Debian Bug report logs - #1031525
c-ares: CVE-2022-4904
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Gregor Jasny <gjasny@googlemail.com>: Bug#1031525; Package src:c-ares. (Fri, 17 Feb 2023 20:33:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Gregor Jasny <gjasny@googlemail.com>. (Fri, 17 Feb 2023 20:33:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: c-ares
Version: 1.18.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/c-ares/c-ares/pull/497
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: fixed -1 1.19.0-1
Hi,
The following vulnerability was published for c-ares.
CVE-2022-4904[0]:
| buffer overflow in config_sortlist() due to missing string length check
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-4904
https://www.cve.org/CVERecord?id=CVE-2022-4904
[1] https://github.com/c-ares/c-ares/pull/497
[2] https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d
Regards,
Salvatore
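The CVE description above and the changelog entry for the fix both point at the same defect class: a token from the sortlist string copied into a fixed-size stack buffer without first comparing its length to the buffer size. As an added example that is not c-ares code and not part of this bug report, here is a simplified sortlist parser in C with that check in place. The 16-byte buffer size, the names `parse_sortlist`, `copy_token`, `SORTLIST_*`, the entry cap and the whitespace rules are assumptions made for this illustration, not values taken from c-ares.

```c
/* Added example, not c-ares code: a simplified sortlist parser showing the
 * string-length check the CVE-2022-4904 fix describes ("Add str len check in
 * config_sortlist to avoid stack overflow"). Buffer sizes, names and whitespace
 * rules are assumptions made for this example.
 *
 * A sortlist is a whitespace-separated list of "addr/mask" tokens, each copied
 * into a fixed-size stack buffer before it is interpreted. The vulnerable
 * pattern is a copy whose length comes straight from the input, e.g.
 *     char ipbuf[16]; memcpy(ipbuf, str, q - str);  // q - str never compared to 16
 * so a longer token overwrites what follows ipbuf on the stack. copy_token()
 * below performs the missing check and rejects the string instead. */
#include <stdio.h>
#include <string.h>

#define SORTLIST_ADDR_MAX    16  /* assumed: "255.255.255.255" plus NUL */
#define SORTLIST_MAX_ENTRIES 8   /* assumed cap for the example */

enum sortlist_status { SORTLIST_OK = 0, SORTLIST_EBADSTR = 1, SORTLIST_ENOMEM = 2 };

struct sortlist_entry {
    char addr[SORTLIST_ADDR_MAX];
    char mask[SORTLIST_ADDR_MAX];   /* "" when the token has no "/mask" part */
};

/* Copy the token [p, q) into dst, NUL-terminated. Empty tokens and tokens that
 * would not fit (terminator included) are rejected before any byte is written:
 * this is the length check the fix adds. */
static int copy_token(char *dst, size_t dstlen, const char *p, const char *q)
{
    size_t len = (size_t)(q - p);
    if (len == 0 || len >= dstlen)
        return SORTLIST_EBADSTR;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return SORTLIST_OK;
}

/* Parse str into out[0..max_entries). Returns SORTLIST_OK with *count set, or
 * rejects the whole string on the first malformed or oversized token. */
int parse_sortlist(const char *str, struct sortlist_entry *out,
                   size_t max_entries, size_t *count)
{
    size_t n = 0;
    const char *p = str;

    while (*p) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (!*p)
            break;
        const char *q = p;                          /* q ends up one past the token */
        while (*q && *q != ' ' && *q != '\t')
            q++;
        if (n == max_entries)
            return SORTLIST_ENOMEM;

        const char *slash = memchr(p, '/', (size_t)(q - p));
        int rc = copy_token(out[n].addr, sizeof(out[n].addr), p, slash ? slash : q);
        if (rc == SORTLIST_OK && slash)
            rc = copy_token(out[n].mask, sizeof(out[n].mask), slash + 1, q);
        else if (rc == SORTLIST_OK)
            out[n].mask[0] = '\0';
        if (rc != SORTLIST_OK)
            return rc;
        n++;
        p = q;
    }
    *count = n;
    return SORTLIST_OK;
}

/* Status code for a whole sortlist string. */
int sortlist_check(const char *str)
{
    struct sortlist_entry entries[SORTLIST_MAX_ENTRIES];
    size_t count = 0;
    return parse_sortlist(str, entries, SORTLIST_MAX_ENTRIES, &count);
}

/* 1 if str parses and its entry idx is exactly addr and mask, else 0. */
int sortlist_entry_is(const char *str, size_t idx, const char *addr, const char *mask)
{
    struct sortlist_entry entries[SORTLIST_MAX_ENTRIES];
    size_t count = 0;
    if (parse_sortlist(str, entries, SORTLIST_MAX_ENTRIES, &count) != SORTLIST_OK)
        return 0;
    return idx < count && strcmp(entries[idx].addr, addr) == 0 &&
           strcmp(entries[idx].mask, mask) == 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed list, and a 40-byte token that the
     * unchecked memcpy above would have written past a 16-byte buffer. */
    printf("well-formed: status %d\n", sortlist_check("130.155.160.0/255.255.240.0 130.155.0.0/16"));
    printf("oversized:   status %d (rejected, nothing copied)\n",
           sortlist_check("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The check sits in one place, `copy_token`, and uses `>=` rather than `>` so that the terminating NUL always fits; a token exactly the size of the buffer is rejected too. Rejecting the whole string on a bad token, rather than truncating it, keeps a malformed configuration from being silently reinterpreted as a different one.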
Marked as fixed in versions c-ares/1.19.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 17 Feb 2023 20:33:07 GMT)
Added tag(s) pending. Request was from Gregor Jasny <gjasny@googlemail.com> to control@bugs.debian.org. (Fri, 17 Feb 2023 22:15:04 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#1031525. (Fri, 17 Feb 2023 23:21:10 GMT)
Message #12 received at 1031525-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #1031525 in c-ares reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/debian/c-ares/-/commit/a7fb346983328704107ca1d068022f2b623571bf
------------------------------------------------------------------------
Add str len check in config_sortlist to avoid stack overflow (CVE-2022-4904) (Closes: #1031525)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1031525
Reply sent to Gregor Jasny <gjasny@googlemail.com>: You have taken responsibility. (Fri, 17 Feb 2023 23:36:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 17 Feb 2023 23:36:03 GMT)
Message #17 received at 1031525-close@bugs.debian.org:
Source: c-ares
Source-Version: 1.18.1-2
Done: Gregor Jasny <gjasny@googlemail.com>
We believe that the bug you reported is fixed in the latest version of
c-ares, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1031525@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gregor Jasny <gjasny@googlemail.com> (supplier of updated c-ares package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 17 Feb 2023 23:34:35 +0100
Source: c-ares
Architecture: source
Version: 1.18.1-2
Distribution: unstable
Urgency: medium
Maintainer: Gregor Jasny <gjasny@googlemail.com>
Changed-By: Gregor Jasny <gjasny@googlemail.com>
Closes: 1031525
Changes:
c-ares (1.18.1-2) unstable; urgency=medium
.
* Add str len check in config_sortlist to avoid stack overflow
(CVE-2022-4904) (Closes: #1031525)
Checksums-Sha1:
ad5350fcf03f90a428d0b82538d231e0480cdae0 2143 c-ares_1.18.1-2.dsc
665b5db4cc152b9c0f8ebf57773db749b9501d51 9360 c-ares_1.18.1-2.debian.tar.xz
4983f7cf796ff6bc7c08cf2db5c39f9eba4db828 7985 c-ares_1.18.1-2_amd64.buildinfo
Checksums-Sha256:
77374b808ed5807c4c9d5c145e28950bb114340a8e71fff0422a569d22213a8c 2143 c-ares_1.18.1-2.dsc
a6c4397aceb1f20381ce084be577e70562f3a1a5176e96d1fe9ab469a5794c8f 9360 c-ares_1.18.1-2.debian.tar.xz
dfdda45e1bbbdc8046a938d004c1e885737b492ed5614106dd9cb72cdd16f2e4 7985 c-ares_1.18.1-2_amd64.buildinfo
Files:
8f62d8d494ba607d163e8f53791becf4 2143 libs optional c-ares_1.18.1-2.dsc
ccab7e57e3a8694d3e9f7ddd682a27f9 9360 libs optional c-ares_1.18.1-2.debian.tar.xz
675440b3fc04f37e449c470ba2e5d5d0 7985 libs optional c-ares_1.18.1-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#1031525. (Fri, 17 Feb 2023 23:36:04 GMT)
Message #20 received at 1031525-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #1031525 in c-ares reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/debian/c-ares/-/commit/c6c2fc8e42917c696bb11bb2875f2984aa227209
------------------------------------------------------------------------
Add str len check in config_sortlist to avoid stack overflow (CVE-2022-4904) (Closes: #1031525)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1031525
Added tag(s) pending. Request was from Gregor Jasny <noreply@salsa.debian.org> to 1031525-submitter@bugs.debian.org. (Fri, 17 Feb 2023 23:36:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#1031525; Package src:c-ares. (Sat, 18 Feb 2023 00:00:02 GMT)
Acknowledgement sent to Gregor Jasny <gjasny@googlemail.com>: Extra info received and forwarded to list. (Sat, 18 Feb 2023 00:00:02 GMT)
Message #27 received at 1031525@bugs.debian.org:
Hi Salvatore,
On 17.02.23 21:31, Salvatore Bonaccorso wrote:
> The following vulnerability was published for c-ares.
>
> CVE-2022-4904[0]:
> | buffer overflow in config_sortlist() due to missing string length check
I uploaded a fixed package for sid and prepared an update for bullseye
and buster:
https://salsa.debian.org/debian/c-ares/-/commits/bullseye/
https://salsa.debian.org/debian/c-ares/-/commits/buster/
Are you a member of the Debian Security team, and could you give me the green
light to upload those two packages into the "security upload queue"?
Thanks,
Gregor
Information forwarded to debian-bugs-dist@lists.debian.org, Gregor Jasny <gjasny@googlemail.com>: Bug#1031525; Package src:c-ares. (Sat, 18 Feb 2023 08:48:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Gregor Jasny <gjasny@googlemail.com>. (Sat, 18 Feb 2023 08:48:03 GMT)
Message #32 received at 1031525@bugs.debian.org:
Hi Gregor,
On Sat, Feb 18, 2023 at 12:56:39AM +0100, Gregor Jasny wrote:
> Hi Salvatore,
>
> On 17.02.23 21:31, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for c-ares.
> >
> > CVE-2022-4904[0]:
> > | buffer overflow in config_sortlist() due to missing string length check
>
> I uploaded a fixed package for sid and prepared an update for bullseye and
> buster:
Perfect, thanks for the upload to unstable. Can you monitor the
situation and make sure the fix lands in the upcoming bookworm? We are now
in soft freeze (cf.
https://lists.debian.org/debian-devel-announce/2023/02/msg00003.html).
> https://salsa.debian.org/debian/c-ares/-/commits/bullseye/
> https://salsa.debian.org/debian/c-ares/-/commits/buster/
>
> Are you a member of the Debian Security team, and could you give me the green
> light to upload those two packages into the "security upload queue"?
Thanks for preparing them. Yes, I am. We have assessed the issue to be
no-dsa (see the security-tracker CVE page), but a fix would be very
welcome in bullseye as well via a point release; can I route you
through that path?
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
That said, I cannot say about buster, which is now in LTS team hands.
I do not see a no-dsa tag, but it is not listed in the dla-needed
file either (triaging in LTS context has probably not yet happened there).
But I suggest proposing the LTS update accordingly to the LTS team.
You can there either do everything alone (including the DLA release), or ask
for help with the "paper work" part and ask an LTS team member to
release the advisory, you doing the upload.
https://lts-team.pages.debian.net/wiki/Development.html
contains information, but as said, you can simply as well just propose
the update, debdiff and prepare the package update only; there is no
requirement that you also do the organizational and DLA advisory
releasing part involving the various steps.
Thanks already!
Regards,
Salvatore
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sat Feb 18 13:06:40 2023; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.