Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c-a...@packages.debian.org
Control: affects -1 + src:c-ares
Dear Release Team,

[ Reason ]
I'd like to upload a new version of c-ares which fixes CVE-2022-4904 (#1031525). According to the assessment of the Security Team the bug is not severe enough to warrant an upload to bullseye-security but the patch should go into -proposed instead.

[ Impact ]
The CVE will stay unfixed.

[ Tests ]
The upstream patch also adds a test to the c-ares test suite. I ran the test suite locally and it passes as expected.

[ Risks ]
IMO minimal risks.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Backport of the upstream fix. It applied cleanly.

Thanks,
Gregor
diff -Nru c-ares-1.17.1/debian/changelog c-ares-1.17.1/debian/changelog --- c-ares-1.17.1/debian/changelog 2021-08-07 11:56:59.000000000 +0200 +++ c-ares-1.17.1/debian/changelog 2023-02-18 00:24:32.000000000 +0100 @@ -1,3 +1,13 @@ +c-ares (1.17.1-1+deb11u2) bullseye; urgency=medium + + * Fix CVE-2022-4904: + It was discovered that in c-ares, an asynchronous name resolver library, + the config_sortlist function is missing checks about the validity of the + input string, which allows a possible arbitrary length stack overflow and + thus may cause a denial of service. (Closes: #1031525) + + -- Gregor Jasny <gja...@googlemail.com> Sat, 18 Feb 2023 00:24:32 +0100 + c-ares (1.17.1-1+deb11u1) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru c-ares-1.17.1/debian/patches/CVE-2022-4904.diff c-ares-1.17.1/debian/patches/CVE-2022-4904.diff --- c-ares-1.17.1/debian/patches/CVE-2022-4904.diff 1970-01-01 01:00:00.000000000 +0100 +++ c-ares-1.17.1/debian/patches/CVE-2022-4904.diff 2023-02-18 00:24:32.000000000 +0100 
@@ -0,0 +1,36 @@ +Subject: Add str len check in config_sortlist to avoid stack overflow +Origin: https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d +Bug: https://github.com/c-ares/c-ares/issues/496 +Bug-Debian: https://bugs.debian.org/1031525 + +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -2198,6 +2198,8 @@ + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -2206,6 +2208,8 @@ + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -270,6 +270,8 @@ + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } diff -Nru c-ares-1.17.1/debian/patches/series c-ares-1.17.1/debian/patches/series --- c-ares-1.17.1/debian/patches/series 2021-08-07 11:56:59.000000000 +0200 +++ c-ares-1.17.1/debian/patches/series 2023-02-18 00:24:32.000000000 +0100 @@ -1,3 +1,4 @@ disable-cflags-rewrite.diff ares_expand_name-should-escape-more-characters.patch ares_expand_name-fix-formatting-and-handling-of-root.patch +CVE-2022-4904.diff
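Review bot: in the ares_init.c hunk at line 2198, the new bound `if (q-str >= 16)` is a bare literal; if it is meant to mirror the declared size of ipbuf, write it as `if ((size_t)(q-str) >= sizeof(ipbuf))` so the check cannot silently drift if that buffer is ever resized (q-str is a ptrdiff_t, hence the cast). The comparison itself is right: the following lines copy q-str bytes and then store a terminator at ipbuf[q-str], so the address token must be at most 15 bytes.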
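Review bot: the second check at line 2208 (`if (q-str >= 32)`) returns ARES_EBADSTR from the middle of the entry-parsing loop, as the first one does; confirm that whatever config_sortlist has already stored in its output parameters for earlier entries is released or discarded by the caller on that error path, otherwise one over-long entry partway through a sortlist leaves a half-built list behind. The same `sizeof(ipbufpfx)` suggestion applies to this literal. Note that this memcpy starts at `str`, the beginning of the whole address/prefix entry rather than at str2, which is why the larger bound is the correct one here.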
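Review bot: the two new EXPECT_EQ lines in SetSortlistFailures exercise only the rejecting side of each bound (a 16-byte address token and a 32-byte address/prefix entry); add the accepting sibling of each, e.g. `EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "111.111.111.111/16"));` and the 31-byte `"111.111.111.111/255.255.255.240"`, so that the >= comparisons are pinned against an off-by-one in either direction. The existing assertions show that unparseable but short entries such as "xyzzy ; lwk" still yield ARES_SUCCESS, so those boundary inputs should pass.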