Bug 1380463 (CVE-2016-5180)

Summary: CVE-2016-5180 c-ares: Single byte out of buffer write
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, ahardin, apevec, ayoung, bleanhar, cbuissar, ccoleman, chrisw, cvsbot-xmlrpc, dedgar, dmcphers, dmoppert, hhorak, jgoulding, jhrozek, jialiu, jkeck, joelsmith, jokerman, jorton, jschluet, kbasil, kseifried, lhh, lmeyer, lpeer, markmc, mchappel, mmccomas, mnagy, mrunge, nodejs-sig, rbryant, sclewis, sgallagh, srevivo, tcallawa, tchollingsworth, tdawson, tdecacqu, thrcka, tiwillia, valtri, zsvetlik
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: c-ares 1.12.0, nodejs 4.6.1, nodejs 0.10.48 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in c-ares. A hostname with an escaped trailing dot (such as "hello\.") would have its size calculated incorrectly, leading to a single byte written beyond the end of a buffer on the heap. An attacker able to provide such a hostname to an application using c-ares, could potentially cause that application to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:59:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1380464, 1380465, 1380466, 1380467, 1380468, 1380576, 1387961, 1389242, 1389243, 1389244, 1399557, 1405996, 1470080, 1597937    
Bug Blocks: 1380469, 1434569    

Description Adam Mariš 2016-09-29 16:31:32 UTC 
When a string is passed in to `ares_create_query` or `ares_mkquery` and uses an escaped trailing dot, like "hello\.", c-ares calculates the string length wrong and subsequently writes outside of the the allocated buffer with one byte. The wrongly written byte is the least significant byte of the 'dnsclass' argument; most commonly 1.

Affected versions: c-ares 1.0.0 to and including 1.11.0

Upstream patch:

https://c-ares.haxx.se/CVE-2016-5180.patch

External References:

https://c-ares.haxx.se/adv_20160929.html
Comment 1 Adam Mariš 2016-09-29 16:32:34 UTC 
Created c-ares19 tracking bugs for this issue:

Affects: epel-7 [bug 1380468]
Comment 2 Adam Mariš 2016-09-29 16:32:46 UTC 
Created mingw-c-ares tracking bugs for this issue:

Affects: fedora-all [bug 1380465]
Affects: epel-6 [bug 1380467]
Comment 3 Adam Mariš 2016-09-29 16:32:53 UTC 
Created c-ares tracking bugs for this issue:

Affects: fedora-all [bug 1380464]
Affects: epel-5 [bug 1380466]
Comment 4 Doran Moppert 2016-09-30 02:42:10 UTC 
The overflowed buffer is heap-allocated using malloc().  Overflow is by only one byte, and the value comes from another parameter (dnsclass) to the affected function.

Normally this parameter is not under the attacker's control.  For Internet domain resolution (by far the most common case), it must always be 1.

As such, the worst possible outcome here is to corrupt the first byte of the following chunk's metadata, which may lead to a panic in a later call to malloc/free/realloc.
Comment 5 Doran Moppert 2016-09-30 03:05:38 UTC 
Created mingw-c-ares tracking bugs for this issue:

Affects: epel-7 [bug 1380576]
Comment 6 Doran Moppert 2016-09-30 03:08:46 UTC 
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 10 Adam Mariš 2016-10-27 09:19:53 UTC 
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1389243]
Affects: epel-all [bug 1389244]
Comment 11 Doran Moppert 2016-10-28 01:49:08 UTC 
Upstream patch (0.10.48):

https://github.com/nodejs/node/commit/a14a6a3a1


Upstream patch (4.6.1):

https://github.com/nodejs/node/commit/f3c63e7ccf
Comment 15 errata-xmlrpc 2017-01-02 15:57:12 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2017:0002 https://rhn.redhat.com/errata/RHSA-2017-0002.html
Comment 19 Tomas Hoger 2018-07-04 15:50:05 UTC 
NodeJS upstream fixed this issue in their bundled c-ares in versions 0.10.48, 0.12.17, and 4.6.1:

https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
https://nodejs.org/en/blog/release/v0.10.48/
https://nodejs.org/en/blog/release/v0.12.17/
https://nodejs.org/en/blog/release/v4.6.1/