Debian Bug report logs -
#865360
c-ares: CVE-2017-1000381: NAPTR parser out of bounds access
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 20 Jun 2017 17:12:07 UTC
Severity: important
Tags: patch, security, upstream
Found in versions c-ares/1.10.0-2, c-ares/1.12.0-2
Fixed in versions c-ares/1.12.0-4, c-ares/1.12.0-1+deb9u1, c-ares/1.10.0-2+deb8u2
Done: Gregor Jasny <gjasny@googlemail.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gregor Jasny <gjasny@googlemail.com>:
Bug#865360; Package src:c-ares.
(Tue, 20 Jun 2017 17:12:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gregor Jasny <gjasny@googlemail.com>.
(Tue, 20 Jun 2017 17:12:10 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: c-ares
Version: 1.12.0-2
Severity: important
Tags: security patch upstream
Hi,
the following vulnerability was published for c-ares.
CVE-2017-1000381[0]:
c-ares NAPTR parser out of bounds access
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-1000381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
[1] http://www.openwall.com/lists/oss-security/2017/06/20/1
[2] https://c-ares.haxx.se/adv_20170620.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions c-ares/1.10.0-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 20 Jun 2017 17:18:02 GMT) (full text, mbox, link).
Reply sent
to Gregor Jasny <gjasny@googlemail.com>:
You have taken responsibility.
(Sun, 25 Jun 2017 21:51:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 25 Jun 2017 21:51:05 GMT) (full text, mbox, link).
Message #12 received at 865360-close@bugs.debian.org (full text, mbox, reply):
Source: c-ares
Source-Version: 1.12.0-4
We believe that the bug you reported is fixed in the latest version of
c-ares, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 865360@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gregor Jasny <gjasny@googlemail.com> (supplier of updated c-ares package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 25 Jun 2017 22:53:15 +0200
Source: c-ares
Binary: libc-ares-dev libc-ares2
Architecture: source amd64
Version: 1.12.0-4
Distribution: unstable
Urgency: high
Maintainer: Gregor Jasny <gjasny@googlemail.com>
Changed-By: Gregor Jasny <gjasny@googlemail.com>
Description:
libc-ares-dev - asynchronous name resolver - development files
libc-ares2 - asynchronous name resolver
Closes: 865360
Changes:
c-ares (1.12.0-4) unstable; urgency=high
.
* Add patch for CVE-2017-1000381 (Closes: #865360)
Checksums-Sha1:
ea6fe2224ea763f4af5d9589f6e02739f7345b6e 1954 c-ares_1.12.0-4.dsc
415fca001f9d9cfe64f2b62e7298694eb176e6fe 9656 c-ares_1.12.0-4.debian.tar.xz
21196be9cb7f4fa77dfa6067a03e233be5c98008 6723 c-ares_1.12.0-4_amd64.buildinfo
a9bdafab2bd82b9c2d1c0c62a8a0042d3773e043 154378 libc-ares-dev_1.12.0-4_amd64.deb
ec356515a517a8587cdd2f0446ad885aabac2796 109118 libc-ares2-dbgsym_1.12.0-4_amd64.deb
3837f233db2bbc228d3853a52df178afd9e964ab 81548 libc-ares2_1.12.0-4_amd64.deb
Checksums-Sha256:
469885970cf3ba5536ea1ee4d24487babd808a2156d7eac4ae1cad71b927fe94 1954 c-ares_1.12.0-4.dsc
d9ae0ce9deb5ef4caef6564fc91a305485657dc29ca582278bcf3e1d371c68ae 9656 c-ares_1.12.0-4.debian.tar.xz
8e56315ed4a6cac714c31f075c7033a285a5bbef7a4e7088f4476301016af1a5 6723 c-ares_1.12.0-4_amd64.buildinfo
2075bc6611b4b6bd062e0f5a2a4c2b28eedbe94627f2102b3ae0a8b219d0b006 154378 libc-ares-dev_1.12.0-4_amd64.deb
0fa619e32d3521d8447b13842be3d61e95c0d66686148611a7ca5eeef4d5198d 109118 libc-ares2-dbgsym_1.12.0-4_amd64.deb
4d051f69c53c60f90d86225a63ae80197dcb7cdf41f8d13ee1a7336e237074ce 81548 libc-ares2_1.12.0-4_amd64.deb
Files:
9933ba2ef4a1ac986b322026feef056a 1954 libs extra c-ares_1.12.0-4.dsc
697f0acac0e6ceb389beba4ee81403a0 9656 libs extra c-ares_1.12.0-4.debian.tar.xz
c5abb1b3bd72661fac0916656e06b35b 6723 libs extra c-ares_1.12.0-4_amd64.buildinfo
94a607f78583d3cf6981e7f2dcf1e2de 154378 libdevel extra libc-ares-dev_1.12.0-4_amd64.deb
71ef8a55963050a7f713ae1fc0470fb2 109118 debug extra libc-ares2-dbgsym_1.12.0-4_amd64.deb
1aeba9f16b513a7294366f6973ab5f89 81548 libs extra libc-ares2_1.12.0-4_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJKBAEBCAA0FiEEBdAWnCbkFZNBgSnfGZpk+t+1AP8FAllQJbAWHGdqYXNueUBn
b29nbGVtYWlsLmNvbQAKCRAZmmT637UA/w7OEADTsBS39R7eSTG9jvgOMGuIuF6c
pNyAC3nskkJOjs253QZj19Qaa+Fvb/ulr3wEhhwha9K+ihncvjbyEKJ2v/Bk2O0k
dUWNTdq7LAVwGRVfX1U2pY9blkusvd0/txXixP19go4FebGYBkmG2mLefKlSl5Ti
QCjJcATYZLG1YcKK9q6XD7JP7J48XG+8pySPjAiTxg9pwxwuIsoqxU0z+wZ9P+Rb
su7lGE0qbQJOxw0KAS0Jsq7/zElobm3jABFFAFj2JZXF9PaMsMpzzUbY408SrI8Q
i9Ggo5MvcA/h8zcGp8DvVvPWQO7OKKRBgFNOqvYL1qtyNQxNyNn2stfaCKLhZEOh
Kb5DSVc98Lj6CZ6RtGB5CE6yg0IOUXFLJtoo4XeU6Dz1Vp4aaUXfT7Jw+6WfYkYe
LNqCNkMjiwLoutKp+uJX9CdazFcZx9P1OdkkKI3xsOY2VvojOzjnDr1Qd/ZAPdmT
Jl4ksD8vbzEichxs6cpzuGnAPte8al1cyIZocAy/k6HwciHvI+4Y/kqQfMHigqre
UagddJjfPeTdsAO5SpMv7NCkx1GhMzGmKLPV5CTul7ySWi1pnGjxj16UfU+1H0H8
A0JlB2RwQLtSn9KHRvmLqRVtJ68SX2BmRNGYEAo5zIRNNoVgGKVqLWeMp5EMhVbR
+NdBfkL7i/V8TgLqrQ==
=Wuo7
-----END PGP SIGNATURE-----
Reply sent
to Gregor Jasny <gjasny@googlemail.com>:
You have taken responsibility.
(Sun, 02 Jul 2017 23:21:15 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 02 Jul 2017 23:21:15 GMT) (full text, mbox, link).
Message #17 received at 865360-close@bugs.debian.org (full text, mbox, reply):
Source: c-ares
Source-Version: 1.12.0-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
c-ares, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 865360@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gregor Jasny <gjasny@googlemail.com> (supplier of updated c-ares package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 26 Jun 2017 22:00:03 +0200
Source: c-ares
Binary: libc-ares-dev libc-ares2
Architecture: source amd64
Version: 1.12.0-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Andreas Schuldei <andreas@debian.org>
Changed-By: Gregor Jasny <gjasny@googlemail.com>
Description:
libc-ares-dev - asynchronous name resolver - development files
libc-ares2 - asynchronous name resolver
Closes: 865360
Changes:
c-ares (1.12.0-1+deb9u1) stretch; urgency=medium
.
* Add patch for CVE-2017-1000381 (Closes: #865360)
Checksums-Sha1:
e0468a0183b62a2f94d40ccc3d33134c3a985ba9 2030 c-ares_1.12.0-1+deb9u1.dsc
3d70f9a0a68e3f9f568958da297db591b3444ecf 9612 c-ares_1.12.0-1+deb9u1.debian.tar.xz
9b7b6b3a4922b4ded88e64c175e67cd9168c3137 6018 c-ares_1.12.0-1+deb9u1_amd64.buildinfo
6713d67d096bdb46a3990460d1a14b1e065f78c5 154290 libc-ares-dev_1.12.0-1+deb9u1_amd64.deb
30cefc80dd104ea6d7f394fb9dc8559d24abfbb3 109210 libc-ares2-dbgsym_1.12.0-1+deb9u1_amd64.deb
1cb5c61f00fbccbc8f45d7ea99cb80ab0d75b4e8 81590 libc-ares2_1.12.0-1+deb9u1_amd64.deb
Checksums-Sha256:
65213f4f627ec1eb44ed00572b19c22ec78994b614471b193a43152a23281715 2030 c-ares_1.12.0-1+deb9u1.dsc
1ac58883be8827c570fce51f8a2fd73f15bcf31ca95c26f211c02ef4570e4315 9612 c-ares_1.12.0-1+deb9u1.debian.tar.xz
3d3eb56664b6806ec6e49d6e8dc1d9483d601369de521fcea6b24041fde58841 6018 c-ares_1.12.0-1+deb9u1_amd64.buildinfo
2c4d9ba12cdacd7f314b48b22add7a9a1042a7d4c86a93eb820f4eb8b7e25a8b 154290 libc-ares-dev_1.12.0-1+deb9u1_amd64.deb
c799f3ab9f30e20adec4f9a6e490da917a37eabf0125e4dd84cafe5fa6076ada 109210 libc-ares2-dbgsym_1.12.0-1+deb9u1_amd64.deb
3e6de7d302403332140980abd95a59796d893cf8171d912a67934e6591dfe959 81590 libc-ares2_1.12.0-1+deb9u1_amd64.deb
Files:
17299c2dc78787e5e9a0d6c0f9fb13cd 2030 libs extra c-ares_1.12.0-1+deb9u1.dsc
330edcb2465ccf1f6606fdf2ae1dd138 9612 libs extra c-ares_1.12.0-1+deb9u1.debian.tar.xz
8317367f48dbad34a3cfc4771d270b5e 6018 libs extra c-ares_1.12.0-1+deb9u1_amd64.buildinfo
5a605bd59386d1cf838fcef07cec328e 154290 libdevel extra libc-ares-dev_1.12.0-1+deb9u1_amd64.deb
a141c3296afa55b4890698b634b54f0f 109210 debug extra libc-ares2-dbgsym_1.12.0-1+deb9u1_amd64.deb
e45a33ff43203cd0a6942010788c2090 81590 libs extra libc-ares2_1.12.0-1+deb9u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJKBAEBCAA0FiEEBdAWnCbkFZNBgSnfGZpk+t+1AP8FAllXjm4WHGdqYXNueUBn
b29nbGVtYWlsLmNvbQAKCRAZmmT637UA/4boEACm0Z4esBa619LyHhNfyDSKA7lU
gA+TActtVB9UEbun5Fm1N+N93Vi+zrzY5UEiKl/i/2ezNxVuVrgSROY6kAMh+YYK
JWl2A3QHq/EM0NbfLtfVuIErAKAO/bPLpm8iEu/S6sR+sp9UUgjQrl1q3VxcHiOp
Su+Tvrjv66/4S0VsH0hLM2mhin3pNkE/dzlrIv5Is6pMCg5NZs00+DZTqCXfc93r
IUVu30kmgg1p4q3wZBcpA/WxWEn56wAtw3PaUqXEf1GQXzNpz3jQKoIijvHn4cn6
ncvOIce3XipcQ+wXpYgzEUZGZliAxbOrhSH8a8dAaI8F6R54TWaSKGIrFHFbu7be
DgLYNS158kXK2MPl582N2LaNcBKGBsZLGLxNcG2k/PNJHFrja/o4H47/AGQGUEmo
ZfB4bNLpyY0aedTsY6rCf7+hBoDOAVoyW+1jj8zdZ0+TfjeAPiuiRkH0mnbk/QtP
enHW9RnyhT6b77maBESquPHI31cLzyTYlo4i5C6bEDHcAAwFNmWF7x783bnoE1DX
PzRLj0Ats4FDKuP3rCJQhxhSTJPAClNrWfxQdJ1vkAL+I34wSJeYyAhCgTyrM9KA
hfEE0i30L5guIgEd1R6JyactbqCaihvSmnRyG0BaSgjrdhDz7MrFcQ91z3CywTGn
S/xJijQ9Il3K6g8tdQ==
=cTdW
-----END PGP SIGNATURE-----
Reply sent
to Gregor Jasny <gjasny@googlemail.com>:
You have taken responsibility.
(Sun, 02 Jul 2017 23:33:11 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 02 Jul 2017 23:33:11 GMT) (full text, mbox, link).
Message #22 received at 865360-close@bugs.debian.org (full text, mbox, reply):
Source: c-ares
Source-Version: 1.10.0-2+deb8u2
We believe that the bug you reported is fixed in the latest version of
c-ares, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 865360@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gregor Jasny <gjasny@googlemail.com> (supplier of updated c-ares package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 26 Jun 2017 22:03:42 +0200
Source: c-ares
Binary: libc-ares-dev libc-ares2
Architecture: source amd64
Version: 1.10.0-2+deb8u2
Distribution: jessie
Urgency: medium
Maintainer: Andreas Schuldei <andreas@debian.org>
Changed-By: Gregor Jasny <gjasny@googlemail.com>
Description:
libc-ares-dev - asynchronous name resolver - development files
libc-ares2 - asynchronous name resolver
Closes: 865360
Changes:
c-ares (1.10.0-2+deb8u2) jessie; urgency=medium
.
* Add patch for CVE-2017-1000381 (Closes: #865360)
Checksums-Sha1:
246b32772461b671b3e0ed522f4da27e05b6eedb 2020 c-ares_1.10.0-2+deb8u2.dsc
632f53654f49647c285f688aea322e7bb4905540 6904 c-ares_1.10.0-2+deb8u2.debian.tar.xz
e821cb398513ebdb18279a1c44fadbee7861d30f 137460 libc-ares-dev_1.10.0-2+deb8u2_amd64.deb
bfb9ce73dbb97bc3f647276148a04f1a8fd79640 72454 libc-ares2_1.10.0-2+deb8u2_amd64.deb
Checksums-Sha256:
9ff28ddd26eebdde1cd097795571f904972de61d6f437682cffddd03b544aa4c 2020 c-ares_1.10.0-2+deb8u2.dsc
9eedce105381f839828ffa3b33e1388da7f42d3c8dc1da2c87f07a2cd5eb5ec7 6904 c-ares_1.10.0-2+deb8u2.debian.tar.xz
dd7cdbad80513627042ce4523c111862bf2a5f74c8c7b35731be3b09817bc964 137460 libc-ares-dev_1.10.0-2+deb8u2_amd64.deb
b6eedf9b50b29fe68b31201744b52adee55a914daf4d41d1b03807849d1e0f5f 72454 libc-ares2_1.10.0-2+deb8u2_amd64.deb
Files:
931524268d7b3377829ea6253db29a5a 2020 libs extra c-ares_1.10.0-2+deb8u2.dsc
b24de3fe85e3c10d9ad941d5fd273fe2 6904 libs extra c-ares_1.10.0-2+deb8u2.debian.tar.xz
f1c267629e68db51127e481f14e56d50 137460 libdevel extra libc-ares-dev_1.10.0-2+deb8u2_amd64.deb
ce6dc862d66ce99c39953f84015a0793 72454 libs extra libc-ares2_1.10.0-2+deb8u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJKBAEBCAA0FiEEBdAWnCbkFZNBgSnfGZpk+t+1AP8FAllXjmMWHGdqYXNueUBn
b29nbGVtYWlsLmNvbQAKCRAZmmT637UA/5cqEACvPlMCi+v9w2A623OIzFWiX0Fj
oSqIuliAMc+L023dEJDfjXJ7Z2YEmrnkBZAGn24lMDC4ZbFGlksjZJfL6Xs9dfph
M47O9M0jw4beDGkdt3NnMqaPM4JcEWyS1fljYYq8Jy1NxPeZiISqRrM7vSiudb+p
aIIfnNj3wG7Go1FFh9/wFcXqleV0oF8WfNZddViTNjNFmgqJYytPmiUEKi8JRX3H
HW34uaUAMPuVr6CfE5kkXI4oUYGkjzW/7g6zzCcowPTM8eScRbiHopleMRC5S3qR
wcjP9RaqSYOjXngKYqDWRPR32cq7gkIau50dmlW2RaCSErS7wKVyiQ/p430axfRf
2CP+BoCzMFAQ2X58AGYv63rAWRMw8GgbY530+KpnuZsfNzrh/FDWEy6ZEjoXKvl6
wXaPAI0lTxoQ621zTS6PFiHwU3/e0JbSG6mW7SU0ke0HoogGUyBcagkuLFzXUiEc
D9aAxRdVNsY5tzbndnSpleHBzxqYVo/AT6y1oXYTZtz3bRmu1moRo/mcdlpiIfIc
yHKgQLZcadw1tzUqpWwpITHbgJnC/qXCmBf3owkXBtZU3TSTHcbcsf6ykezPNCNP
Bn2iNKlaI9FFIJYHEKw1RDX4K/2rA78JeN6kouezMoBhiuE76rwhM1Rg488mbt0e
tApW5ebltPNtnamw/A==
=GhDc
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 19 Aug 2017 07:30:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:11:38 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon