Compare commits


2 Commits

Author SHA1 Message Date
Alexey Tikhonov 6543b2b22f Resolves: RHEL-26529 - Out of bounds read in ares__read_line() [rhel-9] 2024-03-12 01:17:05 +00:00
Alexey Tikhonov cd0d576973 Resolves: rhbz#2209564 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation [rhel-9]
Resolves: rhbz#2209556 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton() [rhel-9]
Resolves: rhbz#2209550 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs [rhel-9]
Resolves: rhbz#2209520 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-9.3.0]
Resolves: rhbz#2210370 - Rebase c-ares for RHEL 9.3
2023-05-27 17:26:19 +02:00
2 changed files with 38 additions and 1 deletion


@ -0,0 +1,33 @@
From a59618566446044c1fa7f35ed349a273c48176fb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 11 Mar 2024 20:46:09 +0100
Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q
Backported from
https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183
---
src/lib/ares__read_line.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
index c62ad2a..d6625a3 100644
--- a/src/lib/ares__read_line.c
+++ b/src/lib/ares__read_line.c
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
if (!fgets(*buf + offset, bytestoread, fp))
return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
len = offset + strlen(*buf + offset);
+
+ /* Probably means there was an embedded NULL as the first character in
+ * the line, throw away line */
+ if (len == 0) {
+ offset = 0;
+ continue;
+ }
+
if ((*buf)[len - 1] == '\n')
{
(*buf)[len - 1] = 0;
--
2.42.0
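Review bot: in the new `if (len == 0)` block, the `offset = 0;` assignment is a no-op, because `len = offset + strlen(*buf + offset)` can only be zero when `offset` is already zero; it does no harm, but the comment above it ("Probably means ...") should state the concrete condition the check exists for: fgets() stored a line whose first byte is NUL, so `strlen()` returns 0 and the unguarded `(*buf)[len - 1]` two lines below would index one byte before the buffer. Something like `/* fgets() returned a line starting with NUL; len - 1 would index before the buffer, so discard it and read the next line */` makes the intent reviewable without the advisory at hand. The `continue` relies on an enclosing loop that this hunk does not show; termination still holds because the `if (!fgets(...))` check above returns as soon as the stream reaches EOF or an error.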


@ -3,13 +3,14 @@
Summary: A library that performs asynchronous DNS operations
Name: c-ares
Version: 1.19.1
Release: 1%{?dist}
Release: 2%{?dist}
License: MIT
URL: http://c-ares.org/
Source0: http://c-ares.org/download/%{name}-%{version}.tar.gz
# The license can be obtained at http://c-ares.haxx.se/license.html
Source1: LICENSE
Patch0: 0001-Use-RPM-compiler-options.patch
Patch1: 0002-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch
BuildRequires: gcc
%if %{use_cmake}
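Review bot: the hunk adds the `Patch1: 0002-Merge-pull-request-from-GHSA-mg26-v6qh-x48q.patch` declaration but shows no corresponding application step; confirm that `%prep` picks it up (via `%autosetup`, or an explicit `%patch1 -p1` next to the existing `%patch0` handling), since a declared-but-unapplied patch still builds cleanly and would leave the out-of-bounds read in place while the Release bump to `2%{?dist}` suggests it is fixed.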
@ -84,6 +85,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libcares.la
%{_mandir}/man3/ares_*
%changelog
* Mon Mar 11 2024 Alexey Tikhonov <atikhono@redhat.com> - 1.19.1-2
- Resolves: RHEL-26529 - Out of bounds read in ares__read_line() [rhel-9]
* Fri May 26 2023 Alexey Tikhonov <atikhono@redhat.com> - 1.19.1-1
- Resolves: rhbz#2209564 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation [rhel-9]
- Resolves: rhbz#2209556 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton() [rhel-9]
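Review bot: the new changelog entry references only the RHEL-26529 tracker; since the patch filename and its Subject line carry the upstream advisory id GHSA-mg26-v6qh-x48q, consider adding that id (or the upstream commit URL from the patch header) to the `- Resolves:` line so the backport is traceable to its upstream fix without opening the patch file.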