Bug 32894 - c-ares new security issue CVE-2024-25629
Summary: c-ares new security issue CVE-2024-25629
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All; OS: Linux
Priority: Normal; Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-02-26 10:29 CET by Nicolas Salguero
Modified: 2024-02-28 06:49 CET

See Also:
Source RPM: c-ares-1.19.1-1.mga9.src.rpm
CVE: CVE-2024-25629
Status comment:



Description Nicolas Salguero 2024-02-26 10:29:08 CET
A security issue in c-ares was announced on February 23:
https://www.openwall.com/lists/oss-security/2024/02/23/2

The issues are fixed upstream in 1.27.0:
https://c-ares.org/changelog.html
https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q

The following commit fixes the issue:
https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183

Mageia 9 is also affected.
Nicolas Salguero 2024-02-26 10:30:06 CET

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-25629
Status comment: (none) => Patch available from upstream and fixed upstream in 1.27.0
Source RPM: (none) => c-ares-1.21.0-1.mga10.src.rpm

Comment 1 Lewis Smith 2024-02-26 21:23:51 CET
Our current v1.21.0 is only 3 months old. The update to v1.27.0 looks like the easiest option.

No particular packager for this SRPM, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-02-27 11:58:55 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Out of bounds read in ares__read_line(). (CVE-2024-25629)

References:
https://www.openwall.com/lists/oss-security/2024/02/23/2
https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q
========================

Updated packages in core/updates_testing:
========================
lib(64)cares2-1.19.1-1.1.mga9
lib(64)cares-devel-1.19.1-1.1.mga9

from SRPM:
c-ares-1.19.1-1.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Source RPM: c-ares-1.21.0-1.mga10.src.rpm => c-ares-1.19.1-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status comment: Patch available from upstream and fixed upstream in 1.27.0 => (none)

katnatek 2024-02-27 21:46:50 CET

Keywords: (none) => advisory

Comment 3 katnatek 2024-02-27 21:55:39 CET
Real Hardware Mageia 9 x86_64

installing lib64cares2-1.19.1-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64cares2           ##################################################################################################
      1/1: removing lib64cares2-1.19.1-1.mga9.x86_64
                                 ##################################################################################################

My megasync package requires this library.
Installing the package produced no complaints.
It runs from the terminal without issue and still works.

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-02-28 01:32:17 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-02-28 06:49:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0051.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

