[Desktop-packages] [Bug 1629085] Re: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

Wed, 30 Nov 2016 10:06:07 -0800 

This bug was fixed in the package c-ares - 1.7.5-1ubuntu0.1

---------------
c-ares (1.7.5-1ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible execution via hostname
    with an escaped trailing dot (LP: #1629085)
    - debian/patches/CVE-2016-5180.patch: properly handle escaped dot in
      ares_mkquery.c.
    - CVE-2016-5180

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Thu, 06 Oct 2016
10:23:45 -0400

** Changed in: c-ares (Ubuntu Precise)
       Status: Confirmed => Fix Released

** Changed in: c-ares (Ubuntu Trusty)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to c-ares in Ubuntu.
https://bugs.launchpad.net/bugs/1629085

Title:
  CVE-2016-5180: out-of-bounds write in ares_create_query and
  ares_mkquery

Status in c-ares package in Ubuntu:
  Confirmed
Status in c-ares source package in Precise:
  Fix Released
Status in c-ares source package in Trusty:
  Fix Released
Status in c-ares source package in Xenial:
  Fix Released
Status in c-ares source package in Yakkety:
  Fix Released
Status in c-ares package in Debian:
  Fix Released

Bug description:
  A new upstream version of c-ares has been released which addresses a
  security vulnerability.

  From: Daniel Stenberg <dan...@haxx.se>
  Date: Thu, 29 Sep 2016 16:02:10 +0200 (CEST)

  `ares_create_query` single byte out of buffer write
  =================================================

  Project c-ares Security Advisory, September 29, 2016 -
  [Permalink](https://c-ares.haxx.se/adv_20160929.html)

  VULNERABILITY
  -------------

  When a string is passed in to `ares_create_query` or `ares_mkquery` and uses
  an escaped trailing dot, like "hello\.", c-ares calculates the string length
  wrong and subsequently writes outside of the the allocated buffer with one
  byte. The wrongly written byte is the least significant byte of the 'dnsclass'
  argument; most commonly 1.

  We have been seen proof of concept code showing how this can be exploited in a
  real-world system, but we are not aware of any such instances having actually
  happened in the wild.

  INFO
  ----

  The Common Vulnerabilities and Exposures (CVE) project has assigned the name
  CVE-2016-5180 to this issue.

  AFFECTED VERSIONS
  -----------------

  This flaw exists in the following c-ares versions.

  - Affected versions: libcurl 1.0.0 to and including 1.11.0
  - Not affected versions: c-ares >= 1.12.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/c-ares/+bug/1629085/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to