c-ares: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

Debian Bug report logs - #839151
c-ares: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: submit@bugs.debian.org

Subject: c-ares: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

Date: Thu, 29 Sep 2016 16:24:36 +0200

Package: src:c-ares
Version: 1.11.0-1
Tags: security
Severity: important

A new upstream version of c-ares has been released which addresses a
security vulnerability.

From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 29 Sep 2016 16:02:10 +0200 (CEST)

`ares_create_query` single byte out of buffer write
=================================================

Project c-ares Security Advisory, September 29, 2016 -
[Permalink](https://c-ares.haxx.se/adv_20160929.html)

VULNERABILITY
-------------

When a string is passed in to `ares_create_query` or `ares_mkquery` and uses
an escaped trailing dot, like "hello\.", c-ares calculates the string length
wrong and subsequently writes outside of the the allocated buffer with one
byte. The wrongly written byte is the least significant byte of the 'dnsclass'
argument; most commonly 1.

We have been seen proof of concept code showing how this can be exploited in a
real-world system, but we are not aware of any such instances having actually
happened in the wild.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-5180 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following c-ares versions.

- Affected versions: libcurl 1.0.0 to and including 1.11.0
- Not affected versions: c-ares >= 1.12.0

[...]

A [patch for CVE-2016-5180](https://c-ares.haxx.se/CVE-2016-5180.patch) is
available.

Message #16 received at 839151-close@bugs.debian.org (full text, mbox, reply):

From: Gregor Jasny <gjasny@googlemail.com>

To: 839151-close@bugs.debian.org

Subject: Bug#839151: fixed in c-ares 1.12.0-1

Date: Thu, 29 Sep 2016 17:21:31 +0000

Source: c-ares
Source-Version: 1.12.0-1

We believe that the bug you reported is fixed in the latest version of
c-ares, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839151@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregor Jasny <gjasny@googlemail.com> (supplier of updated c-ares package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 29 Sep 2016 18:19:09 +0200
Source: c-ares
Binary: libc-ares-dev libc-ares2
Architecture: source amd64
Version: 1.12.0-1
Distribution: unstable
Urgency: high
Maintainer: Andreas Schuldei <andreas@debian.org>
Changed-By: Gregor Jasny <gjasny@googlemail.com>
Description:
 libc-ares-dev - asynchronous name resolver - development files
 libc-ares2 - asynchronous name resolver
Closes: 839151
Changes:
 c-ares (1.12.0-1) unstable; urgency=high
 .
   [ Daniel Stenberg ]
   * bump: start working on the next version
   * AUTHORS: added contributors from the 1.11.0 release
   * configure: acknowledge --disable-tests
 .
   [ Gregor Jasny ]
   * Fix man page typos detected by Lintian
 .
   [ David Drysdale ]
   * test: add missing #includes for dns-proto.cc
   * test: avoid in6addr_* constants
   * test: Build with MinGW on AppVeyor
 .
   [ Viktor Szakats ]
   * Makefile.m32: add support for extra flags
   * Makefile.m32: add support for CROSSPREFIX
 .
   [ Brad House ]
   * configure: check if tests can get built before enabled
 .
   [ David Drysdale ]
   * ares_library_cleanup: reset ares_realloc too
   * ahost.c: add cast to fix C++ compile
   * test: Only pass unused args to GoogleTest
   * test: Use different name in live test
   * build: commonize MSVC version detection
 .
   [ Chris Araman ]
   * msvc_ver.inc: support Visual Studio 2015 Update 1
 .
   [ David Drysdale ]
   * test: for AF_UNSPEC, return CNAME only for AAAA, but valid A record
   * Explicitly clear struct servent before use
   * test: Update fuzzing function prototype
   * test: Check setting nsort=0 option is respected
 .
   [ nordsturm ]
   * Fix nsort initialization
 .
   [ David Drysdale ]
   * test: Add utility to show DNS packet from file
   * test: Add corpus of DNS packets
   * test: allow multiple files in aresfuzz command line
   * test: add fuzzing check script to tests
   * test: Run fuzzcheck.sh in Travis build
 .
   [ svante karlsson ]
   * Update msvc_ver.inc
 .
   [ David Drysdale ]
   * test: drop superfluous fuzz inputs
 .
   [ Daniel Stenberg ]
   * email: use Gisle's "new" address
 .
   [ David Drysdale ]
   * Fix trailing comment for #endif
 .
   [ Chris Araman ]
   * Update msvc_ver.inc
 .
   [ Daniel Stenberg ]
   * web: http => https
   * read_tcp_data: remove superfluous NULL check
 .
   [ David Drysdale ]
   * test: disable MinGW tests
   * test: simplify deps for fuzzer entrypoint
   * test: fuzzer mode for AFL's persistent mode
   * test: make fuzzer driver code C not C++
   * test: more info on how to run fuzz testing
   * test: Add Clang static analysis build to Travis
 .
   [ Daniel Stenberg ]
   * SECURITY.md: suggested "security process" for the project
   * README: added "CII best practices" badge
   * LICENSE.md: add a stand-alone license file
   * AUTHORS: added contributors from the git log
   * AUTHOR: maybe gitgub isn't really an author =)
 .
   [ David Drysdale ]
   * test: Add null pointer to gtest args
   * test: Add valgrind build variant
   * test: Force reinstall of libtool on OSX
   * ares_init_options: only propagate init failures from options
   * api: add ARES_OPT_NOROTATE optmask value
 .
   [ Brad House ]
   * headers: remove checks for and defines of variable sizes
 .
   [ David Drysdale ]
   * test: fix gMock to work with gcc >= 6.x
 .
   [ Daniel Stenberg ]
   * ares_create_query.3: edit language
   * RELEASE-NOTES: synced with daa7235b1a5
   * SECURITY: point to the vulnerabilities page now
   * ares_init.3: split the init docs into two separate man pages
   * ares_destroy.3: formatting polish
   * docs: minor formatting edits
   * README: link to the correct c-ares badge!
   * README.md: remove space from link
   * ares_library_init.3: corrected the ares_library_init_mem proto
 .
   [ David Drysdale ]
   * man: update ares_init_options.3
 .
   [ Daniel Stenberg ]
   * make: bump CARES_VERSION_INFO for release
   * ares_library_initialized.3: added
   * ares_create_query: avoid single-byte buffer overwrite
 .
   [ David Drysdale ]
   * ares-test-misc: test ares_create_query with escaped trailing dot
 .
   [ Daniel Stenberg ]
   * RELEASE-NOTES: 1.12.0
 .
   [ Gregor Jasny ]
   * Import c-ares 1.12.0 (Closes: #839151)
   * Bump standards to 3.9.8 (no changes needed)
   * Stop moving ares_build.h to multiarch include path
Checksums-Sha1:
 6cac39ef10ca98eaf97045d1bde7d425397c2bbf 1969 c-ares_1.12.0-1.dsc
 8abfce61d2d788fb60a3441d05275162a460cbed 1769879 c-ares_1.12.0.orig.tar.gz
 13c78432683fc4e29c1b6af51861d4eb8176b5b7 9164 c-ares_1.12.0-1.debian.tar.xz
 201bbcf0f4967140e5f61c70aa5a77276e950988 154246 libc-ares-dev_1.12.0-1_amd64.deb
 998ed64506d3b36f5654bffecce5760a3ecd853b 109124 libc-ares2-dbgsym_1.12.0-1_amd64.deb
 9bd55d238914e20661f6dd2dca2f91199f1d4335 81500 libc-ares2_1.12.0-1_amd64.deb
Checksums-Sha256:
 249c32ac600480538a0830ad81bded4d9b3652ac6f43b5a7ab9acd5560e129f7 1969 c-ares_1.12.0-1.dsc
 8692f9403cdcdf936130e045c84021665118ee9bfea905d1a76f04d4e6f365fb 1769879 c-ares_1.12.0.orig.tar.gz
 22b16dc5a6fe63319a24abbc49f4837b486f855ab3f190585a14411d40cb1f24 9164 c-ares_1.12.0-1.debian.tar.xz
 0d9cace7db69b6e570f2f5735f36d204c1fd2102078b48482740498d2635634e 154246 libc-ares-dev_1.12.0-1_amd64.deb
 46397537e0005b95784bfcce6b9ffe7966637878b9b7ce17f83f9dfd4d4fb0cb 109124 libc-ares2-dbgsym_1.12.0-1_amd64.deb
 bb91557a630421214a14be06df0cb0939d3af969a03ba2481c7e4d6f5d2d75f6 81500 libc-ares2_1.12.0-1_amd64.deb
Files:
 12b81b165d3301c13d8312bda29dda21 1969 libs extra c-ares_1.12.0-1.dsc
 2ca44be1715cd2c5666a165d35788424 1769879 libs extra c-ares_1.12.0.orig.tar.gz
 d5a2e251d2a9731cfe957994d15be3e5 9164 libs extra c-ares_1.12.0-1.debian.tar.xz
 6e008a105c58519c1249cda369dd43ff 154246 libdevel extra libc-ares-dev_1.12.0-1_amd64.deb
 24046a70fbdabdbe1c27344e3e5e1c8e 109124 debug extra libc-ares2-dbgsym_1.12.0-1_amd64.deb
 359f67cf6148ec025f2f704f55665e58 81500 libs extra libc-ares2_1.12.0-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdBQJX7UUyFhxnamFzbnlAZ29vZ2xlbWFpbC5jb20ACgkQGZpk+t+1
AP9sYQ//fYIh0JnxwjjCfFN5h4Z1y2vz2fbnGj82RCV8tQTyqSwXGdIU6WEsVbnb
Wu5FCbvwdK06qRngVzkPiIkZY/R+vf2UUrLPT5Po1nnaesMco59EMz8tM9nPrWFp
7SL4JBLCjkRcC4CxjqUJNlHM4mPcbV/NF7KCQMBqr0SevG8b//zNCm4lcA/ahp3y
GR+wTlotovPC3KcmBLhuy64AJ2vujMAexXXlaoUdT3T6qlvtOP1CnGF9x3458FEn
+NCO2qvF65S+Z1TU9BZx8E0I9XguDcsLsO6JUmh9r4jTPBClceAPyYBTvJnRac8j
8MYbIk7Eyt0F07xcxbJUEwaSe4mx8WFqI4HU6aqnnrvxeI7nOk2CyrDledhYPjfU
Fz1I7ARqJjVe1EMPR3kI511rZzc5IIY6azT/XKX+9fmwlLB51gzfyLfwpJYGahLB
RDiB/40JPpOi8uPOo3J4jdJ8I5XzYYLJCr8N49rpsvl40ZVeAzV9m9fG5lPO39tQ
HeNwfUOoe3Gqwsk//NI501TM8bNdkUAMwQFJYKWlzIpUrWUmFZi7qWtXuGZOC9PI
ocP//aS2FZI5GGtRpA88N/ZPOK5c/LbTyMnkx86N8AKtGvwpP7gA58QIQfETjFLx
YEJZpuaS1yKbBaG/4CqOzgUaeCtDAtR2c/YGr0liYoq/A1xJqr0=
=JzDG
-----END PGP SIGNATURE-----

Message #23 received at 839151@bugs.debian.org (full text, mbox, reply):

From: Gregor Jasny <gjasny@googlemail.com>

To: team@security.debian.org, 839151@bugs.debian.org

Subject: Re: Bug#839151: c-ares: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

Date: Thu, 29 Sep 2016 21:05:29 +0200

[Message part 1 (text/plain, inline)]

Hello Security Team,

This about https://security-tracker.debian.org/tracker/CVE-2016-5180 and
my first security upload. Please be gentle :)

For Sid and Stretch I uploaded 1.12.0-1 with urgency high.

For Jessie I backported the patch and prepared an upload to
jessie-security (debdiff also attached). Please review and tell me how
to proceed.

https://anonscm.debian.org/cgit/collab-maint/c-ares.git/log/?id=refs/heads/jessie
https://mentors.debian.net/debian/pool/main/c/c-ares/c-ares_1.10.0-2+deb8u1.dsc

Wheezy with c-ares 1.9.1 in not affected (stated in upstream announcement).

Thanks,
Gregor

[CVE-2016-5180-839151.diff (text/plain, attachment)]

Message #28 received at 839151@bugs.debian.org (full text, mbox, reply):

From: Daniel Stenberg <daniel@haxx.se>

To: Gregor Jasny <gjasny@googlemail.com>, 839151@bugs.debian.org

Cc: team@security.debian.org, debian-bugs-dist@lists.debian.org, Andreas Schuldei <andreas@debian.org>

Subject: Re: Bug#839151: c-ares: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

Date: Thu, 29 Sep 2016 22:59:52 +0200 (CEST)

On Thu, 29 Sep 2016, Gregor Jasny wrote:

> Wheezy with c-ares 1.9.1 in not affected (stated in upstream announcement).

That isn't entirely accurate. This flaw is present in every c-ares release 
ever made until 1.12.0 unless you've done some changes not provided by 
upstream.

Before c-ares 1.10.0, the flaw is only present in the ares_mkquery() function 
which isn't identical to ares_create_query so the patch needs a little 
adjustment to apply there.

If you think I can clarify this better in the upstream advisory, please 
suggest a wording that would make it harder to misunderstand!

-- 

 / daniel.haxx.se

Message #33 received at 839151@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Gregor Jasny <gjasny@googlemail.com>

Cc: team@security.debian.org, 839151@bugs.debian.org

Subject: Re: Bug#839151: c-ares: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

Date: Fri, 30 Sep 2016 21:11:37 +0200

* Gregor Jasny:

> For Jessie I backported the patch and prepared an upload to
> jessie-security (debdiff also attached). Please review and tell me how
> to proceed.
>
> https://anonscm.debian.org/cgit/collab-maint/c-ares.git/log/?id=refs/heads/jessie
> https://mentors.debian.net/debian/pool/main/c/c-ares/c-ares_1.10.0-2+deb8u1.dsc

Thanks for working on this.

This looks good, I'll sponser an upload for you.

> Wheezy with c-ares 1.9.1 in not affected (stated in upstream announcement).

This is something the LTS folks may want to care of (see Daniel's
comment on the bug).

Message #40 received at 839151-close@bugs.debian.org (full text, mbox, reply):

From: Gregor Jasny <gjasny@googlemail.com>

To: 839151-close@bugs.debian.org

Subject: Bug#839151: fixed in c-ares 1.10.0-2+deb8u1

Date: Mon, 03 Oct 2016 22:03:23 +0000

Source: c-ares
Source-Version: 1.10.0-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
c-ares, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839151@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregor Jasny <gjasny@googlemail.com> (supplier of updated c-ares package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Sep 2016 20:30:48 +0200
Source: c-ares
Binary: libc-ares-dev libc-ares2
Architecture: source amd64
Version: 1.10.0-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Andreas Schuldei <andreas@debian.org>
Changed-By: Gregor Jasny <gjasny@googlemail.com>
Description:
 libc-ares-dev - asynchronous name resolver - development files
 libc-ares2 - asynchronous name resolver
Closes: 839151
Changes:
 c-ares (1.10.0-2+deb8u1) jessie-security; urgency=high
 .
   * Apply patch for CVE-2016-5180 (Closes: #839151)
Checksums-Sha1:
 f06eb0a9d1802c2a918a6472b6ea9d60c59a6cd3 1642 c-ares_1.10.0-2+deb8u1.dsc
 e44e6575d5af99cb3a38461486e1ee8b49810eb5 809073 c-ares_1.10.0.orig.tar.gz
 b6d2f687e7b6ad04dc6def5768fd1ad81e8922ec 6496 c-ares_1.10.0-2+deb8u1.debian.tar.xz
 37f6c27398eda3bc2f5030176d86036bd1cddf2a 137300 libc-ares-dev_1.10.0-2+deb8u1_amd64.deb
 6642247fba5d21305564dd70e39cf0386a0c9a64 72490 libc-ares2_1.10.0-2+deb8u1_amd64.deb
Checksums-Sha256:
 146a7599f25c9fc19494d4c211724a59615e5875d066a3782c0f0dd9115c4c85 1642 c-ares_1.10.0-2+deb8u1.dsc
 3d701674615d1158e56a59aaede7891f2dde3da0f46a6d3c684e0ae70f52d3db 809073 c-ares_1.10.0.orig.tar.gz
 ec75bcca4210757db03408f31c485fa43c1baba2cd8e196cf6fe8bbd51c12f89 6496 c-ares_1.10.0-2+deb8u1.debian.tar.xz
 9e13a09f8d5db02742f5866ac3e0cd5da9280fbd980758e814f8f9508a66bed7 137300 libc-ares-dev_1.10.0-2+deb8u1_amd64.deb
 2328f59a71993b89ff7f41ab45b31190550d33291b9a9e53a5c287595f9bb5ef 72490 libc-ares2_1.10.0-2+deb8u1_amd64.deb
Files:
 709831eee46cd97dbb0472d0a03290ff 1642 libs extra c-ares_1.10.0-2+deb8u1.dsc
 1196067641411a75d3cbebe074fd36d8 809073 libs extra c-ares_1.10.0.orig.tar.gz
 f9a657d7f729ebca40961ed8ce696bc9 6496 libs extra c-ares_1.10.0-2+deb8u1.debian.tar.xz
 8b785ab031dd3caea0f60021f828f40a 137300 libdevel extra libc-ares-dev_1.10.0-2+deb8u1_amd64.deb
 8d7d9ff10f17087ae5c1963410510654 72490 libs extra libc-ares2_1.10.0-2+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJX7sSuAAoJEL97/wQC1SS+PeIIAJ94Us9U2krP0+Ya4Sdz24cJ
EEgzpJ+PM+NpEyZVI/iQvfwgnK5ga31s6NpF9GuQ0zdoj/w8OFL40LibU3z8FzyO
GQRaojlMIC2tZiyPydZUjTynvm3N1Wqy9cZUa97qZWnCnftgOkCDvL92heRiKIu3
DYDql7EWuO7xkn3fLxxHS4+nb6D6iIF12rik870kRj6fNxP1xgzquJnT7GGUWI7E
Sx/0XRdzaWkc8CA3YWlygIJobrySVVF9Yt+nuOkFHcWVgET3eS/TSRyE8BXLW5i6
jeenuven+5jD+bz1uF1gXFBAmxeCbY46l9Yr/5xdtF1tbeYy7NeYqfnSnycIVeQ=
=3k2v
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.