c-ares: CVE-2022-4904

Related Vulnerabilities: CVE-2022-4904  

Debian Bug report logs - #1031525
c-ares: CVE-2022-4904


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 17 Feb 2023 20:33:04 UTC

Severity: important

Tags: pending, security, upstream

Found in version c-ares/1.18.1-1

Fixed in versions c-ares/1.19.0-1, c-ares/1.18.1-2

Done: Gregor Jasny <gjasny@googlemail.com>

Forwarded to https://github.com/c-ares/c-ares/pull/497



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Gregor Jasny <gjasny@googlemail.com>:
Bug#1031525; Package src:c-ares. (Fri, 17 Feb 2023 20:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Gregor Jasny <gjasny@googlemail.com>. (Fri, 17 Feb 2023 20:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: c-ares: CVE-2022-4904
Date: Fri, 17 Feb 2023 21:31:26 +0100
Source: c-ares
Version: 1.18.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/c-ares/c-ares/pull/497
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: fixed -1 1.19.0-1

Hi,

The following vulnerability was published for c-ares.

CVE-2022-4904[0]:
| buffer overflow in config_sortlist() due to missing string length check

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4904
    https://www.cve.org/CVERecord?id=CVE-2022-4904
[1] https://github.com/c-ares/c-ares/pull/497
[2] https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d

Regards,
Salvatore
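The flaw named in the report is a fixed-size stack buffer filled from a sortlist token whose length is never checked. The block below is an added illustration, not c-ares's own code: a simplified sortlist validator that copies each address or netmask token into a 16-byte stack buffer only after a length check, which is the check the CVE description says was missing. The names `parse_sortlist`, `copy_token` and the `SL_*` codes are assumptions made for this example.

```c
#include <string.h>
#include <arpa/inet.h>

#define SL_OK      0     /* constructed codes for this example, not c-ares's */
#define SL_BADSTR  (-1)

/* Copy [start, end) into a fixed buffer as a C string. The "len >= dstsz"
 * test is the string length check the advisory refers to: without it an
 * overlong token overruns the caller's stack buffer. */
static int copy_token(char *dst, size_t dstsz, const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    if (len >= dstsz)
        return SL_BADSTR;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return SL_OK;
}

/* Validate "addr[/mask] addr[/mask] ..." and return the entry count, or
 * SL_BADSTR on a malformed or overlong token. Hypothetical helper. */
int parse_sortlist(const char *str)
{
    char ipbuf[16];           /* dotted-quad IPv4 plus NUL, on the stack */
    struct in_addr addr;
    int count = 0;
    const char *p = str;

    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        /* Entry = address, optionally "/mask": at most two length-checked tokens. */
        for (int part = 0; part < 2; part++) {
            const char *q = p;
            while (*q && *q != ' ' && *q != '\t' && *q != '/')
                q++;
            if (copy_token(ipbuf, sizeof ipbuf, p, q) != SL_OK ||
                inet_pton(AF_INET, ipbuf, &addr) != 1)
                return SL_BADSTR;
            p = q;
            if (*q != '/')
                break;
            if (part == 1)        /* "a/b/c": a second '/' is malformed */
                return SL_BADSTR;
            p = q + 1;
        }
        count++;
    }
    return count;
}
```

A 40-character token is rejected before any byte reaches `ipbuf`, so the overlong input that would otherwise run past the 16-byte buffer simply yields an error code.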



Marked as fixed in versions c-ares/1.19.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 17 Feb 2023 20:33:07 GMT)


Added tag(s) pending. Request was from Gregor Jasny <gjasny@googlemail.com> to control@bugs.debian.org. (Fri, 17 Feb 2023 22:15:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1031525. (Fri, 17 Feb 2023 23:21:10 GMT)


Message #12 received at 1031525-submitter@bugs.debian.org:

From: Gregor Jasny <noreply@salsa.debian.org>
To: 1031525-submitter@bugs.debian.org
Subject: Bug#1031525 marked as pending in c-ares
Date: Fri, 17 Feb 2023 23:16:39 +0000
Control: tag -1 pending

Hello,

Bug #1031525 in c-ares reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/c-ares/-/commit/a7fb346983328704107ca1d068022f2b623571bf

------------------------------------------------------------------------
Add str len check in config_sortlist to avoid stack overflow (CVE-2022-4904) (Closes: #1031525)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1031525



Reply sent to Gregor Jasny <gjasny@googlemail.com>:
You have taken responsibility. (Fri, 17 Feb 2023 23:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 17 Feb 2023 23:36:03 GMT)


Message #17 received at 1031525-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1031525-close@bugs.debian.org
Subject: Bug#1031525: fixed in c-ares 1.18.1-2
Date: Fri, 17 Feb 2023 23:34:12 +0000
Source: c-ares
Source-Version: 1.18.1-2
Done: Gregor Jasny <gjasny@googlemail.com>

We believe that the bug you reported is fixed in the latest version of
c-ares, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031525@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregor Jasny <gjasny@googlemail.com> (supplier of updated c-ares package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 17 Feb 2023 23:34:35 +0100
Source: c-ares
Architecture: source
Version: 1.18.1-2
Distribution: unstable
Urgency: medium
Maintainer: Gregor Jasny <gjasny@googlemail.com>
Changed-By: Gregor Jasny <gjasny@googlemail.com>
Closes: 1031525
Changes:
 c-ares (1.18.1-2) unstable; urgency=medium
 .
   * Add str len check in config_sortlist to avoid stack overflow
     (CVE-2022-4904) (Closes: #1031525)





Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1031525. (Fri, 17 Feb 2023 23:36:04 GMT)


Message #20 received at 1031525-submitter@bugs.debian.org:

From: Gregor Jasny <noreply@salsa.debian.org>
To: 1031525-submitter@bugs.debian.org
Subject: Bug#1031525 marked as pending in c-ares
Date: Fri, 17 Feb 2023 23:34:18 +0000
Control: tag -1 pending

Hello,

Bug #1031525 in c-ares reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/c-ares/-/commit/c6c2fc8e42917c696bb11bb2875f2984aa227209

------------------------------------------------------------------------
Add str len check in config_sortlist to avoid stack overflow (CVE-2022-4904) (Closes: #1031525)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1031525



Added tag(s) pending. Request was from Gregor Jasny <noreply@salsa.debian.org> to 1031525-submitter@bugs.debian.org. (Fri, 17 Feb 2023 23:36:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1031525; Package src:c-ares. (Sat, 18 Feb 2023 00:00:02 GMT)


Acknowledgement sent to Gregor Jasny <gjasny@googlemail.com>:
Extra info received and forwarded to list. (Sat, 18 Feb 2023 00:00:02 GMT)


Message #27 received at 1031525@bugs.debian.org:

From: Gregor Jasny <gjasny@googlemail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 1031525@bugs.debian.org
Subject: Re: Bug#1031525: c-ares: CVE-2022-4904
Date: Sat, 18 Feb 2023 00:56:39 +0100
Hi Salvatore,

On 17.02.23 21:31, Salvatore Bonaccorso wrote:
> The following vulnerability was published for c-ares.
> 
> CVE-2022-4904[0]:
> | buffer overflow in config_sortlist() due to missing string length check

I uploaded a fixed package for sid and prepared an update for bullseye
and buster:

https://salsa.debian.org/debian/c-ares/-/commits/bullseye/
https://salsa.debian.org/debian/c-ares/-/commits/buster/

Are you a member of the Debian Security team and could you give me the green
light to upload those two packages into the "security upload queue"?

Thanks,
Gregor



Information forwarded to debian-bugs-dist@lists.debian.org, Gregor Jasny <gjasny@googlemail.com>:
Bug#1031525; Package src:c-ares. (Sat, 18 Feb 2023 08:48:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gregor Jasny <gjasny@googlemail.com>. (Sat, 18 Feb 2023 08:48:03 GMT)


Message #32 received at 1031525@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Gregor Jasny <gjasny@googlemail.com>, 1031525@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#1031525: c-ares: CVE-2022-4904
Date: Sat, 18 Feb 2023 09:46:03 +0100
Hi Gregor,

On Sat, Feb 18, 2023 at 12:56:39AM +0100, Gregor Jasny wrote:
> Hi Salvatore,
> 
> On 17.02.23 21:31, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for c-ares.
> > 
> > CVE-2022-4904[0]:
> > | buffer overflow in config_sortlist() due to missing string length check
> 
> I uploaded a fixed package for sid and prepared an update for bullseye and
> buster:

Perfect, thanks for the upload to unstable. Can you monitor the
situation and make sure the fix lands in upcoming bookworm? We are now
in soft freeze (cf.
https://lists.debian.org/debian-devel-announce/2023/02/msg00003.html).

> https://salsa.debian.org/debian/c-ares/-/commits/bullseye/
> https://salsa.debian.org/debian/c-ares/-/commits/buster/
> 
> Are you a member of the Debian Security team and could give me the green
> light to upload those two packages into the "security upload queue".

Thanks for preparing them. Yes, I am. We have assessed the issue to be
no-dsa (see the security-tracker CVE page), but a fix would be very
welcome in bullseye as well via a point release; can I route you
through that path?

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions


That said, I cannot say about buster, which is now in LTS team hands.
I do not see a no-dsa tag, but it is also not listed in the dla-needed
file (triaging in LTS context has probably not yet happened there).
But I suggest proposing the LTS update accordingly to the LTS team.
You can there either do it all alone (including the DLA release), or ask
for help in the "paper work" part, and ask an LTS team member to
release the advisory, with you doing the upload.

https://lts-team.pages.debian.net/wiki/Development.html

contains information, but, as said, you can simply as well just propose
the update, debdiff and prepare the package update only; there is no
requirement that you also do the organizational and DLA advisory
releasing part involving the various steps.

Thanks already!

Regards,
Salvatore




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 18 13:06:40 2023; Machine Name: buxtehude
