Control: tags 992053 + patch Control: tags 992053 + pending
Dear maintainer, I've prepared an NMU for c-ares (versioned as 1.17.1-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru c-ares-1.17.1/debian/changelog c-ares-1.17.1/debian/changelog --- c-ares-1.17.1/debian/changelog 2020-11-19 18:57:27.000000000 +0100 +++ c-ares-1.17.1/debian/changelog 2021-08-07 11:43:50.000000000 +0200 @@ -1,3 +1,13 @@ +c-ares (1.17.1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Missing input validation on hostnames returned by DNS servers + (CVE-2021-3672) (Closes: #992053) + - ares_expand_name() should escape more characters + - ares_expand_name(): fix formatting and handling of root name response + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 07 Aug 2021 11:43:50 +0200 + c-ares (1.17.1-1) unstable; urgency=medium * Imported Upstream version 1.17.1 (fixes CVE-2020-8277) diff -Nru c-ares-1.17.1/debian/patches/ares_expand_name-fix-formatting-and-handling-of-root.patch c-ares-1.17.1/debian/patches/ares_expand_name-fix-formatting-and-handling-of-root.patch --- c-ares-1.17.1/debian/patches/ares_expand_name-fix-formatting-and-handling-of-root.patch 1970-01-01 01:00:00.000000000 +0100 +++ c-ares-1.17.1/debian/patches/ares_expand_name-fix-formatting-and-handling-of-root.patch 2021-08-07 11:43:50.000000000 +0200 @@ -0,0 +1,112 @@ +From: bradh352 <b...@brad-house.com> +Date: Fri, 11 Jun 2021 12:39:24 -0400 +Subject: [2/2] ares_expand_name(): fix formatting and handling of root name + response +Origin: https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 + +Fixes issue introduced in prior commit with formatting and handling +of parsing a root name response which should not be escaped. + +Fix By: Brad House +--- + src/lib/ares_expand_name.c | 62 ++++++++++++++++++++++++-------------- + 1 file changed, 40 insertions(+), 22 deletions(-) + +diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c +index f1c874a97cfc..eb9268c1ff0a 100644 +--- a/src/lib/ares_expand_name.c ++++ b/src/lib/ares_expand_name.c +@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, + } + else + { +- len = *p; ++ int name_len = *p; ++ len = name_len; + p++; ++ + while (len--) + { +- if (!isprint(*p)) { +- /* Output as \DDD for consistency with RFC1035 5.1 */ +- *q++ = '\\'; +- *q++ = '0' + *p / 100; +- *q++ = '0' + (*p % 100) / 10; +- *q++ = '0' + (*p % 10); +- } else if (is_reservedch(*p)) { +- *q++ = '\\'; +- *q++ = *p; +- } else { +- *q++ = *p; +- } ++ /* Output as \DDD for consistency with RFC1035 5.1, except ++ * for the special case of a root name response */ ++ if (!isprint(*p) && !(name_len == 1 && *p == 0)) ++ { ++ ++ *q++ = '\\'; ++ *q++ = '0' + *p / 100; ++ *q++ = '0' + (*p % 100) / 10; ++ *q++ = '0' + (*p % 10); ++ } ++ else if (is_reservedch(*p)) ++ { ++ *q++ = '\\'; ++ *q++ = *p; ++ } ++ else ++ { ++ *q++ = *p; ++ } + p++; + } + *q++ = '.'; + } +- } ++ } ++ + if (!indir) + *enclen = aresx_uztosl(p + 1U - encoded); + +@@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, + } + else if (top == 0x00) + { +- offset = *encoded; ++ int name_len = *encoded; ++ offset = name_len; + if (encoded + offset + 1 >= abuf + alen) + return -1; + encoded++; ++ + while (offset--) + { +- if (!isprint(*encoded)) { +- n += 4; +- } else if (is_reservedch(*encoded)) { +- n += 2; +- } else { +- n += 1; +- } ++ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0)) ++ { ++ n += 4; ++ } ++ else if (is_reservedch(*encoded)) ++ { ++ n += 2; ++ } ++ else ++ { ++ n += 1; ++ } + encoded++; + } ++ + n++; + } + else +-- +2.32.0 + diff -Nru c-ares-1.17.1/debian/patches/ares_expand_name-should-escape-more-characters.patch c-ares-1.17.1/debian/patches/ares_expand_name-should-escape-more-characters.patch --- c-ares-1.17.1/debian/patches/ares_expand_name-should-escape-more-characters.patch 1970-01-01 01:00:00.000000000 +0100 +++ c-ares-1.17.1/debian/patches/ares_expand_name-should-escape-more-characters.patch 2021-08-07 11:43:50.000000000 +0200 @@ -0,0 +1,87 @@ +From: bradh352 <b...@brad-house.com> +Date: Fri, 11 Jun 2021 11:27:45 -0400 +Subject: [1/2] ares_expand_name() should escape more characters +Origin: https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 + +RFC1035 5.1 specifies some reserved characters and escaping sequences +that are allowed to be specified. Expand the list of reserved characters +and also escape non-printable characters using the \DDD format as +specified in the RFC. + +Bug Reported By: philipp.jeit...@sit.fraunhofer.de +Fix By: Brad House (@bradh352) +--- + src/lib/ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++--- + 1 file changed, 38 insertions(+), 3 deletions(-) + +diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c +index 407200ef5b4b..f1c874a97cfc 100644 +--- a/src/lib/ares_expand_name.c ++++ b/src/lib/ares_expand_name.c +@@ -32,6 +32,26 @@ + static int name_length(const unsigned char *encoded, const unsigned char *abuf, + int alen); + ++/* Reserved characters for names that need to be escaped */ ++static int is_reservedch(int ch) ++{ ++ switch (ch) { ++ case '"': ++ case '.': ++ case ';': ++ case '\\': ++ case '(': ++ case ')': ++ case '@': ++ case '$': ++ return 1; ++ default: ++ break; ++ } ++ ++ return 0; ++} ++ + /* Expand an RFC1035-encoded domain name given by encoded. The + * containing message is given by abuf and alen. The result given by + * *s, which is set to a NUL-terminated allocated buffer. *enclen is +@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, + p++; + while (len--) + { +- if (*p == '.' || *p == '\\') ++ if (!isprint(*p)) { ++ /* Output as \DDD for consistency with RFC1035 5.1 */ ++ *q++ = '\\'; ++ *q++ = '0' + *p / 100; ++ *q++ = '0' + (*p % 100) / 10; ++ *q++ = '0' + (*p % 10); ++ } else if (is_reservedch(*p)) { + *q++ = '\\'; +- *q++ = *p; ++ *q++ = *p; ++ } else { ++ *q++ = *p; ++ } + p++; + } + *q++ = '.'; +@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, + encoded++; + while (offset--) + { +- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1; ++ if (!isprint(*encoded)) { ++ n += 4; ++ } else if (is_reservedch(*encoded)) { ++ n += 2; ++ } else { ++ n += 1; ++ } + encoded++; + } + n++; +-- +2.32.0 + diff -Nru c-ares-1.17.1/debian/patches/series c-ares-1.17.1/debian/patches/series --- c-ares-1.17.1/debian/patches/series 2020-11-19 18:57:27.000000000 +0100 +++ c-ares-1.17.1/debian/patches/series 2021-08-07 11:43:50.000000000 +0200 @@ -1,2 +1,3 @@ disable-cflags-rewrite.diff - +ares_expand_name-should-escape-more-characters.patch +ares_expand_name-fix-formatting-and-handling-of-root.patch
