Bug 21115

Summary: c-ares new security issue CVE-2017-1000381
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Source RPM: c-ares-1.12.0-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-06-20 14:57:34 CEST 
Upstream has issued an advisory today (June 20):
https://c-ares.haxx.se/adv_20170620.html

The page above includes a link to a patch.  The issue is also fixed in 1.13.0.

Mageia 5 is also affected.
David Walser 2017-06-20 14:57:44 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-06-20 22:17:08 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2017-06-23 22:47:03 CEST 
Fedora has issued an advisory for this on June 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WSDFKTQNDIAOE6HOLX7AP55ELR5SNJI2/
Comment 3 David Walser 2017-06-24 23:54:04 CEST 
c-ares-1.13.0-1.mga6 uploaded for Cauldron to fix this.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 Shlomi Fish 2017-07-05 15:23:40 CEST 
c-ares-1.10.0-5.2.mga5 	uploaded to mga5 core/updates_testing with the patch. Assiging to QA. Please test.

Status: NEW => ASSIGNED
Assignee: shlomif => qa-bugs

Comment 5 David Walser 2017-07-06 01:43:13 CEST 
Advisory:
========================

Updated c-ares packages fix security vulnerability:

The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR
responses, could be triggered to read memory outside of the given input buffer
if the passed in DNS response packet was crafted in a particular way
(CVE-2017-1000381).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://c-ares.haxx.se/adv_20170620.html
========================

Updated packages in core/updates_testing:
========================
libcares2-1.10.0-5.2.mga5
libcares-devel-1.10.0-5.2.mga5
libcares-static-devel-1.10.0-5.2.mga5

from c-ares-1.10.0-5.2.mga5.src.rpm
Comment 6 Herman Viaene 2017-07-19 11:00:39 CEST 
MGA-32 on Asus A6000VM Xfce
No installation issues
Ref. to bug 19489 Comment 6 I run at CLI:
$ strace -o /home/tester5/Documenten/libcarestxt aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#ce37cf 11MiB/11MiB(97%) CN:1 DL:1.0MiB]                                                                             
07/19 10:52:31 [NOTICE] Download afgerond: /home/tester5/Downloads/part2pairs.zip

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
ce37cf|OK  |   1.0MiB/s|/home/tester5/Downloads/part2pairs.zip

Status Legend:
(OK):download completed.

Which gave me a nice set of pictures and the trace shows calling libcares.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-07-20 20:46:27 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 7 Lewis Smith 2017-07-23 09:36:12 CEST 
Testing M5 x64 as per https://bugs.mageia.org/show_bug.cgi?id=19489#c6

BEFORE the update: lib64cares2-1.10.0-5.1.mga5

1a)
 $  aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
07/23 09:09:42 [NOTICE] Download complete: /home/lewis/mirror.readme
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
4ca206|OK  |    11KiB/s|/home/lewis/mirror.readme

AFTER updating the pkg to: lib64cares2-1.10.0-5.2.mga5
 
1b)
 $ aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
07/23 09:13:11 [NOTICE] File already exists. Renamed to /home/lewis/mirror.readme.1.
07/23 09:13:11 [NOTICE] Download complete: /home/lewis/mirror.readme.1
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
642863|OK  |    12KiB/s|/home/lewis/mirror.readme.1
Status Legend:
(OK):download completed.

1c)
 $ cmp mirror.readme mirror.readme.1
 $                                 [both files identical]

2)
 $ aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#deaaf7 11MiB/11MiB(96%) CN:1 DL:464KiB]                                      
07/23 09:17:10 [NOTICE] Download complete: /home/lewis/part2pairs.zip
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
deaaf7|OK  |   461KiB/s|/home/lewis/part2pairs.zip
Status Legend:
(OK):download completed.

The zip files contains several .ppm image files, all viewed correctly.
Strace showed for all commands that the library is opened:
 open("/lib64/libcares.so.2", O_RDONLY|O_CLOEXEC) = 3
Update looks good. Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-07-23 22:08:06 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0215.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED