
Bug#1031652: bullseye-pu: package c-ares/1.17.1-1+deb11u1 CVE-2022-4904



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c-ares@packages.debian.org
Control: affects -1 + src:c-ares

Dear Release Team,

[ Reason ]
I'd like to upload a new version of c-ares which fixes
CVE-2022-4904 (#1031525). According to the assessment of the
Security Team the bug is not severe enough to warrant an upload
to bullseye-security but the patch should go into -proposed instead.

[ Impact ]
The CVE will stay unfixed.

[ Tests ]
The upstream patch also adds a test to the c-ares test suite.
I ran the test suite locally and it passes as expected.

[ Risks ]
IMO minimal risks.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backport of the upstream fix. It applied cleanly.

Thanks,
Gregor

diff -Nru c-ares-1.17.1/debian/changelog c-ares-1.17.1/debian/changelog
--- c-ares-1.17.1/debian/changelog	2021-08-07 11:56:59.000000000 +0200
+++ c-ares-1.17.1/debian/changelog	2023-02-18 00:24:32.000000000 +0100
@@ -1,3 +1,13 @@
+c-ares (1.17.1-1+deb11u2) bullseye; urgency=medium
+
+   * Fix CVE-2022-4904:
+     It was discovered that in c-ares, an asynchronous name resolver library,
+     the config_sortlist function is missing checks about the validity of the
+     input string, which allows a possible arbitrary length stack overflow and
+     thus may cause a denial of service. (Closes: #1031525)
+
+ -- Gregor Jasny <gjasny@googlemail.com>  Sat, 18 Feb 2023 00:24:32 +0100
+
 c-ares (1.17.1-1+deb11u1) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
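Review bot: the changelog wording "arbitrary length stack overflow" in the "* Fix CVE-2022-4904" entry is less precise than what the patch actually bounds: the added checks reject an address token of 16 or more bytes and an address/prefix token of 32 or more bytes before the memcpy into ipbuf and ipbufpfx, i.e. this is an overflow of fixed-size stack buffers from an over-long sortlist entry. "stack buffer overflow" would describe the issue more accurately for anyone reading the changelog without the patch.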
diff -Nru c-ares-1.17.1/debian/patches/CVE-2022-4904.diff c-ares-1.17.1/debian/patches/CVE-2022-4904.diff
--- c-ares-1.17.1/debian/patches/CVE-2022-4904.diff	1970-01-01 01:00:00.000000000 +0100
+++ c-ares-1.17.1/debian/patches/CVE-2022-4904.diff	2023-02-18 00:24:32.000000000 +0100
@@ -0,0 +1,36 @@
+Subject: Add str len check in config_sortlist to avoid stack overflow
+Origin: https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d
+Bug: https://github.com/c-ares/c-ares/issues/496
+Bug-Debian: https://bugs.debian.org/1031525
+
+--- a/src/lib/ares_init.c
++++ b/src/lib/ares_init.c
+@@ -2198,6 +2198,8 @@
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
++      if (q-str >= 16)
++        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -2206,6 +2208,8 @@
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
++          if (q-str >= 32)
++            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+--- a/test/ares-test-init.cc
++++ b/test/ares-test-init.cc
+@@ -270,6 +270,8 @@
+ 
+ TEST_F(DefaultChannelTest, SetSortlistFailures) {
+   EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
++  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
++  EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
+   EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
+ }
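Review bot: the limits in `if (q-str >= 16)` and `if (q-str >= 32)` are correct only if ipbuf and ipbufpfx are declared as 16 and 32 bytes; those declarations sit outside the hunk context, so confirm them in src/lib/ares_init.c before upload. With those sizes the bounds are not off by one: the longest dotted quad ("255.255.255.255") is 15 characters and the longest address/netmask pair ("255.255.255.255/255.255.255.255") is 31, so both still leave room for the NUL written by `ipbuf[q-str] = '\0'` and `ipbufpfx[q-str] = '\0'`, and both checks run before the memcpy rather than after it. The two added EXPECT_EQ(ARES_EBADSTR, ...) cases land exactly on the rejected boundary (the first token of "111.111.111.111*/16" is 16 characters, and "111.111.111.111/255.255.255.240*" is 32), which is good; a companion EXPECT_EQ(ARES_SUCCESS, ...) with the 31-character maximal legal entry would additionally catch a future change that tightens either limit by one.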
diff -Nru c-ares-1.17.1/debian/patches/series c-ares-1.17.1/debian/patches/series
--- c-ares-1.17.1/debian/patches/series	2021-08-07 11:56:59.000000000 +0200
+++ c-ares-1.17.1/debian/patches/series	2023-02-18 00:24:32.000000000 +0100
@@ -1,3 +1,4 @@
 disable-cflags-rewrite.diff
 ares_expand_name-should-escape-more-characters.patch
 ares_expand_name-fix-formatting-and-handling-of-root.patch
+CVE-2022-4904.diff