Bug 21115 - c-ares new security issue CVE-2017-1000381
Summary: c-ares new security issue CVE-2017-1000381
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-06-20 14:57 CEST by David Walser
Modified: 2017-07-23 22:08 CEST (History)
4 users (show)

See Also:
Source RPM: c-ares-1.12.0-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-06-20 14:57:34 CEST
Upstream has issued an advisory today (June 20):
https://c-ares.haxx.se/adv_20170620.html

The page above includes a link to a patch.  The issue is also fixed in 1.13.0.

Mageia 5 is also affected.
David Walser 2017-06-20 14:57:44 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja van Waes 2017-06-20 22:17:08 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2017-06-23 22:47:03 CEST
Fedora has issued an advisory for this on June 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WSDFKTQNDIAOE6HOLX7AP55ELR5SNJI2/
Comment 3 David Walser 2017-06-24 23:54:04 CEST
c-ares-1.13.0-1.mga6 uploaded for Cauldron to fix this.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 Shlomi Fish 2017-07-05 15:23:40 CEST
c-ares-1.10.0-5.2.mga5 	uploaded to mga5 core/updates_testing with the patch. Assiging to QA. Please test.

Assignee: shlomif => qa-bugs
Status: NEW => ASSIGNED

Comment 5 David Walser 2017-07-06 01:43:13 CEST
Advisory:
========================

Updated c-ares packages fix security vulnerability:

The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR
responses, could be triggered to read memory outside of the given input buffer
if the passed in DNS response packet was crafted in a particular way
(CVE-2017-1000381).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://c-ares.haxx.se/adv_20170620.html
========================

Updated packages in core/updates_testing:
========================
libcares2-1.10.0-5.2.mga5
libcares-devel-1.10.0-5.2.mga5
libcares-static-devel-1.10.0-5.2.mga5

from c-ares-1.10.0-5.2.mga5.src.rpm
Comment 6 Herman Viaene 2017-07-19 11:00:39 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues
Ref. to bug 19489 Comment 6 I run at CLI:
$ strace -o /home/tester5/Documenten/libcarestxt aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#ce37cf 11MiB/11MiB(97%) CN:1 DL:1.0MiB]                                                                             
07/19 10:52:31 [NOTICE] Download afgerond: /home/tester5/Downloads/part2pairs.zip

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
ce37cf|OK  |   1.0MiB/s|/home/tester5/Downloads/part2pairs.zip

Status Legend:
(OK):download completed.

Which gave me a nice set of pictures and the trace shows calling libcares.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-07-20 20:46:27 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith

Comment 7 Lewis Smith 2017-07-23 09:36:12 CEST
Testing M5 x64 as per https://bugs.mageia.org/show_bug.cgi?id=19489#c6

BEFORE the update: lib64cares2-1.10.0-5.1.mga5

1a)
 $  aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
07/23 09:09:42 [NOTICE] Download complete: /home/lewis/mirror.readme
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
4ca206|OK  |    11KiB/s|/home/lewis/mirror.readme

AFTER updating the pkg to: lib64cares2-1.10.0-5.2.mga5
 
1b)
 $ aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
07/23 09:13:11 [NOTICE] File already exists. Renamed to /home/lewis/mirror.readme.1.
07/23 09:13:11 [NOTICE] Download complete: /home/lewis/mirror.readme.1
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
642863|OK  |    12KiB/s|/home/lewis/mirror.readme.1
Status Legend:
(OK):download completed.

1c)
 $ cmp mirror.readme mirror.readme.1
 $                                 [both files identical]

2)
 $ aria2c http://www.cs.cornell.edu/courses/cs664/2003fa/images/project2/part2/part2pairs.zip
[#deaaf7 11MiB/11MiB(96%) CN:1 DL:464KiB]                                      
07/23 09:17:10 [NOTICE] Download complete: /home/lewis/part2pairs.zip
Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
deaaf7|OK  |   461KiB/s|/home/lewis/part2pairs.zip
Status Legend:
(OK):download completed.

The zip files contains several .ppm image files, all viewed correctly.
Strace showed for all commands that the library is opened:
 open("/lib64/libcares.so.2", O_RDONLY|O_CLOEXEC) = 3
Update looks good. Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-07-23 22:08:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0215.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.