rpms/c-ares
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS c-ares-1.13.0-10.el8

Browse Source
This commit is contained in:
eabdullin 2023-11-15 07:56:41 +00:00
parent 0c9b6e0a08
commit 91c235622b
5 changed files with 408 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
SOURCES/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch Normal file
View File

@ -0,0 +1,64 @@
From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
Date: Wed, 18 Jan 2023 22:14:26 +0800
Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow
(#497)
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.
However, ares_set_sortlist has not any checks about the validity of the input str.
It is very easy to create an arbitrary length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially cause severe
security impact in practical programs.
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.
fixes #496
Fix By: @hopper-vul
---
ares_init.c | 4 ++++
test/ares-test-init.cc | 2 ++
2 files changed, 6 insertions(+)
diff --git a/ares_init.c b/ares_init.c
index f7b700b..5aad7c8 100644
--- a/ares_init.c
+++ b/ares_init.c
@@ -2065,6 +2065,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
q = str;
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 16)
+ return ARES_EBADSTR;
memcpy(ipbuf, str, q-str);
ipbuf[q-str] = '\0';
/* Find the prefix */
@@ -2073,6 +2075,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
const char *str2 = q+1;
while (*q && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 32)
+ return ARES_EBADSTR;
memcpy(ipbufpfx, str, q-str);
ipbufpfx[q-str] = '\0';
str = str2;
diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
index 63c6a22..ee84518 100644
--- a/test/ares-test-init.cc
+++ b/test/ares-test-init.cc
@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {
TEST_F(DefaultChannelTest, SetSortlistFailures) {
EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
}
--
2.37.3

0
SOURCES/0003-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch → SOURCES/0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch
View File

30
SOURCES/0005-avoid-read-heap-buffer-overflow-332.patch Normal file
View File

@ -0,0 +1,30 @@
From 65f83b8bf15a128524ef5fe26e1f1e219ee9b872 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 1 Sep 2023 20:00:12 +0200
Subject: [PATCH] avoid read-heap-buffer-overflow (#332)
Fix invalid read in ares_parse_soa_reply.c found during fuzzing
Fixes Bug: #333
Fix By: lutianxiong (@ltx2018)
---
ares_parse_soa_reply.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ares_parse_soa_reply.c b/ares_parse_soa_reply.c
index 35af0a7..5924bbc 100644
--- a/ares_parse_soa_reply.c
+++ b/ares_parse_soa_reply.c
@@ -65,6 +65,9 @@ ares_parse_soa_reply(const unsigned char *abuf, int alen,
status = ares__expand_name_for_response(aptr, abuf, alen, &qname, &len);
if (status != ARES_SUCCESS)
goto failed_stat;
+
+ if (alen <= len + HFIXEDSZ + 1)
+ goto failed;
aptr += len;
/* skip qtype & qclass */
--
2.38.1

294
SOURCES/0006-Merge-pull-request-from-GHSA-x6mf-cxr9-8q6v.patch Normal file
View File

@ -0,0 +1,294 @@
From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001
From: Brad House <brad@brad-house.com>
Date: Mon, 22 May 2023 06:51:34 -0400
Subject: [PATCH] Merge pull request from GHSA-x6mf-cxr9-8q6v
* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares.
* Always use our own IP conversion functions now, do not delegate to OS
so we can have consistency in testing and fuzzing.
Fix By: Brad House (@bradh352)
---
inet_net_pton.c | 155 ++++++++++++++++++++-----------------
diff --git a/inet_net_pton.c b/inet_net_pton.c
index 840de50..fc50425 100644
--- a/inet_net_pton.c
+++ b/inet_net_pton.c
@@ -1,19 +1,20 @@
/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2012 by Gilles Chehade <gilles@openbsd.org>
* Copyright (c) 1996,1999 by Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
*/
#include "ares_setup.h"
@@ -35,9 +36,6 @@
const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } };
-
-#ifndef HAVE_INET_NET_PTON
-
/*
* static int
* inet_net_pton_ipv4(src, dst, size)
@@ -60,7 +58,7 @@ const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,
* Paul Vixie (ISC), June 1996
*/
static int
-inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size)
+ares_inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size)
{
static const char xdigits[] = "0123456789abcdef";
static const char digits[] = "0123456789";
@@ -261,19 +259,14 @@ getv4(const char *src, unsigned char *dst, int *bitsp)
}
static int
-inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
+ares_inet_pton6(const char *src, unsigned char *dst)
{
static const char xdigits_l[] = "0123456789abcdef",
- xdigits_u[] = "0123456789ABCDEF";
+ xdigits_u[] = "0123456789ABCDEF";
unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
const char *xdigits, *curtok;
- int ch, saw_xdigit;
+ int ch, saw_xdigit, count_xdigit;
unsigned int val;
- int digits;
- int bits;
- size_t bytes;
- int words;
- int ipv4;
memset((tp = tmp), '\0', NS_IN6ADDRSZ);
endp = tp + NS_IN6ADDRSZ;
@@ -283,22 +276,22 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
if (*++src != ':')
goto enoent;
curtok = src;
- saw_xdigit = 0;
+ saw_xdigit = count_xdigit = 0;
val = 0;
- digits = 0;
- bits = -1;
- ipv4 = 0;
while ((ch = *src++) != '\0') {
const char *pch;
if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
pch = strchr((xdigits = xdigits_u), ch);
if (pch != NULL) {
+ if (count_xdigit >= 4)
+ goto enoent;
val <<= 4;
- val |= aresx_sztoui(pch - xdigits);
- if (++digits > 4)
+ val |= (pch - xdigits);
+ if (val > 0xffff)
goto enoent;
saw_xdigit = 1;
+ count_xdigit++;
continue;
}
if (ch == ':') {
@@ -308,78 +301,107 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
goto enoent;
colonp = tp;
continue;
- } else if (*src == '\0')
+ } else if (*src == '\0') {
goto enoent;
+ }
if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (unsigned char)((val >> 8) & 0xff);
- *tp++ = (unsigned char)(val & 0xff);
+ goto enoent;
+ *tp++ = (unsigned char) (val >> 8) & 0xff;
+ *tp++ = (unsigned char) val & 0xff;
saw_xdigit = 0;
- digits = 0;
+ count_xdigit = 0;
val = 0;
continue;
}
if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- getv4(curtok, tp, &bits) > 0) {
- tp += NS_INADDRSZ;
+ ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) {
+ tp += INADDRSZ;
saw_xdigit = 0;
- ipv4 = 1;
+ count_xdigit = 0;
break; /* '\0' was seen by inet_pton4(). */
}
- if (ch == '/' && getbits(src, &bits) > 0)
- break;
goto enoent;
}
if (saw_xdigit) {
if (tp + NS_INT16SZ > endp)
goto enoent;
- *tp++ = (unsigned char)((val >> 8) & 0xff);
- *tp++ = (unsigned char)(val & 0xff);
+ *tp++ = (unsigned char) (val >> 8) & 0xff;
+ *tp++ = (unsigned char) val & 0xff;
}
- if (bits == -1)
- bits = 128;
-
- words = (bits + 15) / 16;
- if (words < 2)
- words = 2;
- if (ipv4)
- words = 8;
- endp = tmp + 2 * words;
-
if (colonp != NULL) {
/*
* Since some memmove()'s erroneously fail to handle
* overlapping regions, we'll do the shift by hand.
*/
- const ares_ssize_t n = tp - colonp;
- ares_ssize_t i;
+ const int n = tp - colonp;
+ int i;
if (tp == endp)
goto enoent;
for (i = 1; i <= n; i++) {
- *(endp - i) = *(colonp + n - i);
- *(colonp + n - i) = 0;
+ endp[- i] = colonp[n - i];
+ colonp[n - i] = 0;
}
tp = endp;
}
if (tp != endp)
goto enoent;
- bytes = (bits + 7) / 8;
- if (bytes > size)
- goto emsgsize;
- memcpy(dst, tmp, bytes);
- return (bits);
+ memcpy(dst, tmp, NS_IN6ADDRSZ);
+ return (1);
- enoent:
+enoent:
SET_ERRNO(ENOENT);
return (-1);
- emsgsize:
+emsgsize:
SET_ERRNO(EMSGSIZE);
return (-1);
}
+static int
+ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
+{
+ struct ares_in6_addr in6;
+ int ret;
+ int bits;
+ size_t bytes;
+ char buf[INET6_ADDRSTRLEN + sizeof("/128")];
+ char *sep;
+ const char *errstr;
+
+ if (strlen(src) >= sizeof buf) {
+ SET_ERRNO(EMSGSIZE);
+ return (-1);
+ }
+ strncpy(buf, src, sizeof buf);
+
+ sep = strchr(buf, '/');
+ if (sep != NULL)
+ *sep++ = '\0';
+
+ ret = ares_inet_pton6(buf, (unsigned char *)&in6);
+ if (ret != 1)
+ return (-1);
+
+ if (sep == NULL)
+ bits = 128;
+ else {
+ if (!getbits(sep, &bits)) {
+ SET_ERRNO(ENOENT);
+ return (-1);
+ }
+ }
+
+ bytes = (bits + 7) / 8;
+ if (bytes > size) {
+ SET_ERRNO(EMSGSIZE);
+ return (-1);
+ }
+ memcpy(dst, &in6, bytes);
+ return (bits);
+}
+
/*
* int
* inet_net_pton(af, src, dst, size)
@@ -403,18 +425,15 @@ ares_inet_net_pton(int af, const char *src, void *dst, size_t size)
{
switch (af) {
case AF_INET:
- return (inet_net_pton_ipv4(src, dst, size));
+ return (ares_inet_net_pton_ipv4(src, dst, size));
case AF_INET6:
- return (inet_net_pton_ipv6(src, dst, size));
+ return (ares_inet_net_pton_ipv6(src, dst, size));
default:
SET_ERRNO(EAFNOSUPPORT);
return (-1);
}
}
-#endif /* HAVE_INET_NET_PTON */
-
-#ifndef HAVE_INET_PTON
int ares_inet_pton(int af, const char *src, void *dst)
{
int result;
@@ -434,11 +453,3 @@ int ares_inet_pton(int af, const char *src, void *dst)
return 0;
return (result > -1 ? 1 : -1);
}
-#else /* HAVE_INET_PTON */
-int ares_inet_pton(int af, const char *src, void *dst)
-{
- /* just relay this to the underlying function */
- return inet_pton(af, src, dst);
-}
-
-#endif
--
2.41.0

25
SPECS/c-ares.spec
View File

@ -1,7 +1,7 @@
Summary: A library that performs asynchronous DNS operations
Name: c-ares
Version: 1.13.0
Release: 6%{?dist}.2
Release: 10%{?dist}
License: MIT
Group: System Environment/Libraries
URL: http://c-ares.haxx.se/
@ -10,7 +10,10 @@ Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz
Source1: LICENSE
Patch0: 0001-Use-RPM-compiler-options.patch
Patch1: 0002-fix-CVE-2021-3672.patch
Patch2: 0003-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch
Patch2: 0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch
Patch3: 0004-Merge-pull-request-from-GHSA-9g78-jv2r-p7vc.patch
Patch4: 0005-avoid-read-heap-buffer-overflow-332.patch
Patch5: 0006-Merge-pull-request-from-GHSA-x6mf-cxr9-8q6v.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -37,7 +40,10 @@ compile applications or shared objects that use c-ares.
%setup -q
%patch0 -p1 -b .optflags
%patch1 -p1 -b .dns
%patch2 -p1 -b .udp
%patch2 -p1 -b .sortlist
%patch3 -p1 -b .udp
%patch4 -p1 -b .buffer
%patch5 -p1 -b .underwrite
cp %{SOURCE1} .
f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f
@ -76,8 +82,17 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man3/ares_*
%changelog
* Wed May 31 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-6.1
- Resolves: rhbz#2209516 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-8.8.0.z]
* Wed Oct 4 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-10
- Resolves: RHEL-7853 - Buffer Underwrite in ares_inet_net_pton() [rhel-8]
* Fri Sep 8 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-9
- Resolves: rhbz#2235805 - read-heap-buffer-overflow in ares_parse_soa_reply [rhel-8]
* Mon May 29 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-8
- Resolves: rhbz#2209517 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-8.9.0]
* Fri May 12 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-7
- Resolves: rhbz#2170867 - c-ares: buffer overflow in config_sortlist() due to missing string length check [rhel-8]
* Fri Oct 15 2021 Alexey Tikhonov <atikhono@redhat.com> - 1.13.0-6
- Resolves: rhbz#1989425 - CVE-2021-3672 c-ares: missing input validation of host names may lead to Domain Hijacking [rhel-8]