c-ares NAPTR parser out of bounds access
Project c-ares Security Advisory, June 20, 2017
VULNERABILITY
The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
We are not aware of any exploits of this flaw.
INFO
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-1000381 to this issue.
AFFECTED VERSIONS
This flaw exists in the following c-ares versions.
- Affected versions: c-ares 1.8.0 to and including 1.12.0
- Not affected versions: c-ares >= 1.13.0
THE SOLUTION
In version 1.13.0, the RR_len value is checked properly, and the function is also added to fuzz testing, from which it had previously been accidentally left out.
A patch for CVE-2017-1000381 is available.
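To illustrate the class of check the fix adds, here is an added example of a small NAPTR RDATA parser written for this advisory; it is not c-ares' own code, and the structure, function names and the constructed sample records are all assumptions for illustration. The point it shows is that a record's RR_len must be bounded by the bytes actually remaining in the response, and that every length-prefixed sub-field inside the record must in turn be bounded by the record's own end, so a crafted response cannot make the parser read past the input buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed NAPTR RDATA fields (RFC 3403 layout). Constructed for this
   example; not c-ares' own structures. */
typedef struct {
    uint16_t order;
    uint16_t preference;
    char flags[256];
    char service[256];
    char regexp[256];
} naptr_rdata;

/* Read one length-prefixed <character-string> from [p, end).
   Returns bytes consumed, or 0 if the string would run past `end`. */
static size_t read_charstring(const uint8_t *p, const uint8_t *end, char *out)
{
    if (p >= end) return 0;
    size_t len = p[0];
    if ((size_t)(end - p) < 1 + len) return 0;   /* must fit inside the RR */
    memcpy(out, p + 1, len);
    out[len] = '\0';
    return 1 + len;
}

/* Parse NAPTR RDATA of rr_len bytes starting at offset `rdata` inside a
   response buffer of `alen` bytes.  Returns 0 on success, -1 on malformed
   input.  The first check is the one this advisory is about: rr_len is
   attacker-controlled and must be validated against the enclosing buffer
   before any field is read. */
int parse_naptr_rdata(const uint8_t *abuf, size_t alen, size_t rdata,
                      size_t rr_len, naptr_rdata *out)
{
    if (rdata > alen || rr_len > alen - rdata) return -1;  /* RR outside buffer */
    const uint8_t *p = abuf + rdata;
    const uint8_t *end = p + rr_len;
    /* ORDER (2) + PREFERENCE (2) + three character-strings (>= 1 byte each) */
    if (rr_len < 7) return -1;
    out->order = (uint16_t)((p[0] << 8) | p[1]);
    out->preference = (uint16_t)((p[2] << 8) | p[3]);
    p += 4;
    size_t n;
    if ((n = read_charstring(p, end, out->flags)) == 0) return -1;
    p += n;
    if ((n = read_charstring(p, end, out->service)) == 0) return -1;
    p += n;
    if ((n = read_charstring(p, end, out->regexp)) == 0) return -1;
    p += n;
    /* The REPLACEMENT domain name follows and must also stay within [p, end);
       name decompression is omitted from this example. */
    return (p <= end) ? 0 : -1;
}

/* Constructed 16-byte RDATA: order 100, preference 10, flags "u",
   service "E2U+sip", empty regexp, root replacement. */
static const uint8_t SAMPLE[16] = {
    0x00, 0x64, 0x00, 0x0A, 0x01, 'u',
    0x07, 'E', '2', 'U', '+', 's', 'i', 'p', 0x00, 0x00
};

/* Well-formed record: returns the parsed ORDER field (100). */
int demo_valid(void)
{
    naptr_rdata r;
    if (parse_naptr_rdata(SAMPLE, sizeof SAMPLE, 0, sizeof SAMPLE, &r) != 0)
        return -1;
    return r.order;
}

/* RR_len claims 40 bytes but only 16 exist: must be rejected (-1). */
int demo_oversized_rr_len(void)
{
    naptr_rdata r;
    return parse_naptr_rdata(SAMPLE, sizeof SAMPLE, 0, 40, &r);
}

/* Inner field claims a 200-byte flags string inside a 16-byte RR: rejected. */
int demo_oversized_field(void)
{
    uint8_t bad[16];
    memcpy(bad, SAMPLE, sizeof bad);
    bad[4] = 200;  /* flags length now exceeds the RR */
    naptr_rdata r;
    return parse_naptr_rdata(bad, sizeof bad, 0, sizeof bad, &r);
}

int main(void)
{
    printf("valid: order=%d\n", demo_valid());
    printf("oversized RR_len: %d\n", demo_oversized_rr_len());
    printf("oversized field: %d\n", demo_oversized_field());
    return 0;
}
```

Both rejection paths matter: validating RR_len against the packet stops the record header from being read out of bounds, and validating each character-string against the record's end stops a sub-field length from walking past it.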
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade c-ares to version 1.13.0
B - Apply the patch to your version and rebuild
C - Do not use ares_parse_naptr_reply().
TIME LINE
It was reported to the c-ares project on May 20. We contacted distros@openwall on June 16.
c-ares 1.13.0 was released on June 20 2017, coordinated with the publication of this advisory.
CREDITS
Thanks to LCatro for the report and to David Drysdale for the fix.