adv_20170620: CVE-2017-XXXX

bagder · bagder · commit a33b2f97c258 · 2017-06-20T07:58:30.000+02:00
diff --git a/CVE-2017-1000381.patch b/CVE-2017-1000381.patch
@@ -0,0 +1,37 @@
+From e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale@google.com>
+Date: Mon, 22 May 2017 10:54:10 +0100
+Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data
+
+Check that there is enough data for the required elements
+of an NAPTR record (2 int16, 3 bytes for string lengths)
+before processing a record.
+---
+ ares_parse_naptr_reply.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ares_parse_naptr_reply.c b/ares_parse_naptr_reply.c
+index 11634df9847c..717d35577811 100644
+--- a/ares_parse_naptr_reply.c
++++ b/ares_parse_naptr_reply.c
+@@ -110,6 +110,12 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
+           status = ARES_EBADRESP;
+           break;
+         }
++      /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
++      if (rr_len < 7)
++        {
++          status = ARES_EBADRESP;
++          break;
++        }
+ 
+       /* Check if we are really looking at a NAPTR record */
+       if (rr_class == C_IN && rr_type == T_NAPTR)
+@@ -185,4 +191,3 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,
+ 
+   return ARES_SUCCESS;
+ }
+-
+-- 
+2.13.0.303.g4ebf302169-goog
+
diff --git a/Makefile b/Makefile
@@ -32,7 +32,8 @@ all: index.html license.html ares_init.html ares_init_options.html	\
  ares_gethostbyname_file.html ares_set_socket_callback.html		\
  ares_set_socket_configure_callback.html ares_set_sortlist.html		\
  ares_parse_mx_reply.html ares_parse_naptr_reply.html			\
- ares_set_local_dev.html ares_set_socket_functions.html
+ ares_set_local_dev.html ares_set_socket_functions.html \
+ adv_20170620.html
 	make -C download
 
 index.html: index.t $(MAINPARTS)
@@ -55,6 +56,11 @@ adv_20160929.html: adv_20160929.t $(MAINPARTS) adv_20160929.gen
 adv_20160929.gen: adv_20160929.md
 	$(MARKDOWN) < $< > $@
 
+adv_20170620.html: adv_20170620.t $(MAINPARTS) adv_20170620.gen
+	$(ACTION)
+adv_20170620.gen: adv_20170620.md
+	$(MARKDOWN) < $< > $@
+
 old.html: old.t $(MAINPARTS)
 	$(ACTION)
 
diff --git a/adv_20170620.md b/adv_20170620.md
@@ -0,0 +1,64 @@
+c-ares NAPTR parser out of bounds access
+========================================
+
+Project c-ares Security Advisory, June 20, 2017 -
+[Permalink](https://c-ares.haxx.se/adv_20170620.html)
+
+VULNERABILITY
+-------------
+
+The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
+NAPTR responses, could be triggered to read memory outside of the given input
+buffer if the passed in DNS response packet was crafted in a particular way.
+
+We are not aware of any exploits of this flaw.
+
+INFO
+----
+
+The Common Vulnerabilities and Exposures (CVE) project has assigned the name
+CVE-2017-1000381 to this issue.
+
+AFFECTED VERSIONS
+-----------------
+
+This flaw exists in the following c-ares versions.
+
+- Affected versions: c-ares 1.8.0 to and including 1.12.0
+- Not affected versions: c-ares >= 1.13.0
+
+THE SOLUTION
+------------
+
+In version 1.13.0, the `RR_len` value gets checked properly and the function
+is also added to the fuzz testing. It was previously accidentally left out
+from that.
+
+A [patch for CVE-2017-1000381](https://c-ares.haxx.se/CVE-2017-1000381.patch)
+is available.
+
+RECOMMENDATIONS
+---------------
+
+We suggest you take one of the following actions immediately, in order of
+preference:
+
+ A - Upgrade c-ares to version 1.13.0
+
+ B - Apply the patch to your version and rebuild
+
+ C - Do not use `ares_parse_naptr_reply()`.
+
+TIME LINE
+---------
+
+It was reported to the c-ares project on May 20. We contacted distros@openall
+on June 16.
+
+c-ares 1.13.0 was released on June 20 2017, coordinated with the publication
+of this advisory.
+
+CREDITS
+-------
+
+Thanks to LCatro for the report and to David Drysdale for the fix.
diff --git a/adv_20170620.t b/adv_20170620.t
@@ -0,0 +1,15 @@
+#include "doctype.t"
+<head>
+<title>ares_create_query single byte out of buffer write</title>
+#include "css.t"
+</head>
+#include "body.t"
+#include "setup.t"
+#include "menu.t"
+
+TITLE(CVE-2017-1000381)
+BOXTOP
+#include "adv_20170620.gen"
+BOXBOT
+
+#include "footer.t"
diff --git a/vulns.t b/vulns.t
@@ -13,6 +13,11 @@ BOXTOP
  This is all known and public c-ares vulnerabilities to date. See also our <a
  href="security.html">security incident process</a>.
 
+<p>
+SUBTITLE(CVE-2017-1000381 - June 20 2017)
+<p>
+ <a href="adv_20170620.html">NAPTR parser out of bounds access</a>
+
 <p>
 SUBTITLE(CVE-2016-5180 - Sep 29 2016)
 <p>
