Bug 1463132 (CVE-2017-1000381) - CVE-2017-1000381 c-ares: NAPTR parser out of bounds access
Summary: CVE-2017-1000381 c-ares: NAPTR parser out of bounds access
Keywords:
Status: NEW
Alias: CVE-2017-1000381
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170620,repor...
Depends On: 1463133 1463134 1463135 1463136 1463137 1470469
Blocks: 1463140
Reported: 2017-06-20 08:36 UTC by Andrej Nemec
Modified: 2019-06-08 22:04 UTC (History)
CC List: 40 users

Fixed In Version: c-ares 1.13.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Andrej Nemec 2017-06-20 08:36:59 UTC
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given input
buffer if the passed in DNS response packet was crafted in a particular way.

External References:

https://c-ares.haxx.se/adv_20170620.html
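The bug class described in this report is a parser that trusts lengths inside a DNS response and reads past the end of the buffer it was given. The following C program is an added illustration, not code from c-ares, from the advisory or from the patch: it parses one NAPTR RDATA (order, preference, flags, services, regexp and replacement name, per RFC 3403) and checks every field against the RDATA end before reading it, so a crafted RDLENGTH or length octet produces an error instead of an out-of-bounds read. All names (`parse_naptr_rdata`, `read_char_string`, `read_name`, `naptr_rdata`) and both sample records are constructed for this example; compression pointers in the replacement name are deliberately rejected to keep the example short.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not c-ares code: parsed fields of one NAPTR RDATA (RFC 3403). */
typedef struct {
    uint16_t order;
    uint16_t preference;
    char flags[256];
    char services[256];
    char regexp[256];
    char replacement[256];   /* replacement name in dotted form */
} naptr_rdata;

/* Copy one DNS <character-string> (length octet + bytes) from [p, end).
 * Returns octets consumed, or 0 if the declared length runs past end. */
static size_t read_char_string(const uint8_t *p, const uint8_t *end,
                               char *out, size_t outsz)
{
    if (p >= end)
        return 0;                           /* no room for the length octet */
    size_t len = p[0];
    if ((size_t)(end - p) < 1 + len)        /* the check a parser must not skip */
        return 0;
    if (len + 1 > outsz)
        return 0;
    memcpy(out, p + 1, len);
    out[len] = '\0';
    return 1 + len;
}

/* Copy an uncompressed domain name (labels ending with a zero octet).
 * Compression pointers are rejected here for simplicity (assumption). */
static size_t read_name(const uint8_t *p, const uint8_t *end,
                        char *out, size_t outsz)
{
    size_t used = 0, pos = 0;
    for (;;) {
        if (p + used >= end)
            return 0;                       /* name not terminated within RDATA */
        uint8_t len = p[used++];
        if (len == 0)
            break;
        if (len & 0xC0)
            return 0;                       /* compression pointer: unsupported */
        if ((size_t)(end - (p + used)) < len)
            return 0;                       /* label longer than remaining data */
        if (pos + 1 + len + 1 > outsz)
            return 0;
        if (pos)
            out[pos++] = '.';
        memcpy(out + pos, p + used, len);
        pos += len;
        used += len;
    }
    out[pos] = '\0';
    return used;
}

/* Parse exactly rdlen octets of NAPTR RDATA. Every field is bounds-checked
 * against end before it is read. Returns 0 on success, -1 if malformed. */
int parse_naptr_rdata(const uint8_t *rdata, size_t rdlen, naptr_rdata *out)
{
    const uint8_t *p = rdata, *end = rdata + rdlen;
    size_t n;

    if (rdlen < 4)                          /* order + preference */
        return -1;
    out->order      = (uint16_t)((p[0] << 8) | p[1]);
    out->preference = (uint16_t)((p[2] << 8) | p[3]);
    p += 4;
    if ((n = read_char_string(p, end, out->flags, sizeof out->flags)) == 0)
        return -1;
    p += n;
    if ((n = read_char_string(p, end, out->services, sizeof out->services)) == 0)
        return -1;
    p += n;
    if ((n = read_char_string(p, end, out->regexp, sizeof out->regexp)) == 0)
        return -1;
    p += n;
    if ((n = read_name(p, end, out->replacement, sizeof out->replacement)) == 0)
        return -1;
    p += n;
    return p == end ? 0 : -1;               /* trailing octets: malformed */
}

/* Constructed sample: order 100, pref 10, "s", "SIP+D2U", "", _sip._udp.example.com */
static const uint8_t SAMPLE_NAPTR[] = {
    0x00, 0x64, 0x00, 0x0a,
    0x01, 's',
    0x07, 'S', 'I', 'P', '+', 'D', '2', 'U',
    0x00,
    0x04, '_', 's', 'i', 'p', 0x04, '_', 'u', 'd', 'p',
    0x07, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0x03, 'c', 'o', 'm', 0x00
};

/* Constructed malformed sample: flags claims 32 octets but only 2 follow. */
static const uint8_t BAD_NAPTR[] = { 0x00, 0x64, 0x00, 0x0a, 0x20, 'a', 'b' };

int main(void)
{
    naptr_rdata r;
    if (parse_naptr_rdata(SAMPLE_NAPTR, sizeof SAMPLE_NAPTR, &r) == 0)
        printf("order=%u pref=%u flags=%s services=%s replacement=%s\n",
               r.order, r.preference, r.flags, r.services, r.replacement);
    printf("truncated -> %d\n", parse_naptr_rdata(SAMPLE_NAPTR, sizeof SAMPLE_NAPTR - 5, &r));
    printf("bad length -> %d\n", parse_naptr_rdata(BAD_NAPTR, sizeof BAD_NAPTR, &r));
    return 0;
}
```

The point of the example is the shape of the checks: each length octet is compared with the remaining distance to `end` before any byte behind it is touched, and the parser refuses to continue rather than clamping or guessing. A parser that takes the declared length at face value is exactly what lets a crafted response walk past the input buffer.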

Comment 1 Andrej Nemec 2017-06-20 08:37:29 UTC
Acknowledgments:

Name: Daniel Stenberg
Upstream: LCatro

Comment 2 Andrej Nemec 2017-06-20 08:38:19 UTC
Created mingw-c-ares tracking bugs for this issue:

Affects: epel-7 [bug 1463133]
Affects: fedora-all [bug 1463135]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1463134]
Affects: fedora-all [bug 1463137]
Affects: openshift-1 [bug 1463136]

Comment 5 Stefan Cornelius 2017-07-04 08:24:44 UTC
Patch:
https://c-ares.haxx.se/CVE-2017-1000381.patch

Comment 6 Japheth Cleaver 2017-07-11 22:55:53 UTC
That's two CVEs (this and CVE-2016-5180 in #BZ1387961) applicable to c-ares in EL6. Will this patch be backported, or can the version be rebased?

Comment 8 Tomas Hoger 2018-07-04 15:25:40 UTC
Upstream commit that was applied in 1.13.0:

https://github.com/c-ares/c-ares/commit/9478908a490a6bf009ba58d81de8c1d06d50a117

The above fix introduced a regression that was fixed in 1.14.0:

https://github.com/c-ares/c-ares/commit/18ea99693d63f957ecb670045adbd2c1da8a4641

Comment 10 Tomas Hoger 2018-07-04 15:41:28 UTC
The rh-nodejs6-nodejs packages in Red Hat Software Collections got this problem corrected when they were rebased from version 6.9.1 to 6.11.3 via RHSA-2017:2908:

https://access.redhat.com/errata/RHSA-2017:2908

The rh-nodejs8-nodejs packages in Red Hat Software Collections were first released based on fixed upstream version 8.6.0 and hence were never affected by this issue.

