From e6ad467a79d52695727df75f317fa2f361259d81 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Tue, 26 Mar 2024 18:18:57 +0100
Subject: [PATCH] Resolves: RHEL-30025 - Out of bounds read in ares__read_line() [rhel-10.0]
---
...ull-request-from-GHSA-mg26-v6qh-x48q.patch | 31 ++++++++++++++
0001-Use-RPM-compiler-options.patch | 41 -------------------
c-ares.spec | 6 ++-
3 files changed, 36 insertions(+), 42 deletions(-)
create mode 100644 0001-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
delete mode 100644 0001-Use-RPM-compiler-options.patch
diff --git a/0001-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch b/0001-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
new file mode 100644
index 0000000..88883c8
--- /dev/null
+++ b/0001-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
@@ -0,0 +1,31 @@
+From a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001
+From: Brad House
+Date: Thu, 22 Feb 2024 16:23:33 -0500
+Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q
+
+---
+ src/lib/ares__read_line.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index d65ac1f..018f55e 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -59,6 +59,14 @@ ares_status_t ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+ return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+ }
+ len = offset + ares_strlen(*buf + offset);
++
++ /* Probably means there was an embedded NULL as the first character in
++ * the line, throw away line */
++ if (len == 0) {
++ offset = 0;
++ continue;
++ }
++
+ if ((*buf)[len - 1] == '\n') {
+ (*buf)[len - 1] = 0;
+ break;
+--
+2.42.0
+
diff --git a/0001-Use-RPM-compiler-options.patch b/0001-Use-RPM-compiler-options.patch
deleted file mode 100644
index 721b713..0000000
--- a/0001-Use-RPM-compiler-options.patch
+++ /dev/null
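Review bot: The comment on the new `len == 0` guard in ares__read_line() does not record why the guard matters and calls the byte "NULL"; I would reword it to `/* A line that starts with a NUL byte gives len == 0; skip it so (*buf)[len - 1] below cannot read before the buffer */`. The guard covers only a NUL at offset 0: a NUL later in the line still shortens `len` through ares_strlen(), so the rest of that read appears to be dropped silently, which is memory-safe but worth stating in the function's documentation. If the skipped line is longer than the current buffer, the `continue` presumably lets the next read return its tail as a fresh line; confirm against the read call, which lies outside this hunk along with the rest of the loop. The backported patch touches only src/lib/ares__read_line.c, so no regression test accompanies the fix.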
@@ -1,41 +0,0 @@
-From 7dada62a77e061c752123e672e844386ff3b01ea Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher
-Date: Wed, 10 Apr 2013 12:32:44 -0400
-Subject: [PATCH] Use RPM compiler options
-
----
- m4/cares-compilers.m4 | 19 ++++++-------------
- 1 file changed, 6 insertions(+), 13 deletions(-)
-
-diff --git a/m4/cares-compilers.m4 b/m4/cares-compilers.m4
-index 7ee8e0dbe741c1a64149a0d20b826f507b3ec620..d7708230fb5628ae80fbf1052da0d2c78ebbc160 100644
---- a/m4/cares-compilers.m4
-+++ b/m4/cares-compilers.m4
-@@ -143,19 +143,12 @@ AC_DEFUN([CARES_CHECK_COMPILER_GNU_C], [
- gccvhi=`echo $gccver | cut -d . -f1`
- gccvlo=`echo $gccver | cut -d . -f2`
- compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
-- flags_dbg_all="-g -g0 -g1 -g2 -g3"
-- flags_dbg_all="$flags_dbg_all -ggdb"
-- flags_dbg_all="$flags_dbg_all -gstabs"
-- flags_dbg_all="$flags_dbg_all -gstabs+"
-- flags_dbg_all="$flags_dbg_all -gcoff"
-- flags_dbg_all="$flags_dbg_all -gxcoff"
-- flags_dbg_all="$flags_dbg_all -gdwarf-2"
-- flags_dbg_all="$flags_dbg_all -gvms"
-- flags_dbg_yes="-g"
-- flags_dbg_off="-g0"
-- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
-- flags_opt_yes="-O2"
-- flags_opt_off="-O0"
-+ flags_dbg_all=""
-+ flags_dbg_yes=""
-+ flags_dbg_off=""
-+ flags_opt_all=""
-+ flags_opt_yes=""
-+ flags_opt_off=""
- CURL_CHECK_DEF([_WIN32], [], [silent])
- else
- AC_MSG_RESULT([no])
---
-1.8.1.4
diff --git a/c-ares.spec b/c-ares.spec
index 2e41a08..8c52f5f 100644
--- a/c-ares.spec
+++ b/c-ares.spec
@@ -3,10 +3,11 @@
 Summary: A library that performs asynchronous DNS operations
 Name: c-ares
 Version: 1.25.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT
 URL: http://c-ares.org/
 Source0: http://c-ares.org/download/%{name}-%{version}.tar.gz
+Patch0: 0001-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
 BuildRequires: gcc
 %if %{use_cmake}
 BuildRequires: cmake
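Review bot: `Patch0:` is declared in this hunk, but none of the visible spec hunks shows the patch being applied. The %prep section lies outside the diff, so confirm it uses `%autosetup -p1` or an explicit `%patch` for Patch0; otherwise the build would ship 1.25.0 without the ares__read_line() fix while the changelog claims it. A build-time check that the patched source contains the `len == 0` guard would catch that case. The commit also deletes 0001-Use-RPM-compiler-options.patch without removing any `Patch` line in the visible hunks, which suggests the file was already unused; a changelog line saying so would keep the security fix and the cleanup distinguishable.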
@@ -80,6 +81,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la %{_mandir}/man3/ares_* %changelog +* Tue Mar 26 2024 Alexey Tikhonov - 1.25.0-4 +- Resolves: RHEL-30025 - Out of bounds read in ares__read_line() [rhel-10.0] + * Tue Jan 23 2024 Fedora Release Engineering - 1.25.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild