Bug 2168631 (CVE-2022-4904) - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check
Summary: CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing str...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-4904
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 2165777 (view as bug list)
Depends On: 2170867 2170868 2170869 2170870 2170871 2170872 2170873 2175837 2178102 2178103 2178105 2178150 2178152 2170860 2170861 2170862 2170863 2170866 2175838 2175839 2175840 2176102 2178099 2178100 2178101 2178104 2178106 2178151
Blocks: 2168630 2175314
TreeView+ depends on / blocked
 
Reported: 2023-02-09 15:33 UTC by Marian Rehak
Modified: 2023-07-13 11:42 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2023-05-09 20:45:26 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1546 0 None None None 2023-04-03 12:04:12 UTC
Red Hat Product Errata RHBA-2023:1776 0 None None None 2023-04-13 14:58:55 UTC
Red Hat Product Errata RHBA-2023:1799 0 None None None 2023-04-17 07:30:51 UTC
Red Hat Product Errata RHBA-2023:1807 0 None None None 2023-04-17 14:08:04 UTC
Red Hat Product Errata RHBA-2023:1808 0 None None None 2023-04-17 14:08:16 UTC
Red Hat Product Errata RHBA-2023:1856 0 None None None 2023-04-18 22:33:19 UTC
Red Hat Product Errata RHBA-2023:1927 0 None None None 2023-04-24 01:07:53 UTC
Red Hat Product Errata RHBA-2023:4078 0 None None None 2023-07-13 11:42:11 UTC
Red Hat Product Errata RHSA-2023:1533 0 None None None 2023-03-30 12:36:04 UTC
Red Hat Product Errata RHSA-2023:1582 0 None None None 2023-04-04 09:48:21 UTC
Red Hat Product Errata RHSA-2023:1742 0 None None None 2023-04-12 14:58:50 UTC
Red Hat Product Errata RHSA-2023:1743 0 None None None 2023-04-12 14:59:14 UTC
Red Hat Product Errata RHSA-2023:1744 0 None None None 2023-04-12 15:07:40 UTC
Red Hat Product Errata RHSA-2023:2654 0 None None None 2023-05-09 11:46:34 UTC
Red Hat Product Errata RHSA-2023:2655 0 None None None 2023-05-09 11:46:50 UTC
Red Hat Product Errata RHSA-2023:4035 0 None None None 2023-07-12 08:25:18 UTC

Description Marian Rehak 2023-02-09 15:33:16 UTC 
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, ares_set_sortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked memcpy(ipbuf, str, q-str); and memcpy(ipbufpfx, str, q-str); statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.
Comment 1 Marian Rehak 2023-02-17 13:15:29 UTC 
Created c-ares tracking bugs for this issue:

Affects: fedora-all [bug 2170860]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2170861]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2170862]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2170863]
Comment 3 Marian Rehak 2023-02-17 13:51:16 UTC 
*** Bug 2165777 has been marked as a duplicate of this bug. ***
Comment 8 errata-xmlrpc 2023-03-30 12:36:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533
Comment 9 errata-xmlrpc 2023-04-04 09:48:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582
Comment 10 errata-xmlrpc 2023-04-12 14:58:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
Comment 11 errata-xmlrpc 2023-04-12 14:59:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743
Comment 12 errata-xmlrpc 2023-04-12 15:07:38 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:1744 https://access.redhat.com/errata/RHSA-2023:1744
Comment 13 errata-xmlrpc 2023-05-09 11:46:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654
Comment 14 errata-xmlrpc 2023-05-09 11:46:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2655 https://access.redhat.com/errata/RHSA-2023:2655
Comment 15 Product Security DevOps Team 2023-05-09 20:45:24 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4904
Comment 17 errata-xmlrpc 2023-07-12 08:25:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4035 https://access.redhat.com/errata/RHSA-2023:4035
Note You need to log in before you can comment on or make changes to this bug.