fix CVE-2020-8277

(cherry picked from commit 011e521b3701c7b73ac02a7278e877c50eafbf39)
guoxiaoqi 2021-03-11 16:14:56 +08:00 committed by openeuler-sync-bot
parent 6d6556ba04
commit 79f5320e52
2 changed files with 64 additions and 1 deletions

CVE-2020-8277.patch Normal file

@ -0,0 +1,53 @@
From 0d252eb3b2147179296a3bdb4ef97883c97c54d3 Mon Sep 17 00:00:00 2001
From: bradh352 <brad@brad-house.com>
Date: Thu, 12 Nov 2020 10:24:40 -0500
Subject: [PATCH] ares_parse_{a,aaaa}_reply could return larger *naddrttls than
passed in
If there are more ttls returned than the maximum provided by the requestor, then
the *naddrttls response would be larger than the actual number of elements in
the addrttls array.
This bug could lead to invalid memory accesses in applications using c-ares.
This behavior appeared to break with PR #257
Fixes: #371
Reported By: Momtchil Momtchev (@mmomtchev)
Fix By: Brad House (@bradh352)
---
ares_parse_a_reply.c | 3 ++-
ares_parse_aaaa_reply.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ares_parse_a_reply.c b/ares_parse_a_reply.c
index d8a9e9b..e71c993 100644
--- a/ares_parse_a_reply.c
+++ b/ares_parse_a_reply.c
@@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
if (naddrttls)
{
- *naddrttls = naddrs;
+ /* Truncated to at most *naddrttls entries */
+ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
}
ares__freeaddrinfo_cnames(ai.cnames);
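Review bot: The clamp on the added line `*naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;` takes the caller's incoming *naddrttls as the array capacity without checking its sign. If a caller passes a negative value, naddrs (a count, assumed non-negative) compares greater and the negative value is written back unchanged. Consider rejecting or zeroing a negative capacity before this point. The expression is also only correct if nothing earlier in the function has stored to *naddrttls; reading the capacity into a local at function entry and clamping against that local would make the dependency explicit.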
diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c
index 0d39bfa..346d430 100644
--- a/ares_parse_aaaa_reply.c
+++ b/ares_parse_aaaa_reply.c
@@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
if (naddrttls)
{
- *naddrttls = naddrs;
+ /* Truncated to at most *naddrttls entries */
+ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
}
ares__freeaddrinfo_cnames(ai.cnames);
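Review bot: The clamp in ares_parse_aaaa_reply.c is a verbatim copy of the one in ares_parse_a_reply.c, and the diffstat (2 files changed, 4 insertions, 2 deletions) shows that no test accompanies either copy. A regression test that parses a reply carrying more address records than the *naddrttls passed in, and asserts that the returned count does not exceed it, for both the A and the AAAA parser, would keep the two copies from drifting apart. As a style point, the ternary would read better with spaces around `?` and `:`.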
--
1.8.3.1


@ -1,6 +1,6 @@
Name: c-ares Name: c-ares
Version: 1.16.1 Version: 1.16.1
Release: 1 Release: 3
Summary: A C library for asynchronous DNS requests Summary: A C library for asynchronous DNS requests
License: MIT License: MIT
@ -13,6 +13,7 @@ Patch0: 0000-Use-RPM-compiler-options.patch
Patch1: 0001-Fix-invalid-read-in-ares_parse_soa_reply.patch Patch1: 0001-Fix-invalid-read-in-ares_parse_soa_reply.patch
Patch2: 0002-Fix-sizeof-sizeof-addr.saX-sizeof-addr.saX-in-readad.patch Patch2: 0002-Fix-sizeof-sizeof-addr.saX-sizeof-addr.saX-in-readad.patch
Patch3: 0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch Patch3: 0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
Patch4: CVE-2020-8277.patch
%description %description
This is c-ares, an asynchronous resolver library. It is intended for applications This is c-ares, an asynchronous resolver library. It is intended for applications
which need to perform DNS queries without blocking, or need to perform multiple which need to perform DNS queries without blocking, or need to perform multiple
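Review bot: Patch4 is declared in this hunk, but none of the spec hunks shown touches %prep, so the fix only reaches the build if the existing %prep applies every declared patch automatically (for example through %autosetup or %autopatch). If %prep uses explicit per-patch lines instead, the entry for Patch4 is missing and the package would be released as 1.16.1-3 without the fix. Confirm in the build log that CVE-2020-8277.patch is actually applied.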
@ -55,6 +56,15 @@ make %{?_smp_mflags}
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1.16.1-3
- fix CVE-2020-8277
* Tue Sep 8 2020 lunankun <lunankun@huawei.com> - 1.16.1-2
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix source0 url
* Tue Aug 25 2020 gaihuiying <gaihuiying1@huawei.com> - 1.16.1-1 * Tue Aug 25 2020 gaihuiying <gaihuiying1@huawei.com> - 1.16.1-1
- Type:requirement - Type:requirement
- ID:NA - ID:NA
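Review bot: The new 1.16.1-3 changelog entry is a bare `- fix CVE-2020-8277`, while the adjacent entries use the Type/ID/SUG/DESC fields. Following that layout, with the CVE identifier in the ID field, keeps the changelog searchable when tracking which release carries the fix. This hunk also adds the 1.16.1-2 entry, which lines up with Release going from 1 to 3 in the first spec hunk; confirm that jump is intended for this branch.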