CVE-2017-1000381: ares_create_query single byte out of buffer write

c-ares NAPTR parser out of bounds access

Project c-ares Security Advisory, June 20, 2017 - Permalink

VULNERABILITY

The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.

We are not aware of any exploits of this flaw.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-1000381 to this issue.

AFFECTED VERSIONS

This flaw exists in the following c-ares versions.

• Affected versions: c-ares 1.8.0 to and including 1.12.0
• Not affected versions: c-ares >= 1.13.0

THE SOLUTION

In version 1.13.0, the RR_len value gets checked properly and the function is also added to the fuzz testing. It was previously accidentally left out from that.

A patch for CVE-2017-1000381 is available.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade c-ares to version 1.13.0

B - Apply the patch to your version and rebuild

C - Do not use ares_parse_naptr_reply().

TIME LINE

It was reported to the c-ares project on May 20. We contacted distros@openall on June 16.

c-ares 1.13.0 was released on June 20 2017, coordinated with the publication of this advisory.

CREDITS

Thanks to LCatro for the report and to David Drysdale for the fix.