A security issue in c-ares has been announced today (September 29):
http://openwall.com/lists/oss-security/2016/09/29/13

The issue is fixed upstream in 1.12.0, and a patch is linked in the message above.

Freeze push requested for Cauldron.

Patch checked in to Mageia 5 SVN.
Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

c-ares is used, most prominently, by aria2.

Advisory:
========================

Updated c-ares packages fix a security vulnerability:

In c-ares before 1.12.0, when a string is passed in to `ares_create_query` or `ares_mkquery` and uses an escaped trailing dot, like "hello\.", c-ares calculates the string length wrong and subsequently writes outside of the allocated buffer with one byte. The wrongly written byte is the least significant byte of the 'dnsclass' argument; most commonly 1 (CVE-2016-5180).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5180
https://c-ares.haxx.se/adv_20160929.html
========================

Updated packages in core/updates_testing:
========================
libcares2-1.10.0-5.1.mga5
libcares-devel-1.10.0-5.1.mga5
libcares-static-devel-1.10.0-5.1.mga5

from c-ares-1.10.0-5.1.mga5.src.rpm
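To make the miscount in the advisory above concrete, here is an added example (not c-ares code, and not the library's actual loop, which is my own simplified model): a flawed length estimate that treats any final '.' as the root terminator, next to a correct wire-format encoder, so the one-byte shortfall for "hello\." can be measured without writing past a buffer.

```c
#include <stddef.h>
#include <string.h>
/* Model of the flawed pre-1.12.0 count (not c-ares' actual code): escapes
 * are skipped, then a final '.' is assumed to be the root terminator. */
size_t flawed_name_len(const char *name)
{
    const char *p;
    size_t len = 1;                    /* terminating zero-length label */
    for (p = name; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                       /* an escaped character counts once */
        len++;
    }
    if (*name && p[-1] != '.')         /* wrong for "hello\.": that '.' is data */
        len++;
    return len;
}
/* Real wire encoding: length-prefixed labels plus a zero byte. Returns the
 * bytes required and copies them to out only when they fit in outlen. */
size_t encode_name(const char *name, unsigned char *out, size_t outlen)
{
    unsigned char tmp[512];
    size_t pos = 1, lenpos = 0;        /* tmp[0] is the first length byte */
    const char *p;
    if (strlen(name) + 2 > sizeof tmp)
        return 0;                      /* too long for this example */
    for (p = name; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            tmp[pos++] = (unsigned char)*++p;   /* "\." is a literal dot */
        else if (*p == '.' && p[1] == '\0')
            break;                     /* unescaped trailing dot: root */
        else if (*p == '.') {
            tmp[lenpos] = (unsigned char)(pos - lenpos - 1);
            lenpos = pos++;            /* reserve next label's length byte */
        } else
            tmp[pos++] = (unsigned char)*p;
    }
    tmp[lenpos] = (unsigned char)(pos - lenpos - 1);
    if (tmp[lenpos] == 0)              /* empty name: only the root label */
        pos = lenpos;
    tmp[pos++] = 0;
    if (out != NULL && pos <= outlen)
        memcpy(out, tmp, pos);
    return pos;
}
/* Bytes the flawed count falls short by: 0 is safe, 1 is the CVE case. */
long undercount(const char *name)
{
    return (long)encode_name(name, NULL, 0) - (long)flawed_name_len(name);
}
```

For "hello\." the flawed estimate is 7 while the encoded name needs 8 bytes (length byte, six label bytes, terminating zero), which is the single byte the advisory describes; "hello." and "hello" agree in both functions.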
Assignee: bugsquad => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/702314/
Debian has issued an advisory for this on September 30: https://www.debian.org/security/2016/dsa-3682
lib[64]cares2: a library that performs asynchronous DNS operations. No previous updates.

Possible test host software:
# urpmq --whatrequires libcares2
aria2 - Download package; but no man page nor command - so how to drive it?
bzflag - A multiplayer 3D tank battle game
nodejs - Server side JavaScript - with its own updates to refer to.
sssd - System Security Services Daemon
xymon - A system for monitoring servers and networks.
CC: (none) => lewyssmith
Proof of concept code is alluded to in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839151 but that does not seem to be publicly available.
CC: (none) => tarazed25
More info on this here too: http://openwall.com/lists/oss-security/2016/10/15/3
Testing M5-64 real H/W using aria2

(In reply to Lewis Smith from comment #3)
> aria2 Download package; but no man page nor command - so how to drive it?

From Martin Whitaker:
Easiest way is to use aria2c from the command line, e.g.
aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme

Indeed, aria2c exists as a command with a man page.

BEFORE the update:
Ran that command. It downloaded the file into the current directory.

AFTER the update: lib64cares2-1.10.0-5.1.mga5
Re-ran the command; it created mirror.readme.1
$ cmp mirror.readme mirror.readme.1
[the two files were identical]

Tried with:
$ strace aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme 2>&1 | grep ares
open("/lib64/libcares.so.2", O_RDONLY|O_CLOEXEC) = 3
which shows that the library was called. (But where does the normal command output go?)

A meatier trial showing typical output:
$ aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#e88310 11MiB/11MiB(98%) CN:1 DL:476KiB]
10/18 21:51:38 [NOTICE] Download complete: /home/lewis/part2pairs.zip

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
e88310|OK  |   473KiB/s|/home/lewis/part2pairs.zip

Status Legend:
(OK):download completed.

and the file was good. Run with strace as above shows the same single 'libcares' library call.
------------------------------------------------------------------
Another aria2 suggestion from Charles Edwards:
You can set it as the default "downloader" in /etc/urpmi.cfg
and from Herman:
Or in the section MCC - Software Management - Configure media - menu Options - Global options
which I have just done.

Charles again:
You can test it anytime you use urpmi by adding --aria2
urpmi --auto-update --aria2
urpmi.update -a --aria2
urpmi --auto-select --aria2
urpmi --aria2 <foo.rpm>
and so on......

I am OK'ing the update, but will keep an eye on rpm downloading.
Whiteboard: (none) => MGA5-64-OK
(In reply to Len Lawrence from comment #4)
> Proof of concept code is alluded to in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839151 but that does not
> seem to be publicly available.

(In reply to David Walser from comment #5)
> More info on this here too:
> http://openwall.com/lists/oss-security/2016/10/15/3

These references are essentially the same, and say only "We have been seen proof of concept code showing how this can be exploited in a real-world system, but we are not aware of any such instances having actually happened in the wild." No PoC.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0351.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED