Bug 21115 - c-ares new security issue CVE-2017-1000381
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Reported: 2017-06-20 14:57 CEST by David Walser
Modified: 2017-07-23 22:08 CEST
Source RPM: c-ares-1.12.0-1.mga6.src.rpm


Description David Walser 2017-06-20 14:57:34 CEST
Upstream has issued an advisory today (June 20):

The page above includes a link to a patch.  The issue is also fixed in 1.13.0.

Mageia 5 is also affected.
Comment 1 Marja van Waes 2017-06-20 22:17:08 CEST
Assigning to the registered maintainer.
Comment 2 David Walser 2017-06-23 22:47:03 CEST
Fedora has issued an advisory for this on June 22:
Comment 3 David Walser 2017-06-24 23:54:04 CEST
c-ares-1.13.0-1.mga6 uploaded for Cauldron to fix this.
Comment 4 Shlomi Fish 2017-07-05 15:23:40 CEST
c-ares-1.10.0-5.2.mga5 uploaded to mga5 core/updates_testing with the patch. Assigning to QA. Please test.
Comment 5 David Walser 2017-07-06 01:43:13 CEST

Updated c-ares packages fix security vulnerability:

The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR
responses, could be triggered to read memory outside of the given input buffer
if the passed in DNS response packet was crafted in a particular way.


Updated packages in core/updates_testing:

from c-ares-1.10.0-5.2.mga5.src.rpm
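
As an added illustration of the bug class described in Comment 5 (not c-ares code and not the upstream patch): a walk over NAPTR RDATA, laid out per RFC 3403, that checks every length byte against the end of the buffer before reading. The names naptr_view, read_charstr and parse_naptr_rdata and both sample records are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical view type for this example (not a c-ares structure). */
struct naptr_view {
    uint16_t order, preference;
    const uint8_t *flags, *services, *regexp; /* point into rdata, not NUL-terminated */
    uint8_t flags_len, services_len, regexp_len;
};

/* Constructed samples: SAMPLE_BAD's services length byte claims 64 bytes that are not there. */
const uint8_t SAMPLE_OK[]  = {0, 100, 0, 10, 1, 'u', 3, 'E', '2', 'U', 0, 0};
const uint8_t SAMPLE_BAD[] = {0, 100, 0, 10, 1, 'u', 64, 'E', '2', 'U'};

/* Read one DNS <character-string> (length byte + data) at *off; -1 if it would pass the end. */
static int read_charstr(const uint8_t *p, size_t len, size_t *off,
                        const uint8_t **out, uint8_t *out_len) {
    if (*off >= len) return -1;                 /* no room for the length byte */
    uint8_t n = p[*off];
    if ((size_t)n > len - *off - 1) return -1;  /* data would cross the end */
    *out = p + *off + 1;
    *out_len = n;
    *off += 1 + (size_t)n;
    return 0;
}

/* Parse NAPTR RDATA (RFC 3403 layout). Returns 0 if well-formed, -1 otherwise. */
int parse_naptr_rdata(const uint8_t *p, size_t len, struct naptr_view *v) {
    size_t off = 4;
    if (len < 4) return -1;                     /* ORDER + PREFERENCE */
    v->order = (uint16_t)((p[0] << 8) | p[1]);
    v->preference = (uint16_t)((p[2] << 8) | p[3]);
    if (read_charstr(p, len, &off, &v->flags, &v->flags_len) ||
        read_charstr(p, len, &off, &v->services, &v->services_len) ||
        read_charstr(p, len, &off, &v->regexp, &v->regexp_len))
        return -1;
    while (off < len) {                         /* REPLACEMENT: uncompressed labels */
        uint8_t l = p[off];
        if (l == 0) return 0;                   /* root label ends the name */
        if (l > 63 || (size_t)l > len - off - 1) return -1;
        off += 1 + (size_t)l;
    }
    return -1;                                  /* no terminating root label */
}

int main(void) { /* exit status 0: good sample parses, truncated one is rejected */
    struct naptr_view v;
    return !(parse_naptr_rdata(SAMPLE_OK, sizeof SAMPLE_OK, &v) == 0 &&
             parse_naptr_rdata(SAMPLE_BAD, sizeof SAMPLE_BAD, &v) == -1);
}
```
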
Comment 6 Herman Viaene 2017-07-19 11:00:39 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues
Ref. to bug 19489 Comment 6, I ran at the CLI:
$ strace -o /home/tester5/Documenten/libcarestxt aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#ce37cf 11MiB/11MiB(97%) CN:1 DL:1.0MiB]                                                                             
07/19 10:52:31 [NOTICE] Download afgerond: /home/tester5/Downloads/part2pairs.zip

Download Results:
gid   |stat|avg speed  |path/URI
ce37cf|OK  |   1.0MiB/s|/home/tester5/Downloads/part2pairs.zip

Status Legend:
(OK):download completed.

Which gave me a nice set of pictures and the trace shows calling libcares.
Comment 7 Lewis Smith 2017-07-23 09:36:12 CEST
Testing M5 x64 as per https://bugs.mageia.org/show_bug.cgi?id=19489#c6

BEFORE the update: lib64cares2-1.10.0-5.1.mga5

 $  aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
07/23 09:09:42 [NOTICE] Download complete: /home/lewis/mirror.readme
Download Results:
gid   |stat|avg speed  |path/URI
4ca206|OK  |    11KiB/s|/home/lewis/mirror.readme

AFTER updating the pkg to: lib64cares2-1.10.0-5.2.mga5
 $ aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
07/23 09:13:11 [NOTICE] File already exists. Renamed to /home/lewis/mirror.readme.1.
07/23 09:13:11 [NOTICE] Download complete: /home/lewis/mirror.readme.1
Download Results:
gid   |stat|avg speed  |path/URI
642863|OK  |    12KiB/s|/home/lewis/mirror.readme.1
Status Legend:
(OK):download completed.

 $ cmp mirror.readme mirror.readme.1
 $                                 [both files identical]

 $ aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#deaaf7 11MiB/11MiB(96%) CN:1 DL:464KiB]                                      
07/23 09:17:10 [NOTICE] Download complete: /home/lewis/part2pairs.zip
Download Results:
gid   |stat|avg speed  |path/URI
deaaf7|OK  |   461KiB/s|/home/lewis/part2pairs.zip
Status Legend:
(OK):download completed.

The zip file contains several .ppm image files, all viewed correctly.
Strace showed for all commands that the library is opened:
 open("/lib64/libcares.so.2", O_RDONLY|O_CLOEXEC) = 3
Update looks good. Validating.
Comment 8 Mageia Robot 2017-07-23 22:08:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

