From cd0d57697375450fb9018b89db29118c7a710b47 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Sat, 27 May 2023 17:26:19 +0200 Subject: [PATCH] Resolves: rhbz#2209564 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation [rhel-9] Resolves: rhbz#2209556 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton() [rhel-9] Resolves: rhbz#2209550 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs [rhel-9] Resolves: rhbz#2209520 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-9.3.0] Resolves: rhbz#2210370 - Rebase c-ares for RHEL 9.3 --- .gitignore | 1 + 0002-fix-CVE-2021-3672.patch | 192 ------------------ ...k-in-config_sortlist-to-avoid-stack-.patch | 64 ------ c-ares.spec | 23 ++- sources | 2 +- 5 files changed, 17 insertions(+), 265 deletions(-) delete mode 100644 0002-fix-CVE-2021-3672.patch delete mode 100644 0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch diff --git a/.gitignore b/.gitignore index e1295ec..0c5da7c 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ c-ares-1.7.3.tar.gz /c-ares-1.16.1.tar.gz /c-ares-1.17.0.tar.gz /c-ares-1.17.1.tar.gz +/c-ares-1.19.1.tar.gz diff --git a/0002-fix-CVE-2021-3672.patch b/0002-fix-CVE-2021-3672.patch deleted file mode 100644 index 670f06e..0000000 --- a/0002-fix-CVE-2021-3672.patch +++ /dev/null @@ -1,192 +0,0 @@ -From 362f91d807d293791008cdb7616d40f7784ece83 Mon Sep 17 00:00:00 2001 -From: bradh352 -Date: Fri, 11 Jun 2021 11:27:45 -0400 -Subject: [PATCH 1/2] ares_expand_name() should escape more characters - -RFC1035 5.1 specifies some reserved characters and escaping sequences -that are allowed to be specified. Expand the list of reserved characters -and also escape non-printable characters using the \DDD format as -specified in the RFC. - -Bug Reported By: philipp.jeitner@sit.fraunhofer.de -Fix By: Brad House (@bradh352) ---- - src/lib/ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c -index 407200ef..f1c874a9 100644 ---- a/src/lib/ares_expand_name.c -+++ b/src/lib/ares_expand_name.c -@@ -32,6 +32,26 @@ - static int name_length(const unsigned char *encoded, const unsigned char *abuf, - int alen); - -+/* Reserved characters for names that need to be escaped */ -+static int is_reservedch(int ch) -+{ -+ switch (ch) { -+ case '"': -+ case '.': -+ case ';': -+ case '\\': -+ case '(': -+ case ')': -+ case '@': -+ case '$': -+ return 1; -+ default: -+ break; -+ } -+ -+ return 0; -+} -+ - /* Expand an RFC1035-encoded domain name given by encoded. The - * containing message is given by abuf and alen. The result given by - * *s, which is set to a NUL-terminated allocated buffer. *enclen is -@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, - p++; - while (len--) - { -- if (*p == '.' || *p == '\\') -+ if (!isprint(*p)) { -+ /* Output as \DDD for consistency with RFC1035 5.1 */ -+ *q++ = '\\'; -+ *q++ = '0' + *p / 100; -+ *q++ = '0' + (*p % 100) / 10; -+ *q++ = '0' + (*p % 10); -+ } else if (is_reservedch(*p)) { - *q++ = '\\'; -- *q++ = *p; -+ *q++ = *p; -+ } else { -+ *q++ = *p; -+ } - p++; - } - *q++ = '.'; -@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, - encoded++; - while (offset--) - { -- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1; -+ if (!isprint(*encoded)) { -+ n += 4; -+ } else if (is_reservedch(*encoded)) { -+ n += 2; -+ } else { -+ n += 1; -+ } - encoded++; - } - n++; - -From 44c009b8e62ea1929de68e3f438181bea469ec14 Mon Sep 17 00:00:00 2001 -From: bradh352 -Date: Fri, 11 Jun 2021 12:39:24 -0400 -Subject: [PATCH 2/2] ares_expand_name(): fix formatting and handling of root - name response - -Fixes issue introduced in prior commit with formatting and handling -of parsing a root name response which should not be escaped. - -Fix By: Brad House ---- - src/lib/ares_expand_name.c | 62 ++++++++++++++++++++++++-------------- - 1 file changed, 40 insertions(+), 22 deletions(-) - -diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c -index f1c874a9..eb9268c1 100644 ---- a/src/lib/ares_expand_name.c -+++ b/src/lib/ares_expand_name.c -@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, - } - else - { -- len = *p; -+ int name_len = *p; -+ len = name_len; - p++; -+ - while (len--) - { -- if (!isprint(*p)) { -- /* Output as \DDD for consistency with RFC1035 5.1 */ -- *q++ = '\\'; -- *q++ = '0' + *p / 100; -- *q++ = '0' + (*p % 100) / 10; -- *q++ = '0' + (*p % 10); -- } else if (is_reservedch(*p)) { -- *q++ = '\\'; -- *q++ = *p; -- } else { -- *q++ = *p; -- } -+ /* Output as \DDD for consistency with RFC1035 5.1, except -+ * for the special case of a root name response */ -+ if (!isprint(*p) && !(name_len == 1 && *p == 0)) -+ { -+ -+ *q++ = '\\'; -+ *q++ = '0' + *p / 100; -+ *q++ = '0' + (*p % 100) / 10; -+ *q++ = '0' + (*p % 10); -+ } -+ else if (is_reservedch(*p)) -+ { -+ *q++ = '\\'; -+ *q++ = *p; -+ } -+ else -+ { -+ *q++ = *p; -+ } - p++; - } - *q++ = '.'; - } -- } -+ } -+ - if (!indir) - *enclen = aresx_uztosl(p + 1U - encoded); - -@@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, - } - else if (top == 0x00) - { -- offset = *encoded; -+ int name_len = *encoded; -+ offset = name_len; - if (encoded + offset + 1 >= abuf + alen) - return -1; - encoded++; -+ - while (offset--) - { -- if (!isprint(*encoded)) { -- n += 4; -- } else if (is_reservedch(*encoded)) { -- n += 2; -- } else { -- n += 1; -- } -+ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0)) -+ { -+ n += 4; -+ } -+ else if (is_reservedch(*encoded)) -+ { -+ n += 2; -+ } -+ else -+ { -+ n += 1; -+ } - encoded++; - } -+ - n++; - } - else diff --git a/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch b/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch deleted file mode 100644 index 5ca9065..0000000 --- a/0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001 -From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> -Date: Wed, 18 Jan 2023 22:14:26 +0800 -Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow - (#497) - -In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse -the input str and initialize a sortlist configuration. - -However, ares_set_sortlist has not any checks about the validity of the input str. -It is very easy to create an arbitrary length stack overflow with the unchecked -`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` -statements in the config_sortlist call, which could potentially cause severe -security impact in practical programs. - -This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the -potential stack overflows. - -fixes #496 - -Fix By: @hopper-vul ---- - src/lib/ares_init.c | 4 ++++ - test/ares-test-init.cc | 2 ++ - 2 files changed, 6 insertions(+) - -diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c -index 51668a5..3f9cec6 100644 ---- a/src/lib/ares_init.c -+++ b/src/lib/ares_init.c -@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, - q = str; - while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) - q++; -+ if (q-str >= 16) -+ return ARES_EBADSTR; - memcpy(ipbuf, str, q-str); - ipbuf[q-str] = '\0'; - /* Find the prefix */ -@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, - const char *str2 = q+1; - while (*q && *q != ';' && !ISSPACE(*q)) - q++; -+ if (q-str >= 32) -+ return ARES_EBADSTR; - memcpy(ipbufpfx, str, q-str); - ipbufpfx[q-str] = '\0'; - str = str2; -diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc -index 63c6a22..ee84518 100644 ---- a/test/ares-test-init.cc -+++ b/test/ares-test-init.cc -@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { - - TEST_F(DefaultChannelTest, SetSortlistFailures) { - EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); -+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); -+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); - EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); - EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); - } --- -2.37.3 - diff --git a/c-ares.spec b/c-ares.spec index 830e7e3..96b22ad 100644 --- a/c-ares.spec +++ b/c-ares.spec @@ -2,16 +2,15 @@ Summary: A library that performs asynchronous DNS operations Name: c-ares -Version: 1.17.1 -Release: 6%{?dist} +Version: 1.19.1 +Release: 1%{?dist} License: MIT -URL: http://c-ares.haxx.se/ -Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz +URL: http://c-ares.org/ +Source0: http://c-ares.org/download/%{name}-%{version}.tar.gz # The license can be obtained at http://c-ares.haxx.se/license.html Source1: LICENSE Patch0: 0001-Use-RPM-compiler-options.patch -Patch1: 0002-fix-CVE-2021-3672.patch -Patch2: 0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch + BuildRequires: gcc %if %{use_cmake} BuildRequires: cmake @@ -23,8 +22,8 @@ BuildRequires: libtool BuildRequires: make %description -c-ares is a C library that performs DNS requests and name resolves -asynchronously. c-ares is a fork of the library named 'ares', written +c-ares is a C library that performs DNS requests and name resolves +asynchronously. c-ares is a fork of the library named 'ares', written by Greg Hudson at MIT. %package devel @@ -74,6 +73,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la %{_includedir}/ares.h %{_includedir}/ares_build.h %{_includedir}/ares_dns.h +%{_includedir}/ares_nameser.h %{_includedir}/ares_rules.h %{_includedir}/ares_version.h %{_libdir}/*.so @@ -84,6 +84,13 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la %{_mandir}/man3/ares_* %changelog +* Fri May 26 2023 Alexey Tikhonov - 1.19.1-1 +- Resolves: rhbz#2209564 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation [rhel-9] +- Resolves: rhbz#2209556 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton() [rhel-9] +- Resolves: rhbz#2209550 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs [rhel-9] +- Resolves: rhbz#2209520 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-9.3.0] +- Resolves: rhbz#2210370 - Rebase c-ares for RHEL 9.3 + * Fri May 12 2023 Alexey Tikhonov - 1.17.1-6 - Resolves: rhbz#2170868 - c-ares: buffer overflow in config_sortlist() due to missing string length check [rhel-9] diff --git a/sources b/sources index a3f3315..566e172 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (c-ares-1.17.1.tar.gz) = b11887bcc9274d368088e1a8b6aca62414f20675cf0bc58e948f54fa04c327c39dd23cefe7509eec6397db14b550a3f6b77f5c18b3d735b3eef48ce2da1dcd00 +SHA512 (c-ares-1.19.1.tar.gz) = 466a94efda626e815a6ef7a890637056339f883d549ea6055e289fd8cd2391130e5682c905c0fb3bd7e955af7f6deb793562c170eb0ee066a4a62085a82ba470