c-ares 1.17.0 and 1.17.1 have been released on November 16 and 19: https://c-ares.haxx.se/changelog.html#1_17_1 They list 4 security issues fixed. The last, CVE-2020-8277, does not affect Mageia 7, according to Ubuntu: https://ubuntu.com/security/CVE-2020-8277 https://ubuntu.com/security/notices/USN-4638-1 but I'm not sure about the first three.
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => shlomifKeywords: (none) => Triaged
Assignee: shlomif => pkg-bugs
Updated package uploaded for Mageia 7. Advisory: ======================== Updated c-ares package fixes security vulnerabilities: * Avoid read-heap-buffer-overflow in ares_parse_soa_reply found during fuzzing * Avoid theoretical buffer overflow in RC4 loop comparison * Empty hquery->name could lead to invalid memory access * ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was passed in References: https://c-ares.haxx.se/changelog.html#1_17_1 ======================== Updated packages in core/updates_testing: ======================== lib64cares2-1.17.1-1.mga7 lib64cares-devel-1.17.1-1.mga7 from c-ares-1.17.1-1.mga7.src.rpm Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21115#c6 https://bugs.mageia.org/show_bug.cgi?id=21115#c7
Assignee: pkg-bugs => qa-bugsKeywords: Triaged => has_procedureCC: (none) => mrambo
mga7, x64 Repeated the aria2c test from https://bugs.mageia.org/show_bug.cgi?id=21115#c7 to download mirror.readme. All in order. Updated the two packages. Repeated the download test under strace. $ strace -o cares.trace aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme strace: decode_nlattr: [xlat 0x4e7e80, dflt "AF_???", decoders 0x7fff7ea75298] size is zero (going to pass nla_type as decoder argument), but opaque data (0x7fff7ea75330) is not - will be ignored strace: decode_nlattr: [xlat 0x4e7e80, dflt "AF_???", decoders 0x7fff7ea75298] size is zero (going to pass nla_type as decoder argument), but opaque data (0x7fff7ea75330) is not - will be ignored 01/04 11:53:27 [NOTICE] Downloading 1 item(s) 01/04 11:53:27 [NOTICE] Download complete: /home/lcl/mirror.readme Download Results: gid |stat|avg speed |path/URI ======+====+===========+======================================================= 1a632a|OK | 16KiB/s|/home/lcl/mirror.readme Status Legend: (OK):download completed. $ diff mirror.readme /tmp/mirror.readme $ grep cares cares.trace openat(AT_FDCWD, "/usr/lib64/libcares.so.2", O_RDONLY|O_CLOEXEC) = 3 $ sudo strace -o urpmi.trace urpmi --aria2 guava $MIRRORLIST: media/core/updates_testing/guava-25.0-2.1.mga7.noarch.rpm installing guava-25.0-2.1.mga7.noarch.rpm from /var/cache/urpmi/rpms Preparing... ############################################# 1/1: guava ############################################# $ sudo chown lcl:lcl urpmi.trace $ grep cares urpmi.trace stat("/usr/share/doc/lib64cares-devel/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 That looks a bit odd but we shall let it pass.
CC: (none) => tarazed25Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CC: (none) => ouaurelienKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0007.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED