From 6ad6954deb9202f7d8f70c33a53a747323a69a05 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 27 Sep 2023 12:44:44 +0000 Subject: [PATCH] import CS c-ares-1.13.0-8.el8 --- ...k-in-config_sortlist-to-avoid-stack-.patch | 64 +++++++++++++++ ...ull-request-from-GHSA-9g78-jv2r-p7vc.patch | 82 +++++++++++++++++++ SPECS/c-ares.spec | 12 ++- 3 files changed, 157 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch create mode 100644 SOURCES/0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch diff --git a/SOURCES/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch b/SOURCES/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch new file mode 100644 index 0000000..ed2edf9 --- /dev/null +++ b/SOURCES/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch @@ -0,0 +1,64 @@ +From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001 +From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> +Date: Wed, 18 Jan 2023 22:14:26 +0800 +Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow + (#497) + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Fix By: @hopper-vul +--- + ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/ares_init.c b/ares_init.c +index f7b700b..5aad7c8 100644 +--- a/ares_init.c ++++ b/ares_init.c +@@ -2065,6 +2065,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -2073,6 +2075,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index 63c6a22..ee84518 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } +-- +2.37.3 + diff --git a/SOURCES/0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch b/SOURCES/0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch new file mode 100644 index 0000000..70f7e36 --- /dev/null +++ b/SOURCES/0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch @@ -0,0 +1,82 @@ +From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001 +From: Brad House +Date: Mon, 22 May 2023 06:51:49 -0400 +Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc + +--- + ares_process.c | 41 +++++++++++++++++++++++++---------------- + 1 file changed, 25 insertions(+), 16 deletions(-) + +diff --git a/ares_process.c b/ares_process.c +index bf0cde4..6cac0a9 100644 +--- a/ares_process.c ++++ b/ares_process.c +@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + { + struct server_state *server; + int i; +- ares_ssize_t count; ++ ares_ssize_t read_len; + unsigned char buf[MAXENDSSZ + 1]; + #ifdef HAVE_RECVFROM + ares_socklen_t fromlen; +@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + /* To reduce event loop overhead, read and process as many + * packets as we can. */ + do { +- if (server->udp_socket == ARES_SOCKET_BAD) +- count = 0; +- +- else { +- if (server->addr.family == AF_INET) ++ if (server->udp_socket == ARES_SOCKET_BAD) { ++ read_len = -1; ++ } else { ++ if (server->addr.family == AF_INET) { + fromlen = sizeof(from.sa4); +- else ++ } else { + fromlen = sizeof(from.sa6); +- count = socket_recvfrom(channel, server->udp_socket, (void *)buf, +- sizeof(buf), 0, &from.sa, &fromlen); ++ } ++ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf, ++ sizeof(buf), 0, &from.sa, &fromlen); + } + +- if (count == -1 && try_again(SOCKERRNO)) ++ if (read_len == 0) { ++ /* UDP is connectionless, so result code of 0 is a 0-length UDP ++ * packet, and not an indication the connection is closed like on ++ * tcp */ + continue; +- else if (count <= 0) ++ } else if (read_len < 0) { ++ if (try_again(SOCKERRNO)) ++ continue; ++ + handle_error(channel, i, now); ++ + #ifdef HAVE_RECVFROM +- else if (!same_address(&from.sa, &server->addr)) ++ } else if (!same_address(&from.sa, &server->addr)) { + /* The address the response comes from does not match the address we + * sent the request to. Someone may be attempting to perform a cache + * poisoning attack. */ +- break; ++ continue; + #endif +- else +- process_answer(channel, buf, (int)count, i, 0, now); +- } while (count > 0); ++ ++ } else { ++ process_answer(channel, buf, (int)read_len, i, 0, now); ++ } ++ } while (read_len >= 0); + } + } + +-- +2.38.1 + diff --git a/SPECS/c-ares.spec b/SPECS/c-ares.spec index 0a692cf..080773b 100644 --- a/SPECS/c-ares.spec +++ b/SPECS/c-ares.spec @@ -1,7 +1,7 @@ Summary: A library that performs asynchronous DNS operations Name: c-ares Version: 1.13.0 -Release: 6%{?dist} +Release: 8%{?dist} License: MIT Group: System Environment/Libraries URL: http://c-ares.haxx.se/ @@ -10,6 +10,8 @@ Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz Source1: LICENSE Patch0: 0001-Use-RPM-compiler-options.patch Patch1: 0002-fix-CVE-2021-3672.patch +Patch2: 0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch +Patch3: 0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,6 +38,8 @@ compile applications or shared objects that use c-ares. %setup -q %patch0 -p1 -b .optflags %patch1 -p1 -b .dns +%patch2 -p1 -b .sortlist +%patch3 -p1 -b .udp cp %{SOURCE1} . f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f @@ -74,6 +78,12 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/ares_* %changelog +* Mon May 29 2023 Alexey Tikhonov - 1.13.0-8 +- Resolves: rhbz#2209517 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-8.9.0] + +* Fri May 12 2023 Alexey Tikhonov - 1.13.0-7 +- Resolves: rhbz#2170867 - c-ares: buffer overflow in config_sortlist() due to missing string length check [rhel-8] + * Fri Oct 15 2021 Alexey Tikhonov - 1.13.0-6 - Resolves: rhbz#1989425 - CVE-2021-3672 c-ares: missing input validation of host names may lead to Domain Hijacking [rhel-8]