Bug 27654 - c-ares possible new security issues fixed upstream in 1.17.1
Summary: c-ares possible new security issues fixed upstream in 1.17.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-23 20:08 CET by David Walser
Modified: 2021-01-08 15:00 CET

See Also:
Source RPM: c-ares-1.15.0-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-11-23 20:08:44 CET
c-ares 1.17.0 and 1.17.1 have been released on November 16 and 19:
https://c-ares.haxx.se/changelog.html#1_17_1

They list 4 security issues fixed.  The last, CVE-2020-8277, does not affect Mageia 7, according to Ubuntu:
https://ubuntu.com/security/CVE-2020-8277
https://ubuntu.com/security/notices/USN-4638-1

but I'm not sure about the first three.
Comment 1 Aurelien Oudelet 2020-11-25 18:32:30 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => shlomif
Keywords: (none) => Triaged

David Walser 2020-12-27 23:47:52 CET

Assignee: shlomif => pkg-bugs

Comment 2 Mike Rambo 2020-12-30 18:08:27 CET
Updated package uploaded for Mageia 7.

Advisory:
========================

Updated c-ares package fixes security vulnerabilities:

* Avoid read-heap-buffer-overflow in ares_parse_soa_reply found during fuzzing
* Avoid theoretical buffer overflow in RC4 loop comparison
* Empty hquery->name could lead to invalid memory access
* ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was passed in


References:
https://c-ares.haxx.se/changelog.html#1_17_1
========================

Updated packages in core/updates_testing:
========================
lib64cares2-1.17.1-1.mga7
lib64cares-devel-1.17.1-1.mga7

from c-ares-1.17.1-1.mga7.src.rpm


Test procedure:
https://bugs.mageia.org/show_bug.cgi?id=21115#c6
https://bugs.mageia.org/show_bug.cgi?id=21115#c7

Assignee: pkg-bugs => qa-bugs
Keywords: Triaged => has_procedure
CC: (none) => mrambo

Comment 3 Len Lawrence 2021-01-04 13:23:48 CET
mga7, x64

Repeated the aria2c test from https://bugs.mageia.org/show_bug.cgi?id=21115#c7 to download mirror.readme.  All in order.

Updated the two packages.
Repeated the download test under strace.
$ strace -o cares.trace aria2c ftp://ftp.mirrorservice.org/pub/mageia/mirror.readme
strace: decode_nlattr: [xlat 0x4e7e80, dflt "AF_???", decoders 0x7fff7ea75298] size is zero (going to pass nla_type as decoder argument), but opaque data (0x7fff7ea75330) is not - will be ignored
strace: decode_nlattr: [xlat 0x4e7e80, dflt "AF_???", decoders 0x7fff7ea75298] size is zero (going to pass nla_type as decoder argument), but opaque data (0x7fff7ea75330) is not - will be ignored

01/04 11:53:27 [NOTICE] Downloading 1 item(s)

01/04 11:53:27 [NOTICE] Download complete: /home/lcl/mirror.readme

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
1a632a|OK  |    16KiB/s|/home/lcl/mirror.readme

Status Legend:
(OK):download completed.
$ diff mirror.readme /tmp/mirror.readme
$ grep cares cares.trace
openat(AT_FDCWD, "/usr/lib64/libcares.so.2", O_RDONLY|O_CLOEXEC) = 3

$ sudo strace -o urpmi.trace urpmi --aria2 guava
    $MIRRORLIST: media/core/updates_testing/guava-25.0-2.1.mga7.noarch.rpm
installing guava-25.0-2.1.mga7.noarch.rpm from /var/cache/urpmi/rpms           
Preparing...                     #############################################
      1/1: guava                 #############################################
$ sudo chown lcl:lcl urpmi.trace
$ grep cares urpmi.trace
stat("/usr/share/doc/lib64cares-devel/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

That looks a bit odd but we shall let it pass.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2021-01-04 18:32:38 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Aurelien Oudelet 2021-01-08 11:16:24 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-01-08 15:00:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0007.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

