
Issue 734931 link

Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: ----
Type: Bug-Security

Security: c-ares NAPTR parser out of bounds access

Project Member Reported by mnissler@chromium.org, Jun 20 2017

Issue description

Per https://c-ares.haxx.se/adv_20170620.html:


VULNERABILITY
-------------

The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given input
buffer if the passed in DNS response packet was crafted in a particular way.

We are not aware of any exploits of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000381 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following c-ares versions.

- Affected versions: c-ares 1.8.0 to and including 1.12.0
- Not affected versions: c-ares >= 1.13.0

THE SOLUTION
------------

In version 1.13.0, the `RR_len` value gets checked properly and the function
is also added to the fuzz testing. It was previously accidentally left out
from that.

A [patch for CVE-2017-1000381](https://c-ares.haxx.se/CVE-2017-1000381.patch)
is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade c-ares to version 1.13.0

 B - Apply the patch to your version and rebuild

 C - Do not use `ares_parse_naptr_reply()`.



I don't think we're calling into ares_parse_naptr_reply(), so we're not affected as far as I can tell. It still makes sense to pull in 1.13.0 once Gentoo has it.

CC'ing a few folks FYI.
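As an added illustration that is not c-ares code and not the upstream patch, the following C parser shows the shape of the check the advisory refers to: the RR length taken from the packet is validated against the response buffer before any field is read, and every inner length is then validated against the RR. The struct, function names and the sample record below are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Decoded NAPTR RDATA fields (RFC 3403); pointers refer into the response buffer. */
struct naptr_rdata {
    uint16_t order, preference;
    const unsigned char *flags, *services, *regexp, *replacement;
    size_t flags_len, services_len, regexp_len, replacement_len;
};
/* Read one DNS <character-string> (length byte + data) at *pos, never past end. */
static int read_cstring(const unsigned char *buf, size_t end, size_t *pos,
                        const unsigned char **out, size_t *out_len)
{
    if (*pos >= end) return -1;                 /* no room for the length byte */
    size_t len = buf[*pos];
    if (len > end - (*pos + 1)) return -1;      /* data would run past the RR */
    *out = buf + *pos + 1; *out_len = len;
    *pos += 1 + len; return 0;
}
/* Parse the NAPTR RDATA at abuf+rr_off (wire length rr_len) inside a response of alen
 * bytes. rr_len comes from the packet, so it is checked against alen before anything is
 * read; each inner length is then checked against rr_len. Returns 0 (ok) or -1 (reject). */
int parse_naptr_rdata(const unsigned char *abuf, size_t alen,
                      size_t rr_off, size_t rr_len, struct naptr_rdata *out)
{
    if (rr_off > alen || rr_len > alen - rr_off) return -1;  /* RR overruns response */
    if (rr_len < 4) return -1;                               /* ORDER + PREFERENCE */
    size_t end = rr_off + rr_len, pos = rr_off;
    out->order      = (uint16_t)((abuf[pos] << 8) | abuf[pos + 1]);
    out->preference = (uint16_t)((abuf[pos + 2] << 8) | abuf[pos + 3]);
    pos += 4;
    if (read_cstring(abuf, end, &pos, &out->flags, &out->flags_len) ||
        read_cstring(abuf, end, &pos, &out->services, &out->services_len) ||
        read_cstring(abuf, end, &pos, &out->regexp, &out->regexp_len))
        return -1;
    out->replacement = abuf + pos;   /* uncompressed name; root label must lie inside RR */
    while (pos < end && abuf[pos] != 0) {
        size_t lab = abuf[pos];
        if (lab > 63 || lab > end - (pos + 1)) return -1;    /* compression ptr or overlong */
        pos += 1 + lab;
    }
    if (pos >= end) return -1;                               /* root label missing */
    out->replacement_len = pos + 1 - (size_t)(out->replacement - abuf);
    return (pos + 1 == end) ? 0 : -1;                        /* trailing bytes: reject */
}
/* Constructed sample: order 100, pref 10, flags "S", services "SIP+D2U", regexp "",
 * replacement _sip._udp.example.com. (38 bytes of RDATA, no name compression). */
const unsigned char sample_naptr[] = { 0x00, 0x64, 0x00, 0x0a, 1, 'S',
    7, 'S', 'I', 'P', '+', 'D', '2', 'U', 0, 4, '_', 's', 'i', 'p', 4, '_', 'u', 'd', 'p',
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0 };
```

Feeding the parser a response whose RR length field claims more bytes than the buffer holds fails at the first check, which is the case the advisory describes; a truncated record or an oversized inner length is rejected by the later checks.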
 
Owner: mnissler@chromium.org
Status: Assigned (was: Unconfirmed)
To prevent a dangling security bug, assigning to me for now. Feel free to grab any time.
Project Member

Comment 2 by bugdroid1@chromium.org, Nov 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/c4fcb92ebcc82ecc25360665f2ddde8caba32820

commit c4fcb92ebcc82ecc25360665f2ddde8caba32820
Author: Mattias Nissler <mnissler@chromium.org>
Date: Tue Nov 28 21:34:29 2017

net-dns/c-ares: Uprev to net-dns/c-ares-1.13.0 from upstream

BUG= chromium:734931 
TEST=Builds.

Change-Id: Ied95545622020a9d04ae86838ddd61894532f2dd
Reviewed-on: https://chromium-review.googlesource.com/790512
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/c4fcb92ebcc82ecc25360665f2ddde8caba32820/net-dns/c-ares/Manifest
[rename] https://crrev.com/c4fcb92ebcc82ecc25360665f2ddde8caba32820/net-dns/c-ares/c-ares-1.13.0.ebuild

Status: Fixed (was: Assigned)
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 29 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 5 by sheriffbot@chromium.org, Mar 7 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Verified (was: Fixed)
Bulk verify old fixed bugs...
