+  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
+ }
+-- 
+2.37.3
+
--- a/SOURCES/0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch
+++ b/SOURCES/0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch
@ -0,0 +1,82 @@
+From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
+From: Brad House <brad@brad-house.com>
+Date: Mon, 22 May 2023 06:51:49 -0400
+Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
+
+---
+ ares_process.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/ares_process.c b/ares_process.c
+index bf0cde4..6cac0a9 100644
+--- a/ares_process.c
+++ b/ares_process.c
+@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+ {
+   struct server_state *server;
+   int i;
+-  ares_ssize_t count;
+  ares_ssize_t read_len;
+   unsigned char buf[MAXENDSSZ + 1];
+ #ifdef HAVE_RECVFROM
+   ares_socklen_t fromlen;
+@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+       /* To reduce event loop overhead, read and process as many
+        * packets as we can. */
+       do {
+-        if (server->udp_socket == ARES_SOCKET_BAD)
+-          count = 0;
+-
+-        else {
+-          if (server->addr.family == AF_INET)
+        if (server->udp_socket == ARES_SOCKET_BAD) {
+          read_len = -1;
+        } else {
+          if (server->addr.family == AF_INET) {
+             fromlen = sizeof(from.sa4);
+-          else
+          } else {
+             fromlen = sizeof(from.sa6);
+-          count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+-                                  sizeof(buf), 0, &from.sa, &fromlen);
+          }
+          read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+                                     sizeof(buf), 0, &from.sa, &fromlen);
+         }
+ 
+-        if (count == -1 && try_again(SOCKERRNO))
+        if (read_len == 0) {
+          /* UDP is connectionless, so result code of 0 is a 0-length UDP
+           * packet, and not an indication the connection is closed like on
+           * tcp */
+           continue;
+-        else if (count <= 0)
+        } else if (read_len < 0) {
+          if (try_again(SOCKERRNO))
+            continue;
+
+           handle_error(channel, i, now);
+
+ #ifdef HAVE_RECVFROM
+-        else if (!same_address(&from.sa, &server->addr))
+        } else if (!same_address(&from.sa, &server->addr)) {
+           /* The address the response comes from does not match the address we
+            * sent the request to. Someone may be attempting to perform a cache
+            * poisoning attack. */
+-          break;
+          continue;
+ #endif
+-        else
+-          process_answer(channel, buf, (int)count, i, 0, now);
+-       } while (count > 0);
+
+        } else {
+          process_answer(channel, buf, (int)read_len, i, 0, now);
+        }
+      } while (read_len >= 0);
+     }
+ }
+ 
+-- 
+2.38.1
+
--- a/SPECS/c-ares.spec
+++ b/SPECS/c-ares.spec
@ -1,7 +1,7 @@
 Summary: A library that performs asynchronous DNS operations
 Name: c-ares
 Version: 1.13.0
-Release: 6%{?dist}
+Release: 8%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://c-ares.haxx.se/
@ -10,6 +10,8 @@ Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz
 Source1: LICENSE
 Patch0: 0001-Use-RPM-compiler-options.patch
 Patch1: 0002-fix-CVE-2021-3672.patch
+Patch2: 0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch
+Patch3: 0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

@ -36,6 +38,8 @@ compile applications or shared objects that use c-ares.
 %setup -q
 %patch0 -p1 -b .optflags
 %patch1 -p1 -b .dns
+%patch2 -p1 -b .sortlist
+%patch3 -p1 -b .udp

 cp %{SOURCE1} .
 f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f
@ -74,6 +78,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/ares_*

 %changelog
+* Mon May 29 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-8
+- Resolves: rhbz#2209517 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-8.9.0]
+
+* Fri May 12 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-7
+- Resolves: rhbz#2170867 - c-ares: buffer overflow in config_sortlist() due to missing string length check [rhel-8]
+
 * Fri Oct 15 2021 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-6
 - Resolves: rhbz#1989425 - CVE-2021-3672 c-ares: missing input validation of host names may lead to Domain Hijacking [rhel-8]