Bug 21115 - c-ares new security issue CVE-2017-1000381
Summary: c-ares new security issue CVE-2017-1000381
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-06-20 14:57 CEST by David Walser
Modified: 2017-07-23 22:08 CEST

See Also:
Source RPM: c-ares-1.12.0-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-06-20 14:57:34 CEST
Upstream has issued an advisory today (June 20):
https://c-ares.haxx.se/adv_20170620.html

The page above includes a link to a patch.  The issue is also fixed in 1.13.0.

Mageia 5 is also affected.

David Walser 2017-06-20 14:57:44 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-06-20 22:17:08 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2017-06-23 22:47:03 CEST
Fedora has issued an advisory for this on June 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WSDFKTQNDIAOE6HOLX7AP55ELR5SNJI2/

Comment 3 David Walser 2017-06-24 23:54:04 CEST
c-ares-1.13.0-1.mga6 uploaded for Cauldron to fix this.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 Shlomi Fish 2017-07-05 15:23:40 CEST
c-ares-1.10.0-5.2.mga5 uploaded to mga5 core/updates_testing with the patch. Assigning to QA. Please test.

Status: NEW => ASSIGNED
Assignee: shlomif => qa-bugs

Comment 5 David Walser 2017-07-06 01:43:13 CEST
Advisory:
========================

Updated c-ares packages fix security vulnerability:

The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR
responses, could be triggered to read memory outside of the given input buffer
if the passed in DNS response packet was crafted in a particular way
(CVE-2017-1000381).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://c-ares.haxx.se/adv_20170620.html
========================

Updated packages in core/updates_testing:
========================
libcares2-1.10.0-5.2.mga5
libcares-devel-1.10.0-5.2.mga5
libcares-static-devel-1.10.0-5.2.mga5

from c-ares-1.10.0-5.2.mga5.src.rpm
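
The class of bug named in the advisory above (a NAPTR parser reading past its input buffer) is avoided by checking every length against the end of the record before reading. The following is an added example, not c-ares code and not the upstream patch; it assumes the RFC 3403 RDATA layout with an uncompressed REPLACEMENT name, and all names and sample bytes in it are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout; this is not c-ares code. */
struct naptr {
    uint16_t order, preference;
    char flags[256], services[256], regexp[256];
    size_t replacement_len; /* wire length of REPLACEMENT, root label included */
};

/* Copy one <character-string> (length byte + data) without reading past end. */
static const uint8_t *read_cstr(const uint8_t *p, const uint8_t *end, char out[256]) {
    if (p == NULL || p >= end) return NULL;   /* no byte left for the length */
    size_t n = *p++;
    if ((size_t)(end - p) < n) return NULL;   /* declared length overruns RDATA */
    memcpy(out, p, n);
    out[n] = '\0';
    return p + n;
}

/* Returns 0 on success, -1 if the record is truncated or malformed. */
int parse_naptr_rdata(const uint8_t *rdata, size_t rdlen, struct naptr *out) {
    const uint8_t *p = rdata, *end = rdata + rdlen;
    if (rdlen < 8) return -1; /* 2 order + 2 pref + 3 length bytes + root label */
    out->order = (uint16_t)((p[0] << 8) | p[1]);
    out->preference = (uint16_t)((p[2] << 8) | p[3]);
    p = read_cstr(p + 4, end, out->flags);
    p = read_cstr(p, end, out->services);
    p = read_cstr(p, end, out->regexp);
    if (p == NULL) return -1;
    for (const uint8_t *name = p;;) {         /* REPLACEMENT: uncompressed labels */
        if (p >= end) return -1;              /* ran out before the root label */
        size_t len = *p++;
        if (len > 63 || (size_t)(end - p) < len) return -1;
        p += len;
        if (len == 0) { out->replacement_len = (size_t)(p - name); break; }
    }
    return p == end ? 0 : -1;                 /* trailing bytes are malformed too */
}

/* Constructed samples: a valid record, and one whose SERVICES length lies. */
static const uint8_t sample_ok[]  = {0,100, 0,10, 1,'u', 3,'s','i','p', 0, 0};
static const uint8_t sample_bad[] = {0,100, 0,10, 1,'u', 200,'s','i','p'};

int main(void) {
    struct naptr n;
    return (parse_naptr_rdata(sample_ok, sizeof sample_ok, &n) == 0 &&
            parse_naptr_rdata(sample_bad, sizeof sample_bad, &n) == -1) ? 0 : 1;
}
```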

Comment 6 Herman Viaene 2017-07-19 11:00:39 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues
Ref. to bug 19489 Comment 6, I ran at CLI:
$ strace -o /home/tester5/Documenten/libcarestxt aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#ce37cf 11MiB/11MiB(97%) CN:1 DL:1.0MiB]                                                                             
07/19 10:52:31 [NOTICE] Download afgerond: /home/tester5/Downloads/part2pairs.zip

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
ce37cf|OK  |   1.0MiB/s|/home/tester5/Downloads/part2pairs.zip

Status Legend:
(OK):download completed.

Which gave me a nice set of pictures and the trace shows calling libcares.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-07-20 20:46:27 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 7 Lewis Smith 2017-07-23 09:36:12 CEST
Testing M5 x64 as per https://bugs.mageia.org/show_bug.cgi?id=19489#c6

BEFORE the update: lib64cares2-1.10.0-5.1.mga5

1a)
 $  aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
07/23 09:09:42 [NOTICE] Download complete: /home/lewis/mirror.readme
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
4ca206|OK  |    11KiB/s|/home/lewis/mirror.readme

AFTER updating the pkg to: lib64cares2-1.10.0-5.2.mga5
 
1b)
 $ aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
07/23 09:13:11 [NOTICE] File already exists. Renamed to /home/lewis/mirror.readme.1.
07/23 09:13:11 [NOTICE] Download complete: /home/lewis/mirror.readme.1
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
642863|OK  |    12KiB/s|/home/lewis/mirror.readme.1
Status Legend:
(OK):download completed.

1c)
 $ cmp mirror.readme mirror.readme.1
 $                                 [both files identical]

2)
 $ aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#deaaf7 11MiB/11MiB(96%) CN:1 DL:464KiB]                                      
07/23 09:17:10 [NOTICE] Download complete: /home/lewis/part2pairs.zip
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
deaaf7|OK  |   461KiB/s|/home/lewis/part2pairs.zip
Status Legend:
(OK):download completed.

The zip file contains several .ppm image files, all viewed correctly.
Strace showed for all commands that the library is opened:
 open("/lib64/libcares.so.2", O_RDONLY|O_CLOEXEC) = 3
Update looks good. Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-07-23 22:08:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0215.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED