CVE-2016-5180

Author: bagder

Makefile

@@ -24,7 +24,8 @@ all:    index.html license.html ares_init.html ares_init_options.html		\
 	ares_library_cleanup.html ares_parse_srv_reply.html			\
 	ares_parse_txt_reply.html ares_parse_soa_reply.html			\
 	ares_inet_ntop.html ares_inet_pton.html ares_create_query.html		\
-	security.html changelog.html vulns.html ares_dup.html
+	security.html changelog.html vulns.html ares_dup.html \
+	adv_20160929.html
 	make -C download
 
 index.html: index.t $(MAINPARTS)
@@ -42,6 +43,11 @@ security.html: security.t $(MAINPARTS) security.gen
 security.gen: $(SRCDIR)/SECURITY.md
 	$(MARKDOWN) < $< > $@
 
+adv_20160929.html: adv_20160929.t $(MAINPARTS) adv_20160929.gen
+	$(ACTION)
+adv_20160929.gen: adv_20160929.md
+	$(MARKDOWN) < $< > $@
+
 old.html: old.t $(MAINPARTS)
 	$(ACTION)
 

adv_20160929.md

@@ -0,0 +1,68 @@
+`ares_create_query` single byte out of buffer write
+=================================================
+
+Project c-ares Security Advisory, September 29, 2016 -
+[Permalink](https://c-ares.haxx.se/adv_20160929.html)
+
+VULNERABILITY
+-------------
+
+When a string is passed in to `ares_create_query` or `ares_mkquery` and uses
+an escaped trailing dot, like "hello\.", c-ares calculates the string length
+wrong and subsequently writes outside of the the allocated buffer with one
+byte. The wrongly written byte is the least significant byte of the 'dnsclass'
+argument; most commonly 1.
+
+We have been seen proof of concept code showing how this can be exploited in a
+real-world system, but we are not aware of any such instances having actually
+happened in the wild.
+
+INFO
+----
+
+The Common Vulnerabilities and Exposures (CVE) project has assigned the name
+CVE-2016-5180 to this issue.
+
+AFFECTED VERSIONS
+-----------------
+
+This flaw exists in the following c-ares versions.
+
+- Affected versions: libcurl 1.0.0 to and including 1.11.0
+- Not affected versions: c-ares >= 1.12.0
+
+THE SOLUTION
+------------
+
+In version 1.12.0, the function has been corrected and a test case have been
+added to verify.
+
+A [patch for CVE-2016-5180](https://c-ares.haxx.se/CVE-2016-5180.patch) is
+available.
+
+RECOMMENDATIONS
+---------------
+
+We suggest you take one of the following actions immediately, in order of
+preference:
+
+ A - Upgrade c-ares to version 1.12.0
+
+ B - Apply the patch to your version and rebuild
+
+ C - Make *really* sure you don't pass in strings to either of these functions
+     that use escaped trailing dots.
+
+TIME LINE
+---------
+
+It was reported to the c-ares project on September 22 by Gzob Qq.
+
+c-ares 1.12.0 was released on September 29 2016, coordinated with the
+publication of this advisory.
+
+CREDITS
+-------
+
+Thanks to Gzob Qq for the report and to Mattias Nissler for code reviews of
+the patch.

adv_20160929.t

@@ -0,0 +1,15 @@
+#include "doctype.t"
+<head>
+<title>ares_create_query single byte out of buffer write</title>
+#include "css.t"
+</head>
+#include "body.t"
+#include "setup.t"
+#include "menu.t"
+
+TITLE(CVE-2016-5180)
+BOXTOP
+#include "adv_20160929.gen"
+BOXBOT
+
+#include "footer.t"

vulns.t

@@ -13,6 +13,11 @@ BOXTOP
  This is all known and public c-ares vulnerabilities to date. See also our <a
  href="security.html">security incident process</a>.
 
+<p>
+SUBTITLE(CVE-2016-5180 - Sep 29 2016)
+<p>
+ <a href="adv_20160929.html">ares_create_query single byte out of buffer write</a>
+
 <p>
 SUBTITLE(CVE-2007-3153 - Jun 8 2007)
 <p>