Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1463132 (CVE-2017-1000381) - CVE-2017-1000381 c-ares: NAPTR parser out of bounds access
Summary: CVE-2017-1000381 c-ares: NAPTR parser out of bounds access
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-1000381
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1463133 1463134 1463135 1463136 1463137 1470469
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-06-20 08:36 UTC by Andrej Nemec
Modified: 2021-10-21 11:54 UTC (History)
35 users (show)

Fixed In Version: c-ares 1.13.0
Clone Of:
Environment:
Last Closed: 2021-10-21 11:54:17 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2017-06-20 08:36:59 UTC 
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given input
buffer if the passed in DNS response packet was crafted in a particular way.

External References:

https://c-ares.haxx.se/adv_20170620.html
Comment 1 Andrej Nemec 2017-06-20 08:37:29 UTC 
Acknowledgments:

Name: Daniel Stenberg
Upstream: LCatro
Comment 2 Andrej Nemec 2017-06-20 08:38:19 UTC 
Created mingw-c-ares tracking bugs for this issue:

Affects: epel-7 [bug 1463133]
Affects: fedora-all [bug 1463135]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1463134]
Affects: fedora-all [bug 1463137]
Affects: openshift-1 [bug 1463136]
Comment 5 Stefan Cornelius 2017-07-04 08:24:44 UTC 
Patch:
https://c-ares.haxx.se/CVE-2017-1000381.patch
Comment 6 Japheth Cleaver 2017-07-11 22:55:53 UTC 
That's two CVE's (this and CVE-2016-5180 in #BZ1387961) applicable to c-ares in EL6. Will this patch be backported, or can the version be rebased?
Comment 8 Tomas Hoger 2018-07-04 15:25:40 UTC 
Upstream commit that was applied in 1.13.0:

https://github.com/c-ares/c-ares/commit/9478908a490a6bf009ba58d81de8c1d06d50a117

The above fix introduce a regression that was fixed in 1.14.0:

https://github.com/c-ares/c-ares/commit/18ea99693d63f957ecb670045adbd2c1da8a4641
Comment 9 Tomas Hoger 2018-07-04 15:37:43 UTC 
c-ares version bundled in NodeJS was fixed in NodeJS versions 4.8.4, 6.11.1, 7.10.1, and 8.1.4:

https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v4.8.4/
https://nodejs.org/en/blog/release/v6.11.1/
https://nodejs.org/en/blog/release/v7.10.1/
https://nodejs.org/en/blog/release/v8.1.4/
Comment 10 Tomas Hoger 2018-07-04 15:41:28 UTC 
The rh-nodejs6-nodejs packages in Red Hat Software Collections got this problem corrected when they were rebased from version 6.9.1 to 6.11.3 via RHSA-2017:2908:

https://access.redhat.com/errata/RHSA-2017:2908

The rh-nodejs8-nodejs packages in Red Hat Software Collections were first released based on fixed upstream version 8.6.0 and hence were never affected by this issue.
Note You need to log in before you can comment on or make changes to this bug.