Resolves: RHEL-26529 - Out of bounds read in ares__read_line() [rhel-9]

Resolves: rhbz#2209556 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton() [rhel-9]
Resolves: rhbz#2209550 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs [rhel-9]
Resolves: rhbz#2209520 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-9.3.0]
Resolves: rhbz#2210370 - Rebase c-ares for RHEL 9.3

.c-ares.metadata

@@ -0,0 +1 @@
+99566278e4ed4b261891aa62c8b88227bf1a2823 c-ares-1.19.1.tar.gz

.gitignore

@@ -13,3 +13,4 @@ c-ares-1.7.3.tar.gz
 /c-ares-1.16.1.tar.gz
 /c-ares-1.17.0.tar.gz
 /c-ares-1.17.1.tar.gz
+/c-ares-1.19.1.tar.gz

0002-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch

@@ -0,0 +1,33 @@
+From a59618566446044c1fa7f35ed349a273c48176fb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 11 Mar 2024 20:46:09 +0100
+Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q
+
+Backported from
+https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183
+---
+ src/lib/ares__read_line.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index c62ad2a..d6625a3 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+       if (!fgets(*buf + offset, bytestoread, fp))
+         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+       len = offset + strlen(*buf + offset);
++
++      /* Probably means there was an embedded NULL as the first character in
++       * the line, throw away line */
++      if (len == 0) {
++        offset = 0;
++        continue;
++      }
++
+       if ((*buf)[len - 1] == '\n')
+         {
+           (*buf)[len - 1] = 0;
+-- 
+2.42.0
+

0002-fix-CVE-2021-3672.patch

@@ -1,192 +0,0 @@
-From 362f91d807d293791008cdb7616d40f7784ece83 Mon Sep 17 00:00:00 2001
-From: bradh352 <brad@brad-house.com>
-Date: Fri, 11 Jun 2021 11:27:45 -0400
-Subject: [PATCH 1/2] ares_expand_name() should escape more characters
-
-RFC1035 5.1 specifies some reserved characters and escaping sequences
-that are allowed to be specified.  Expand the list of reserved characters
-and also escape non-printable characters using the \DDD format as
-specified in the RFC.
-
-Bug Reported By: philipp.jeitner@sit.fraunhofer.de
-Fix By: Brad House (@bradh352)
----
- src/lib/ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++---
- 1 file changed, 38 insertions(+), 3 deletions(-)
-
-diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c
-index 407200ef..f1c874a9 100644
---- a/src/lib/ares_expand_name.c
-+++ b/src/lib/ares_expand_name.c
-@@ -32,6 +32,26 @@
- static int name_length(const unsigned char *encoded, const unsigned char *abuf,
-                        int alen);
- 
-+/* Reserved characters for names that need to be escaped */
-+static int is_reservedch(int ch)
-+{
-+  switch (ch) {
-+    case '"':
-+    case '.':
-+    case ';':
-+    case '\\':
-+    case '(':
-+    case ')':
-+    case '@':
-+    case '$':
-+      return 1;
-+    default:
-+      break;
-+  }
-+
-+  return 0;
-+}
-+
- /* Expand an RFC1035-encoded domain name given by encoded.  The
-  * containing message is given by abuf and alen.  The result given by
-  * *s, which is set to a NUL-terminated allocated buffer.  *enclen is
-@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
-           p++;
-           while (len--)
-             {
--              if (*p == '.' || *p == '\\')
-+              if (!isprint(*p)) {
-+                /* Output as \DDD for consistency with RFC1035 5.1 */
-+                *q++ = '\\';
-+                *q++ = '0' + *p / 100;
-+                *q++ = '0' + (*p % 100) / 10;
-+                *q++ = '0' + (*p % 10);
-+              } else if (is_reservedch(*p)) {
-                 *q++ = '\\';
--              *q++ = *p;
-+                *q++ = *p;
-+              } else {
-+                *q++ = *p;
-+              }
-               p++;
-             }
-           *q++ = '.';
-@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
-           encoded++;
-           while (offset--)
-             {
--              n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
-+              if (!isprint(*encoded)) {
-+                n += 4;
-+              } else if (is_reservedch(*encoded)) {
-+                n += 2;
-+              } else {
-+                n += 1;
-+              }
-               encoded++;
-             }
-           n++;
-
-From 44c009b8e62ea1929de68e3f438181bea469ec14 Mon Sep 17 00:00:00 2001
-From: bradh352 <brad@brad-house.com>
-Date: Fri, 11 Jun 2021 12:39:24 -0400
-Subject: [PATCH 2/2] ares_expand_name(): fix formatting and handling of root
- name response
-
-Fixes issue introduced in prior commit with formatting and handling
-of parsing a root name response which should not be escaped.
-
-Fix By: Brad House
----
- src/lib/ares_expand_name.c | 62 ++++++++++++++++++++++++--------------
- 1 file changed, 40 insertions(+), 22 deletions(-)
-
-diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c
-index f1c874a9..eb9268c1 100644
---- a/src/lib/ares_expand_name.c
-+++ b/src/lib/ares_expand_name.c
-@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
-         }
-       else
-         {
--          len = *p;
-+          int name_len = *p;
-+          len = name_len;
-           p++;
-+
-           while (len--)
-             {
--              if (!isprint(*p)) {
--                /* Output as \DDD for consistency with RFC1035 5.1 */
--                *q++ = '\\';
--                *q++ = '0' + *p / 100;
--                *q++ = '0' + (*p % 100) / 10;
--                *q++ = '0' + (*p % 10);
--              } else if (is_reservedch(*p)) {
--                *q++ = '\\';
--                *q++ = *p;
--              } else {
--                *q++ = *p;
--              }
-+              /* Output as \DDD for consistency with RFC1035 5.1, except
-+               * for the special case of a root name response  */
-+              if (!isprint(*p) && !(name_len == 1 && *p == 0))
-+                {
-+
-+                  *q++ = '\\';
-+                  *q++ = '0' + *p / 100;
-+                  *q++ = '0' + (*p % 100) / 10;
-+                  *q++ = '0' + (*p % 10);
-+                }
-+              else if (is_reservedch(*p))
-+                {
-+                  *q++ = '\\';
-+                  *q++ = *p;
-+                }
-+              else
-+                {
-+                  *q++ = *p;
-+                }
-               p++;
-             }
-           *q++ = '.';
-         }
--    }
-+     }
-+
-   if (!indir)
-     *enclen = aresx_uztosl(p + 1U - encoded);
- 
-@@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
-         }
-       else if (top == 0x00)
-         {
--          offset = *encoded;
-+          int name_len = *encoded;
-+          offset = name_len;
-           if (encoded + offset + 1 >= abuf + alen)
-             return -1;
-           encoded++;
-+
-           while (offset--)
-             {
--              if (!isprint(*encoded)) {
--                n += 4;
--              } else if (is_reservedch(*encoded)) {
--                n += 2;
--              } else {
--                n += 1;
--              }
-+              if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
-+                {
-+                  n += 4;
-+                }
-+              else if (is_reservedch(*encoded))
-+                {
-+                  n += 2;
-+                }
-+              else
-+                {
-+                  n += 1;
-+                }
-               encoded++;
-             }
-+
-           n++;
-         }
-       else

0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch

@@ -1,64 +0,0 @@
-From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001
-From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
-Date: Wed, 18 Jan 2023 22:14:26 +0800
-Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow
- (#497)
-
-In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
-the input str and initialize a sortlist configuration.
-
-However, ares_set_sortlist has not any checks about the validity of the input str.
-It is very easy to create an arbitrary length stack overflow with the unchecked
-`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
-statements in the config_sortlist call, which could potentially cause severe
-security impact in practical programs.
-
-This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
-potential stack overflows.
-
-fixes #496
-
-Fix By: @hopper-vul
----
- src/lib/ares_init.c    | 4 ++++
- test/ares-test-init.cc | 2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c
-index 51668a5..3f9cec6 100644
---- a/src/lib/ares_init.c
-+++ b/src/lib/ares_init.c
-@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
-       q = str;
-       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
-         q++;
-+      if (q-str >= 16)
-+        return ARES_EBADSTR;
-       memcpy(ipbuf, str, q-str);
-       ipbuf[q-str] = '\0';
-       /* Find the prefix */
-@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
-           const char *str2 = q+1;
-           while (*q && *q != ';' && !ISSPACE(*q))
-             q++;
-+          if (q-str >= 32)
-+            return ARES_EBADSTR;
-           memcpy(ipbufpfx, str, q-str);
-           ipbufpfx[q-str] = '\0';
-           str = str2;
-diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
-index 63c6a22..ee84518 100644
---- a/test/ares-test-init.cc
-+++ b/test/ares-test-init.cc
-@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {
- 
- TEST_F(DefaultChannelTest, SetSortlistFailures) {
-   EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
-+  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
-+  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
-   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
-   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
- }
--- 
-2.37.3
-

c-ares.spec

@@ -2,16 +2,16 @@
 
 Summary: A library that performs asynchronous DNS operations
 Name: c-ares
-Version: 1.17.1
-Release: 6%{?dist}
+Version: 1.19.1
+Release: 2%{?dist}
 License: MIT
-URL: http://c-ares.haxx.se/
-Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz
+URL: http://c-ares.org/
+Source0: http://c-ares.org/download/%{name}-%{version}.tar.gz
 # The license can be obtained at http://c-ares.haxx.se/license.html
 Source1: LICENSE
 Patch0: 0001-Use-RPM-compiler-options.patch
-Patch1: 0002-fix-CVE-2021-3672.patch
-Patch2: 0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch
+Patch1: 0002-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
+
 BuildRequires: gcc
 %if %{use_cmake}
 BuildRequires: cmake
@@ -23,8 +23,8 @@ BuildRequires: libtool
 BuildRequires: make
 
 %description
-c-ares is a C library that performs DNS requests and name resolves 
-asynchronously. c-ares is a fork of the library named 'ares', written 
+c-ares is a C library that performs DNS requests and name resolves
+asynchronously. c-ares is a fork of the library named 'ares', written
 by Greg Hudson at MIT.
 
 %package devel
@@ -74,6 +74,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la
 %{_includedir}/ares.h
 %{_includedir}/ares_build.h
 %{_includedir}/ares_dns.h
+%{_includedir}/ares_nameser.h
 %{_includedir}/ares_rules.h
 %{_includedir}/ares_version.h
 %{_libdir}/*.so
@@ -84,6 +85,16 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la
 %{_mandir}/man3/ares_*
 
 %changelog
+* Mon Mar 11 2024 Alexey Tikhonov <atikhono@redhat.com> - 1.19.1-2
+- Resolves: RHEL-26529 - Out of bounds read in ares__read_line() [rhel-9]
+
+* Fri May 26 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.19.1-1
+- Resolves: rhbz#2209564 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation [rhel-9]
+- Resolves: rhbz#2209556 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton() [rhel-9]
+- Resolves: rhbz#2209550 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs [rhel-9]
+- Resolves: rhbz#2209520 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-9.3.0]
+- Resolves: rhbz#2210370 - Rebase c-ares for RHEL 9.3
+
 * Fri May 12 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.17.1-6
 - Resolves: rhbz#2170868 - c-ares: buffer overflow in config_sortlist() due to missing string length check [rhel-9]
 

sources

@@ -1 +1 @@
-SHA512 (c-ares-1.17.1.tar.gz) = b11887bcc9274d368088e1a8b6aca62414f20675cf0bc58e948f54fa04c327c39dd23cefe7509eec6397db14b550a3f6b77f5c18b3d735b3eef48ce2da1dcd00
+SHA512 (c-ares-1.19.1.tar.gz) = 466a94efda626e815a6ef7a890637056339f883d549ea6055e289fd8cd2391130e5682c905c0fb3bd7e955af7f6deb793562c170eb0ee066a4a62085a82ba470