Compare commits
2 Commits
ab5fb5dd06
...
6543b2b22f
Author | SHA1 | Date | |
---|---|---|---|
|
6543b2b22f | ||
|
cd0d576973 |
1
.c-ares.metadata
Normal file
1
.c-ares.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
99566278e4ed4b261891aa62c8b88227bf1a2823 c-ares-1.19.1.tar.gz
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -13,3 +13,4 @@ c-ares-1.7.3.tar.gz
|
|||||||
/c-ares-1.16.1.tar.gz
|
/c-ares-1.16.1.tar.gz
|
||||||
/c-ares-1.17.0.tar.gz
|
/c-ares-1.17.0.tar.gz
|
||||||
/c-ares-1.17.1.tar.gz
|
/c-ares-1.17.1.tar.gz
|
||||||
|
/c-ares-1.19.1.tar.gz
|
||||||
|
33
0002-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
Normal file
33
0002-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From a59618566446044c1fa7f35ed349a273c48176fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Mon, 11 Mar 2024 20:46:09 +0100
|
||||||
|
Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q
|
||||||
|
|
||||||
|
Backported from
|
||||||
|
https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183
|
||||||
|
---
|
||||||
|
src/lib/ares__read_line.c | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
|
||||||
|
index c62ad2a..d6625a3 100644
|
||||||
|
--- a/src/lib/ares__read_line.c
|
||||||
|
+++ b/src/lib/ares__read_line.c
|
||||||
|
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
|
||||||
|
if (!fgets(*buf + offset, bytestoread, fp))
|
||||||
|
return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
|
||||||
|
len = offset + strlen(*buf + offset);
|
||||||
|
+
|
||||||
|
+ /* Probably means there was an embedded NULL as the first character in
|
||||||
|
+ * the line, throw away line */
|
||||||
|
+ if (len == 0) {
|
||||||
|
+ offset = 0;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((*buf)[len - 1] == '\n')
|
||||||
|
{
|
||||||
|
(*buf)[len - 1] = 0;
|
||||||
|
--
|
||||||
|
2.42.0
|
||||||
|
|
@ -1,192 +0,0 @@
|
|||||||
From 362f91d807d293791008cdb7616d40f7784ece83 Mon Sep 17 00:00:00 2001
|
|
||||||
From: bradh352 <brad@brad-house.com>
|
|
||||||
Date: Fri, 11 Jun 2021 11:27:45 -0400
|
|
||||||
Subject: [PATCH 1/2] ares_expand_name() should escape more characters
|
|
||||||
|
|
||||||
RFC1035 5.1 specifies some reserved characters and escaping sequences
|
|
||||||
that are allowed to be specified. Expand the list of reserved characters
|
|
||||||
and also escape non-printable characters using the \DDD format as
|
|
||||||
specified in the RFC.
|
|
||||||
|
|
||||||
Bug Reported By: philipp.jeitner@sit.fraunhofer.de
|
|
||||||
Fix By: Brad House (@bradh352)
|
|
||||||
---
|
|
||||||
src/lib/ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++---
|
|
||||||
1 file changed, 38 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c
|
|
||||||
index 407200ef..f1c874a9 100644
|
|
||||||
--- a/src/lib/ares_expand_name.c
|
|
||||||
+++ b/src/lib/ares_expand_name.c
|
|
||||||
@@ -32,6 +32,26 @@
|
|
||||||
static int name_length(const unsigned char *encoded, const unsigned char *abuf,
|
|
||||||
int alen);
|
|
||||||
|
|
||||||
+/* Reserved characters for names that need to be escaped */
|
|
||||||
+static int is_reservedch(int ch)
|
|
||||||
+{
|
|
||||||
+ switch (ch) {
|
|
||||||
+ case '"':
|
|
||||||
+ case '.':
|
|
||||||
+ case ';':
|
|
||||||
+ case '\\':
|
|
||||||
+ case '(':
|
|
||||||
+ case ')':
|
|
||||||
+ case '@':
|
|
||||||
+ case '$':
|
|
||||||
+ return 1;
|
|
||||||
+ default:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* Expand an RFC1035-encoded domain name given by encoded. The
|
|
||||||
* containing message is given by abuf and alen. The result given by
|
|
||||||
* *s, which is set to a NUL-terminated allocated buffer. *enclen is
|
|
||||||
@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
|
|
||||||
p++;
|
|
||||||
while (len--)
|
|
||||||
{
|
|
||||||
- if (*p == '.' || *p == '\\')
|
|
||||||
+ if (!isprint(*p)) {
|
|
||||||
+ /* Output as \DDD for consistency with RFC1035 5.1 */
|
|
||||||
+ *q++ = '\\';
|
|
||||||
+ *q++ = '0' + *p / 100;
|
|
||||||
+ *q++ = '0' + (*p % 100) / 10;
|
|
||||||
+ *q++ = '0' + (*p % 10);
|
|
||||||
+ } else if (is_reservedch(*p)) {
|
|
||||||
*q++ = '\\';
|
|
||||||
- *q++ = *p;
|
|
||||||
+ *q++ = *p;
|
|
||||||
+ } else {
|
|
||||||
+ *q++ = *p;
|
|
||||||
+ }
|
|
||||||
p++;
|
|
||||||
}
|
|
||||||
*q++ = '.';
|
|
||||||
@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
|
|
||||||
encoded++;
|
|
||||||
while (offset--)
|
|
||||||
{
|
|
||||||
- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1;
|
|
||||||
+ if (!isprint(*encoded)) {
|
|
||||||
+ n += 4;
|
|
||||||
+ } else if (is_reservedch(*encoded)) {
|
|
||||||
+ n += 2;
|
|
||||||
+ } else {
|
|
||||||
+ n += 1;
|
|
||||||
+ }
|
|
||||||
encoded++;
|
|
||||||
}
|
|
||||||
n++;
|
|
||||||
|
|
||||||
From 44c009b8e62ea1929de68e3f438181bea469ec14 Mon Sep 17 00:00:00 2001
|
|
||||||
From: bradh352 <brad@brad-house.com>
|
|
||||||
Date: Fri, 11 Jun 2021 12:39:24 -0400
|
|
||||||
Subject: [PATCH 2/2] ares_expand_name(): fix formatting and handling of root
|
|
||||||
name response
|
|
||||||
|
|
||||||
Fixes issue introduced in prior commit with formatting and handling
|
|
||||||
of parsing a root name response which should not be escaped.
|
|
||||||
|
|
||||||
Fix By: Brad House
|
|
||||||
---
|
|
||||||
src/lib/ares_expand_name.c | 62 ++++++++++++++++++++++++--------------
|
|
||||||
1 file changed, 40 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c
|
|
||||||
index f1c874a9..eb9268c1 100644
|
|
||||||
--- a/src/lib/ares_expand_name.c
|
|
||||||
+++ b/src/lib/ares_expand_name.c
|
|
||||||
@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
- len = *p;
|
|
||||||
+ int name_len = *p;
|
|
||||||
+ len = name_len;
|
|
||||||
p++;
|
|
||||||
+
|
|
||||||
while (len--)
|
|
||||||
{
|
|
||||||
- if (!isprint(*p)) {
|
|
||||||
- /* Output as \DDD for consistency with RFC1035 5.1 */
|
|
||||||
- *q++ = '\\';
|
|
||||||
- *q++ = '0' + *p / 100;
|
|
||||||
- *q++ = '0' + (*p % 100) / 10;
|
|
||||||
- *q++ = '0' + (*p % 10);
|
|
||||||
- } else if (is_reservedch(*p)) {
|
|
||||||
- *q++ = '\\';
|
|
||||||
- *q++ = *p;
|
|
||||||
- } else {
|
|
||||||
- *q++ = *p;
|
|
||||||
- }
|
|
||||||
+ /* Output as \DDD for consistency with RFC1035 5.1, except
|
|
||||||
+ * for the special case of a root name response */
|
|
||||||
+ if (!isprint(*p) && !(name_len == 1 && *p == 0))
|
|
||||||
+ {
|
|
||||||
+
|
|
||||||
+ *q++ = '\\';
|
|
||||||
+ *q++ = '0' + *p / 100;
|
|
||||||
+ *q++ = '0' + (*p % 100) / 10;
|
|
||||||
+ *q++ = '0' + (*p % 10);
|
|
||||||
+ }
|
|
||||||
+ else if (is_reservedch(*p))
|
|
||||||
+ {
|
|
||||||
+ *q++ = '\\';
|
|
||||||
+ *q++ = *p;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ *q++ = *p;
|
|
||||||
+ }
|
|
||||||
p++;
|
|
||||||
}
|
|
||||||
*q++ = '.';
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (!indir)
|
|
||||||
*enclen = aresx_uztosl(p + 1U - encoded);
|
|
||||||
|
|
||||||
@@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
|
|
||||||
}
|
|
||||||
else if (top == 0x00)
|
|
||||||
{
|
|
||||||
- offset = *encoded;
|
|
||||||
+ int name_len = *encoded;
|
|
||||||
+ offset = name_len;
|
|
||||||
if (encoded + offset + 1 >= abuf + alen)
|
|
||||||
return -1;
|
|
||||||
encoded++;
|
|
||||||
+
|
|
||||||
while (offset--)
|
|
||||||
{
|
|
||||||
- if (!isprint(*encoded)) {
|
|
||||||
- n += 4;
|
|
||||||
- } else if (is_reservedch(*encoded)) {
|
|
||||||
- n += 2;
|
|
||||||
- } else {
|
|
||||||
- n += 1;
|
|
||||||
- }
|
|
||||||
+ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
|
|
||||||
+ {
|
|
||||||
+ n += 4;
|
|
||||||
+ }
|
|
||||||
+ else if (is_reservedch(*encoded))
|
|
||||||
+ {
|
|
||||||
+ n += 2;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ n += 1;
|
|
||||||
+ }
|
|
||||||
encoded++;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
n++;
|
|
||||||
}
|
|
||||||
else
|
|
@ -1,64 +0,0 @@
|
|||||||
From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001
|
|
||||||
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
|
|
||||||
Date: Wed, 18 Jan 2023 22:14:26 +0800
|
|
||||||
Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow
|
|
||||||
(#497)
|
|
||||||
|
|
||||||
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
|
|
||||||
the input str and initialize a sortlist configuration.
|
|
||||||
|
|
||||||
However, ares_set_sortlist has not any checks about the validity of the input str.
|
|
||||||
It is very easy to create an arbitrary length stack overflow with the unchecked
|
|
||||||
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
|
|
||||||
statements in the config_sortlist call, which could potentially cause severe
|
|
||||||
security impact in practical programs.
|
|
||||||
|
|
||||||
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
|
|
||||||
potential stack overflows.
|
|
||||||
|
|
||||||
fixes #496
|
|
||||||
|
|
||||||
Fix By: @hopper-vul
|
|
||||||
---
|
|
||||||
src/lib/ares_init.c | 4 ++++
|
|
||||||
test/ares-test-init.cc | 2 ++
|
|
||||||
2 files changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c
|
|
||||||
index 51668a5..3f9cec6 100644
|
|
||||||
--- a/src/lib/ares_init.c
|
|
||||||
+++ b/src/lib/ares_init.c
|
|
||||||
@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
|
||||||
q = str;
|
|
||||||
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
|
|
||||||
q++;
|
|
||||||
+ if (q-str >= 16)
|
|
||||||
+ return ARES_EBADSTR;
|
|
||||||
memcpy(ipbuf, str, q-str);
|
|
||||||
ipbuf[q-str] = '\0';
|
|
||||||
/* Find the prefix */
|
|
||||||
@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
|
||||||
const char *str2 = q+1;
|
|
||||||
while (*q && *q != ';' && !ISSPACE(*q))
|
|
||||||
q++;
|
|
||||||
+ if (q-str >= 32)
|
|
||||||
+ return ARES_EBADSTR;
|
|
||||||
memcpy(ipbufpfx, str, q-str);
|
|
||||||
ipbufpfx[q-str] = '\0';
|
|
||||||
str = str2;
|
|
||||||
diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc
|
|
||||||
index 63c6a22..ee84518 100644
|
|
||||||
--- a/test/ares-test-init.cc
|
|
||||||
+++ b/test/ares-test-init.cc
|
|
||||||
@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) {
|
|
||||||
|
|
||||||
TEST_F(DefaultChannelTest, SetSortlistFailures) {
|
|
||||||
EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
|
|
||||||
+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
|
|
||||||
+ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
|
|
||||||
EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
|
|
||||||
EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
23
c-ares.spec
23
c-ares.spec
@ -2,16 +2,16 @@
|
|||||||
|
|
||||||
Summary: A library that performs asynchronous DNS operations
|
Summary: A library that performs asynchronous DNS operations
|
||||||
Name: c-ares
|
Name: c-ares
|
||||||
Version: 1.17.1
|
Version: 1.19.1
|
||||||
Release: 6%{?dist}
|
Release: 2%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://c-ares.haxx.se/
|
URL: http://c-ares.org/
|
||||||
Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz
|
Source0: http://c-ares.org/download/%{name}-%{version}.tar.gz
|
||||||
# The license can be obtained at http://c-ares.haxx.se/license.html
|
# The license can be obtained at http://c-ares.haxx.se/license.html
|
||||||
Source1: LICENSE
|
Source1: LICENSE
|
||||||
Patch0: 0001-Use-RPM-compiler-options.patch
|
Patch0: 0001-Use-RPM-compiler-options.patch
|
||||||
Patch1: 0002-fix-CVE-2021-3672.patch
|
Patch1: 0002-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
|
||||||
Patch2: 0003-Add-str-len-check-in-config_sortlist-to-avoid-stack-.patch
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
%if %{use_cmake}
|
%if %{use_cmake}
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
@ -74,6 +74,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la
|
|||||||
%{_includedir}/ares.h
|
%{_includedir}/ares.h
|
||||||
%{_includedir}/ares_build.h
|
%{_includedir}/ares_build.h
|
||||||
%{_includedir}/ares_dns.h
|
%{_includedir}/ares_dns.h
|
||||||
|
%{_includedir}/ares_nameser.h
|
||||||
%{_includedir}/ares_rules.h
|
%{_includedir}/ares_rules.h
|
||||||
%{_includedir}/ares_version.h
|
%{_includedir}/ares_version.h
|
||||||
%{_libdir}/*.so
|
%{_libdir}/*.so
|
||||||
@ -84,6 +85,16 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la
|
|||||||
%{_mandir}/man3/ares_*
|
%{_mandir}/man3/ares_*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 11 2024 Alexey Tikhonov <atikhono@redhat.com> - 1.19.1-2
|
||||||
|
- Resolves: RHEL-26529 - Out of bounds read in ares__read_line() [rhel-9]
|
||||||
|
|
||||||
|
* Fri May 26 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.19.1-1
|
||||||
|
- Resolves: rhbz#2209564 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation [rhel-9]
|
||||||
|
- Resolves: rhbz#2209556 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton() [rhel-9]
|
||||||
|
- Resolves: rhbz#2209550 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs [rhel-9]
|
||||||
|
- Resolves: rhbz#2209520 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-9.3.0]
|
||||||
|
- Resolves: rhbz#2210370 - Rebase c-ares for RHEL 9.3
|
||||||
|
|
||||||
* Fri May 12 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.17.1-6
|
* Fri May 12 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.17.1-6
|
||||||
- Resolves: rhbz#2170868 - c-ares: buffer overflow in config_sortlist() due to missing string length check [rhel-9]
|
- Resolves: rhbz#2170868 - c-ares: buffer overflow in config_sortlist() due to missing string length check [rhel-9]
|
||||||
|
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (c-ares-1.17.1.tar.gz) = b11887bcc9274d368088e1a8b6aca62414f20675cf0bc58e948f54fa04c327c39dd23cefe7509eec6397db14b550a3f6b77f5c18b3d735b3eef48ce2da1dcd00
|
SHA512 (c-ares-1.19.1.tar.gz) = 466a94efda626e815a6ef7a890637056339f883d549ea6055e289fd8cd2391130e5682c905c0fb3bd7e955af7f6deb793562c170eb0ee066a4a62085a82ba470
|
||||||
|
Loading…
Reference in New Issue
Block a user