Bug 1463132 (CVE-2017-1000381) - CVE-2017-1000381 c-ares: NAPTR parser out of bounds access
Alias: CVE-2017-1000381
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1463133 1463134 1463135 1463136 1463137 1470469
Blocks: 1463140
Reported: 2017-06-20 08:36 UTC by Andrej Nemec
Modified: 2021-10-21 11:54 UTC

Fixed In Version: c-ares 1.13.0
Last Closed: 2021-10-21 11:54:17 UTC

Description Andrej Nemec 2017-06-20 08:36:59 UTC
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given input
buffer if the passed in DNS response packet was crafted in a particular way.

External References:
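
Added example, not part of the bug report and not c-ares code: a bounds-checked walk over NAPTR RDATA as laid out in RFC 3403, showing the kind of length validation whose absence lets a parser read past its input buffer. The report does not say which field was over-read, so this is the general pattern only; `naptr_view`, `read_cstr`, `naptr_parse_rdata` and both sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

/* NAPTR RDATA (RFC 3403): ORDER(2) PREFERENCE(2) FLAGS SERVICES REGEXP
 * REPLACEMENT; the middle three are one length byte followed by data. */
struct naptr_view {               /* hypothetical result type */
    uint16_t order, preference;
    const uint8_t *flags, *services, *regexp;
    uint8_t flags_len, services_len, regexp_len;
    size_t replacement_off;       /* where the REPLACEMENT name starts */
};

/* Constructed samples: a well-formed record, and one whose SERVICES length
 * byte (200) claims more data than the buffer holds. */
static const uint8_t sample_ok[] = { 0,100, 0,10, 1,'u',
    7,'E','2','U','+','s','i','p',
    14,'!','^','.','*','$','!','s','i','p',':','a','@','b','!', 0 };
static const uint8_t sample_bad[] = { 0,100, 0,10, 1,'u', 200,'E','2','U' };

/* Read one <character-string> at *off; refuse to look past rdlen. */
static int read_cstr(const uint8_t *rd, size_t rdlen, size_t *off,
                     const uint8_t **s, uint8_t *n) {
    if (*off >= rdlen) return -1;                    /* no length byte left */
    uint8_t len = rd[*off];
    if ((size_t)len > rdlen - *off - 1) return -1;   /* data would overrun */
    *s = rd + *off + 1;
    *n = len;
    *off += (size_t)len + 1;
    return 0;
}

/* Returns 0 on success, -1 if any field would extend past the RDATA. */
int naptr_parse_rdata(const uint8_t *rd, size_t rdlen, struct naptr_view *out) {
    size_t off = 4;                                  /* ORDER + PREFERENCE */
    if (!rd || !out || rdlen < off) return -1;
    out->order = (uint16_t)((rd[0] << 8) | rd[1]);
    out->preference = (uint16_t)((rd[2] << 8) | rd[3]);
    if (read_cstr(rd, rdlen, &off, &out->flags, &out->flags_len) ||
        read_cstr(rd, rdlen, &off, &out->services, &out->services_len) ||
        read_cstr(rd, rdlen, &off, &out->regexp, &out->regexp_len))
        return -1;
    if (off >= rdlen) return -1;                     /* REPLACEMENT missing */
    out->replacement_off = off;
    return 0;
}

int main(void) {  /* exit status 0 when the truncated sample is rejected */
    struct naptr_view v;
    return naptr_parse_rdata(sample_bad, sizeof sample_bad, &v) != -1;
}
```

The REPLACEMENT domain name still needs its own bounded label walk; the sketch only records where it starts.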


Comment 1 Andrej Nemec 2017-06-20 08:37:29 UTC

Name: Daniel Stenberg
Upstream: LCatro

Comment 2 Andrej Nemec 2017-06-20 08:38:19 UTC
Created mingw-c-ares tracking bugs for this issue:

Affects: epel-7 [bug 1463133]
Affects: fedora-all [bug 1463135]

Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1463134]
Affects: fedora-all [bug 1463137]
Affects: openshift-1 [bug 1463136]

Comment 5 Stefan Cornelius 2017-07-04 08:24:44 UTC

Comment 6 Japheth Cleaver 2017-07-11 22:55:53 UTC
That's two CVEs (this and CVE-2016-5180 in #BZ1387961) applicable to c-ares in EL6. Will this patch be backported, or can the version be rebased?

Comment 8 Tomas Hoger 2018-07-04 15:25:40 UTC
Upstream commit that was applied in 1.13.0:


The above fix introduced a regression that was fixed in 1.14.0:


Comment 10 Tomas Hoger 2018-07-04 15:41:28 UTC
The rh-nodejs6-nodejs packages in Red Hat Software Collections got this problem corrected when they were rebased from version 6.9.1 to 6.11.3 via RHSA-2017:2908:


The rh-nodejs8-nodejs packages in Red Hat Software Collections were first released based on fixed upstream version 8.6.0 and hence were never affected by this issue.
