From 05e4369f228fdafdb9e23c92129df08d0786ae5e Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Thu, 11 Mar 2021 16:14:56 +0800
Subject: [PATCH 1/2] fix CVE-2020-8277

(cherry picked from commit 011e521b3701c7b73ac02a7278e877c50eafbf39)
---
CVE-2020-8277.patch | 53 +++++++++++++++++++++++++++++++++++++++++++++
c-ares.spec | 12 +++++++++-
2 files changed, 64 insertions(+), 1 deletion(-)
create mode 100644 CVE-2020-8277.patch

diff --git a/CVE-2020-8277.patch b/CVE-2020-8277.patch
new file mode 100644
index 0000000..a2aa4b6
--- /dev/null
+++ b/CVE-2020-8277.patch
@@ -0,0 +1,53 @@
+From 0d252eb3b2147179296a3bdb4ef97883c97c54d3 Mon Sep 17 00:00:00 2001
+From: bradh352
+Date: Thu, 12 Nov 2020 10:24:40 -0500
+Subject: [PATCH] ares_parse_{a,aaaa}_reply could return larger *naddrttls than
+ passed in
+
+If there are more ttls returned than the maximum provided by the requestor, then
+the *naddrttls response would be larger than the actual number of elements in
+the addrttls array.
+
+This bug could lead to invalid memory accesses in applications using c-ares.
+
+This behavior appeared to break with PR #257
+
+Fixes: #371
+Reported By: Momtchil Momtchev (@mmomtchev)
+Fix By: Brad House (@bradh352)
+---
+ ares_parse_a_reply.c | 3 ++-
+ ares_parse_aaaa_reply.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ares_parse_a_reply.c b/ares_parse_a_reply.c
+index d8a9e9b..e71c993 100644
+--- a/ares_parse_a_reply.c
++++ b/ares_parse_a_reply.c
+@@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
+
+ if (naddrttls)
+ {
+- *naddrttls = naddrs;
++ /* Truncated to at most *naddrttls entries */
++ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
+ }
+
+ ares__freeaddrinfo_cnames(ai.cnames);
+diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c
+index 0d39bfa..346d430 100644
+--- a/ares_parse_aaaa_reply.c
++++ b/ares_parse_aaaa_reply.c
+@@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
+
+ if (naddrttls)
+ {
+- *naddrttls = naddrs;
++ /* Truncated to at most *naddrttls entries */
++ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
+ }
+
+ ares__freeaddrinfo_cnames(ai.cnames);
+--
+1.8.3.1
+
diff --git a/c-ares.spec b/c-ares.spec
index 860029a..b00c88d 100644
--- a/c-ares.spec
+++ b/c-ares.spec
@@ -1,6 +1,6 @@
 Name: c-ares
 Version: 1.16.1
-Release: 1
+Release: 3
 Summary: A C library for asynchronous DNS requests
 License: MIT
@@ -13,6 +13,7 @@ Patch0: 0000-Use-RPM-compiler-options.patch
 Patch1: 0001-Fix-invalid-read-in-ares_parse_soa_reply.patch
 Patch2: 0002-Fix-sizeof-sizeof-addr.saX-sizeof-addr.saX-in-readad.patch
 Patch3: 0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
+Patch4: CVE-2020-8277.patch
 %description
 This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple
@@ -55,6 +56,15 @@ make %{?_smp_mflags}
 %{_mandir}/man3/*
 %changelog
+* Thu Mar 11 2021 openEuler Buildteam - 1.16.1-3
+- fix CVE-2020-8277
+
+* Tue Sep 8 2020 lunankun - 1.16.1-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix source0 url
+
 * Tue Aug 25 2020 gaihuiying - 1.16.1-1
 - Type:requirement
 - ID:NA
--
Gitee

From 97424e3650f0994404d20017ab0daeddb26e39cc Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Mon, 15 Mar 2021 11:14:39 +0800
Subject: [PATCH 2/2] fix sync error

---
c-ares.spec | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/c-ares.spec b/c-ares.spec
index b00c88d..ba47387 100644
--- a/c-ares.spec
+++ b/c-ares.spec
@@ -1,6 +1,6 @@
 Name: c-ares
 Version: 1.16.1
-Release: 3
+Release: 2
 Summary: A C library for asynchronous DNS requests
 License: MIT
@@ -56,15 +56,9 @@ make %{?_smp_mflags}
 %{_mandir}/man3/*
 %changelog
-* Thu Mar 11 2021 openEuler Buildteam - 1.16.1-3
+* Thu Mar 11 2021 openEuler Buildteam - 1.16.1-2
 - fix CVE-2020-8277
 
-* Tue Sep 8 2020 lunankun - 1.16.1-2
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC:fix source0 url
-
 * Tue Aug 25 2020 gaihuiying - 1.16.1-1
 - Type:requirement
 - ID:NA
--
Gitee
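Review bot: The `+Patch4: CVE-2020-8277.patch` line in the first c-ares.spec hunk only declares the patch; whether it is actually applied depends on the `%prep` section, which is outside this hunk, and if `%prep` lists patches explicitly (`%patch0 -p1` … `%patch3 -p1`) rather than using `%autosetup`, the CVE fix would be shipped in the changelog but never reach the built library. Please confirm `%prep` picks up Patch4, adding `%patch4 -p1` alongside the existing entries if it does not. As a point of style, the new file name breaks the `NNNN-description.patch` scheme used by Patch0–Patch3; a name like `0004-fix-CVE-2020-8277.patch` (constructed example) would keep the series ordered and still carry the CVE id for later auditing.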