diff --git a/backport-001-CVE-2023-31130.patch b/backport-001-CVE-2023-31130.patch new file mode 100644 index 0000000000000000000000000000000000000000..a9f2277b1a44be29516a9b9f71b1b62efb5370f8 --- /dev/null +++ b/backport-001-CVE-2023-31130.patch @@ -0,0 +1,325 @@ +From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001 +From: Brad House +Date: Mon, 22 May 2023 06:51:34 -0400 +Subject: [PATCH] Merge pull request from GHSA-x6mf-cxr9-8q6v + +* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares. +* Always use our own IP conversion functions now, do not delegate to OS + so we can have consistency in testing and fuzzing. +* Removed bogus test cases that never should have passed. +* Add new test case for crash bug found. + +Fix By: Brad House (@bradh352) + +Conflict: src/lib/inet_net_pton.c -> inet_net_pton.c +Reference: https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2 +--- + inet_net_pton.c | 155 ++++++++++++++++++++----------------- + test/ares-test-internal.cc | 7 +- + 2 files changed, 86 insertions(+), 76 deletions(-) + + +diff --git a/inet_net_pton.c b/inet_net_pton.c +index 840de5065..fc50425b8 100644 +--- a/inet_net_pton.c ++++ b/inet_net_pton.c +@@ -1,19 +1,20 @@ + + /* +- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2012 by Gilles Chehade + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * +- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE ++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL ++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR ++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS ++ * SOFTWARE. + */ + + #include "ares_setup.h" +@@ -35,9 +36,6 @@ + + const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }; + +- +-#ifndef HAVE_INET_NET_PTON +- + /* + * static int + * inet_net_pton_ipv4(src, dst, size) +@@ -60,7 +58,7 @@ const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0, + * Paul Vixie (ISC), June 1996 + */ + static int +-inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) ++ares_inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) + { + static const char xdigits[] = "0123456789abcdef"; + static const char digits[] = "0123456789"; +@@ -261,19 +259,14 @@ getv4(const char *src, unsigned char *dst, int *bitsp) + } + + static int +-inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++ares_inet_pton6(const char *src, unsigned char *dst) + { + static const char xdigits_l[] = "0123456789abcdef", +- xdigits_u[] = "0123456789ABCDEF"; ++ xdigits_u[] = "0123456789ABCDEF"; + unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; + const char *xdigits, *curtok; +- int ch, saw_xdigit; ++ int ch, saw_xdigit, count_xdigit; + unsigned int val; +- int digits; +- int bits; +- size_t bytes; +- int words; +- int ipv4; + + memset((tp = tmp), '\0', NS_IN6ADDRSZ); + endp = tp + NS_IN6ADDRSZ; +@@ -283,22 +276,22 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + if (*++src != ':') + goto enoent; + curtok = src; +- saw_xdigit = 0; ++ saw_xdigit = count_xdigit = 0; + val = 0; +- digits = 0; +- bits = -1; +- ipv4 = 0; + while ((ch = *src++) != '\0') { + const char *pch; + + if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) + pch = strchr((xdigits = xdigits_u), ch); + if (pch != NULL) { ++ if (count_xdigit >= 4) ++ goto enoent; + val <<= 4; +- val |= aresx_sztoui(pch - xdigits); +- if (++digits > 4) ++ val |= (pch - xdigits); ++ if (val > 0xffff) + goto enoent; + saw_xdigit = 1; ++ count_xdigit++; + continue; + } + if (ch == ':') { +@@ -308,78 +301,107 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + goto enoent; + colonp = tp; + continue; +- } else if (*src == '\0') ++ } else if (*src == '\0') { + goto enoent; ++ } + if (tp + NS_INT16SZ > endp) +- return (0); +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ goto enoent; ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + saw_xdigit = 0; +- digits = 0; ++ count_xdigit = 0; + val = 0; + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && +- getv4(curtok, tp, &bits) > 0) { +- tp += NS_INADDRSZ; ++ ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) { ++ tp += INADDRSZ; + saw_xdigit = 0; +- ipv4 = 1; ++ count_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } +- if (ch == '/' && getbits(src, &bits) > 0) +- break; + goto enoent; + } + if (saw_xdigit) { + if (tp + NS_INT16SZ > endp) + goto enoent; +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + } +- if (bits == -1) +- bits = 128; +- +- words = (bits + 15) / 16; +- if (words < 2) +- words = 2; +- if (ipv4) +- words = 8; +- endp = tmp + 2 * words; +- + if (colonp != NULL) { + /* + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ +- const ares_ssize_t n = tp - colonp; +- ares_ssize_t i; ++ const int n = tp - colonp; ++ int i; + + if (tp == endp) + goto enoent; + for (i = 1; i <= n; i++) { +- *(endp - i) = *(colonp + n - i); +- *(colonp + n - i) = 0; ++ endp[- i] = colonp[n - i]; ++ colonp[n - i] = 0; + } + tp = endp; + } + if (tp != endp) + goto enoent; + +- bytes = (bits + 7) / 8; +- if (bytes > size) +- goto emsgsize; +- memcpy(dst, tmp, bytes); +- return (bits); ++ memcpy(dst, tmp, NS_IN6ADDRSZ); ++ return (1); + +- enoent: ++enoent: + SET_ERRNO(ENOENT); + return (-1); + +- emsgsize: ++emsgsize: + SET_ERRNO(EMSGSIZE); + return (-1); + } + ++static int ++ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++{ ++ struct ares_in6_addr in6; ++ int ret; ++ int bits; ++ size_t bytes; ++ char buf[INET6_ADDRSTRLEN + sizeof("/128")]; ++ char *sep; ++ const char *errstr; ++ ++ if (strlen(src) >= sizeof buf) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ strncpy(buf, src, sizeof buf); ++ ++ sep = strchr(buf, '/'); ++ if (sep != NULL) ++ *sep++ = '\0'; ++ ++ ret = ares_inet_pton6(buf, (unsigned char *)&in6); ++ if (ret != 1) ++ return (-1); ++ ++ if (sep == NULL) ++ bits = 128; ++ else { ++ if (!getbits(sep, &bits)) { ++ SET_ERRNO(ENOENT); ++ return (-1); ++ } ++ } ++ ++ bytes = (bits + 7) / 8; ++ if (bytes > size) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ memcpy(dst, &in6, bytes); ++ return (bits); ++} ++ + /* + * int + * inet_net_pton(af, src, dst, size) +@@ -403,18 +425,15 @@ ares_inet_net_pton(int af, const char *src, void *dst, size_t size) + { + switch (af) { + case AF_INET: +- return (inet_net_pton_ipv4(src, dst, size)); ++ return (ares_inet_net_pton_ipv4(src, dst, size)); + case AF_INET6: +- return (inet_net_pton_ipv6(src, dst, size)); ++ return (ares_inet_net_pton_ipv6(src, dst, size)); + default: + SET_ERRNO(EAFNOSUPPORT); + return (-1); + } + } + +-#endif /* HAVE_INET_NET_PTON */ +- +-#ifndef HAVE_INET_PTON + int ares_inet_pton(int af, const char *src, void *dst) + { + int result; +@@ -434,11 +453,3 @@ int ares_inet_pton(int af, const char *src, void *dst) + return 0; + return (result > -1 ? 1 : -1); + } +-#else /* HAVE_INET_PTON */ +-int ares_inet_pton(int af, const char *src, void *dst) +-{ +- /* just relay this to the underlying function */ +- return inet_pton(af, src, dst); +-} +- +-#endif +diff --git a/test/ares-test-internal.cc b/test/ares-test-internal.cc +index 1cb7e427d..40cc82b86 100644 +--- a/test/ares-test-internal.cc ++++ b/test/ares-test-internal.cc +@@ -123,6 +123,7 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "12:34::ff/0", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "12:34::ffff:0.2", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); ++ EXPECT_EQ(2, ares_inet_net_pton(AF_INET6, "0::00:00:00/2", &a6, sizeof(a6))); + + // Various malformed versions + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET, "", &a4, sizeof(a4))); +@@ -160,11 +161,9 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234:", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678", &a6, sizeof(a6))); +- // TODO(drysdale): check whether the next two tests should give -1. +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:257.2.3.4", &a6, sizeof(a6))); +- EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:002.2.3.4", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5.6", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.z", &a6, sizeof(a6))); diff --git a/backport-001-CVE-2023-31147.patch b/backport-001-CVE-2023-31147.patch new file mode 100644 index 0000000000000000000000000000000000000000..f41f13d1046ad368e5038e26419cf64cea805ec6 --- /dev/null +++ b/backport-001-CVE-2023-31147.patch @@ -0,0 +1,721 @@ +From 823df3b989e59465d17b0a2eb1239a5fc048b4e5 Mon Sep 17 00:00:00 2001 +From: Brad House +Date: Mon, 22 May 2023 06:51:06 -0400 +Subject: [PATCH] Merge pull request from GHSA-8r8p-23f3-64c2 + +* segment random number generation into own file + +* abstract random code to make it more modular so we can have multiple backends + +* rand: add support for arc4random_buf() and also direct CARES_RANDOM_FILE reading + +* autotools: fix detection of arc4random_buf + +* rework initial rc4 seed for PRNG as last fallback + +* rc4: more proper implementation, simplified for clarity + +* clarifications + +Conflict: src/lib/Makefile.inc -> Makefile.inc +src/lib/ares_config.h.cmake -> ares_config.h.cmake +src/lib/ares_destroy.c -> ares_destroy.c +src/lib/ares_init.c -> ares_init.c +src/lib/ares_private.h -> ares_private.h +src/lib/ares_query.c -> ares_query.c +src/lib/ares_rand.c -> ares_rand.c +context adapt +Reference: https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5 +--- + CMakeLists.txt | 2 + + Makefile.inc | 1 + + ares_config.h.cmake | 3 + + ares_destroy.c | 3 + + ares_init.c | 81 ++----------- + ares_private.h | 19 ++- + ares_query.c | 36 +----- + ares_rand.c | 274 ++++++++++++++++++++++++++++++++++++++++++ + configure.ac | 1 + + m4/cares-functions.m4 | 85 +++++++++++++ + 10 files changed, 387 insertions(+), 118 deletions(-) + create mode 100644 ares_rand.c + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 20b192e..f2ceae8 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -370,6 +370,8 @@ CHECK_SYMBOL_EXISTS (strncasecmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCAS + CHECK_SYMBOL_EXISTS (strncmpi "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCMPI) + CHECK_SYMBOL_EXISTS (strnicmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNICMP) + CHECK_SYMBOL_EXISTS (writev "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_WRITEV) ++CHECK_SYMBOL_EXISTS (arc4random_buf "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_ARC4RANDOM_BUF) ++ + + # On Android, the system headers may define __system_property_get(), but excluded + # from libc. We need to perform a link test instead of a header/symbol test. +diff --git a/Makefile.inc b/Makefile.inc +index f65df1f..4853c06 100644 +--- a/Makefile.inc ++++ b/Makefile.inc +@@ -41,6 +41,7 @@ CSOURCES = ares__close_sockets.c \ + ares_platform.c \ + ares_process.c \ + ares_query.c \ ++ ares_rand.c \ + ares_search.c \ + ares_send.c \ + ares_strcasecmp.c \ +diff --git a/ares_config.h.cmake b/ares_config.h.cmake +index b76acc1..441d065 100644 +--- a/ares_config.h.cmake ++++ b/ares_config.h.cmake +@@ -346,6 +346,9 @@ + /* Define to 1 if you need the memory.h header file even with stdlib.h */ + #cmakedefine NEED_MEMORY_H + ++/* Define if have arc4random_buf() */ ++#cmakedefine HAVE_ARC4RANDOM_BUF ++ + /* a suitable file/device to read random data from */ + #cmakedefine RANDOM_FILE + +diff --git a/ares_destroy.c b/ares_destroy.c +index fed2009..0447af4 100644 +--- a/ares_destroy.c ++++ b/ares_destroy.c +@@ -90,6 +90,9 @@ void ares_destroy(ares_channel channel) + if (channel->resolvconf_path) + ares_free(channel->resolvconf_path); + ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); ++ + ares_free(channel); + } + +diff --git a/ares_init.c b/ares_init.c +index cde3bfc..236cae0 100644 +--- a/ares_init.c ++++ b/ares_init.c +@@ -79,7 +79,6 @@ static int config_nameserver(struct server_state **servers, int *nservers, + static int set_search(ares_channel channel, const char *str); + static int set_options(ares_channel channel, const char *str); + static const char *try_option(const char *p, const char *q, const char *opt); +-static int init_id_key(rc4_key* key,int key_data_len); + + static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str); +@@ -170,6 +169,7 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + channel->sock_funcs = NULL; + channel->sock_func_cb_data = NULL; + channel->resolvconf_path = NULL; ++ channel->rand_state = NULL; + + channel->last_server = 0; + channel->last_timeout_processed = (time_t)now.tv_sec; +@@ -223,9 +223,13 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + /* Generate random key */ + + if (status == ARES_SUCCESS) { +- status = init_id_key(&channel->id_key, ARES_ID_KEY_LEN); ++ channel->rand_state = ares__init_rand_state(); ++ if (channel->rand_state == NULL) { ++ status = ARES_ENOMEM; ++ } ++ + if (status == ARES_SUCCESS) +- channel->next_id = ares__generate_new_id(&channel->id_key); ++ channel->next_id = ares__generate_new_id(channel->rand_state); + else + DEBUGF(fprintf(stderr, "Error: init_id_key failed: %s\n", + ares_strerror(status))); +@@ -245,6 +249,8 @@ done: + ares_free(channel->lookups); + if(channel->resolvconf_path) + ares_free(channel->resolvconf_path); ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); + ares_free(channel); + return status; + } +@@ -2466,75 +2472,6 @@ static int sortlist_alloc(struct apattern **sortlist, int *nsort, + return 1; + } + +-/* initialize an rc4 key. If possible a cryptographically secure random key +- is generated using a suitable function (for example win32's RtlGenRandom as +- described in +- http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx +- otherwise the code defaults to cross-platform albeit less secure mechanism +- using rand +-*/ +-static void randomize_key(unsigned char* key,int key_data_len) +-{ +- int randomized = 0; +- int counter=0; +-#ifdef WIN32 +- BOOLEAN res; +- if (ares_fpSystemFunction036) +- { +- res = (*ares_fpSystemFunction036) (key, key_data_len); +- if (res) +- randomized = 1; +- } +-#else /* !WIN32 */ +-#ifdef RANDOM_FILE +- FILE *f = fopen(RANDOM_FILE, "rb"); +- if(f) { +- counter = aresx_uztosi(fread(key, 1, key_data_len, f)); +- fclose(f); +- } +-#endif +-#endif /* WIN32 */ +- +- if (!randomized) { +- for (;counterstate[0]; +- for(counter = 0; counter < 256; counter++) +- /* unnecessary AND but it keeps some compilers happier */ +- state[counter] = (unsigned char)(counter & 0xff); +- randomize_key(key->state,key_data_len); +- key->x = 0; +- key->y = 0; +- index1 = 0; +- index2 = 0; +- for(counter = 0; counter < 256; counter++) +- { +- index2 = (unsigned char)((key_data_ptr[index1] + state[counter] + +- index2) % 256); +- ARES_SWAP_BYTE(&state[counter], &state[index2]); +- +- index1 = (unsigned char)((index1 + 1) % key_data_len); +- } +- ares_free(key_data_ptr); +- return ARES_SUCCESS; +-} +- + void ares_set_local_ip4(ares_channel channel, unsigned int local_ip) + { + channel->local_ip4 = local_ip; +diff --git a/ares_private.h b/ares_private.h +index 1884c16..887df82 100644 +--- a/ares_private.h ++++ b/ares_private.h +@@ -95,8 +95,6 @@ + + #endif + +-#define ARES_ID_KEY_LEN 31 +- + #include "ares_ipv6.h" + #include "ares_llist.h" + +@@ -256,12 +254,8 @@ struct apattern { + unsigned short type; + }; + +-typedef struct rc4_key +-{ +- unsigned char state[256]; +- unsigned char x; +- unsigned char y; +-} rc4_key; ++struct ares_rand_state; ++typedef struct ares_rand_state ares_rand_state; + + struct ares_channeldata { + /* Configuration data */ +@@ -296,8 +290,8 @@ struct ares_channeldata { + + /* ID to use for next query */ + unsigned short next_id; +- /* key to use when generating new ids */ +- rc4_key id_key; ++ /* random state to use when generating new ids */ ++ ares_rand_state *rand_state; + + /* Generation number to use for the next TCP socket open/close */ + int tcp_connection_generation; +@@ -353,7 +347,10 @@ void ares__close_sockets(ares_channel channel, struct server_state *server); + int ares__get_hostent(FILE *fp, int family, struct hostent **host); + int ares__read_line(FILE *fp, char **buf, size_t *bufsize); + void ares__free_query(struct query *query); +-unsigned short ares__generate_new_id(rc4_key* key); ++ ++ares_rand_state *ares__init_rand_state(void); ++void ares__destroy_rand_state(ares_rand_state *state); ++unsigned short ares__generate_new_id(ares_rand_state *state); + struct timeval ares__tvnow(void); + int ares__expand_name_for_response(const unsigned char *encoded, + const unsigned char *abuf, int alen, +diff --git a/ares_query.c b/ares_query.c +index 5bbb2f5..40b508b 100644 +--- a/ares_query.c ++++ b/ares_query.c +@@ -39,32 +39,6 @@ struct qquery { + + static void qcallback(void *arg, int status, int timeouts, unsigned char *abuf, int alen); + +-static void rc4(rc4_key* key, unsigned char *buffer_ptr, int buffer_len) +-{ +- unsigned char x; +- unsigned char y; +- unsigned char* state; +- unsigned char xorIndex; +- int counter; +- +- x = key->x; +- y = key->y; +- +- state = &key->state[0]; +- for(counter = 0; counter < buffer_len; counter ++) +- { +- x = (unsigned char)((x + 1) % 256); +- y = (unsigned char)((state[x] + y) % 256); +- ARES_SWAP_BYTE(&state[x], &state[y]); +- +- xorIndex = (unsigned char)((state[x] + state[y]) % 256); +- +- buffer_ptr[counter] = (unsigned char)(buffer_ptr[counter]^state[xorIndex]); +- } +- key->x = x; +- key->y = y; +-} +- + static struct query* find_query_by_id(ares_channel channel, unsigned short id) + { + unsigned short qid; +@@ -84,7 +58,6 @@ static struct query* find_query_by_id(ares_channel channel, unsigned short id) + return NULL; + } + +- + /* a unique query id is generated using an rc4 key. Since the id may already + be used by a running query (as infrequent as it may be), a lookup is + performed per id generation. In practice this search should happen only +@@ -95,19 +68,12 @@ static unsigned short generate_unique_id(ares_channel channel) + unsigned short id; + + do { +- id = ares__generate_new_id(&channel->id_key); ++ id = ares__generate_new_id(channel->rand_state); + } while (find_query_by_id(channel, id)); + + return (unsigned short)id; + } + +-unsigned short ares__generate_new_id(rc4_key* key) +-{ +- unsigned short r=0; +- rc4(key, (unsigned char *)&r, sizeof(r)); +- return r; +-} +- + void ares_query(ares_channel channel, const char *name, int dnsclass, + int type, ares_callback callback, void *arg) + { +diff --git a/ares_rand.c b/ares_rand.c +new file mode 100644 +index 0000000..a564bc2 +--- /dev/null ++++ b/ares_rand.c +@@ -0,0 +1,274 @@ ++/* Copyright 1998 by the Massachusetts Institute of Technology. ++ * Copyright (C) 2007-2013 by Daniel Stenberg ++ * ++ * Permission to use, copy, modify, and distribute this ++ * software and its documentation for any purpose and without ++ * fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright ++ * notice and this permission notice appear in supporting ++ * documentation, and that the name of M.I.T. not be used in ++ * advertising or publicity pertaining to distribution of the ++ * software without specific, written prior permission. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" ++ * without express or implied warranty. ++ */ ++ ++#include "ares_setup.h" ++#include "ares.h" ++#include "ares_private.h" ++#include "ares_nowarn.h" ++#include ++ ++typedef enum { ++ ARES_RAND_OS = 1, /* OS-provided such as RtlGenRandom or arc4random */ ++ ARES_RAND_FILE = 2, /* OS file-backed random number generator */ ++ ARES_RAND_RC4 = 3 /* Internal RC4 based PRNG */ ++} ares_rand_backend; ++ ++typedef struct ares_rand_rc4 ++{ ++ unsigned char S[256]; ++ size_t i; ++ size_t j; ++} ares_rand_rc4; ++ ++struct ares_rand_state ++{ ++ ares_rand_backend type; ++ union { ++ FILE *rand_file; ++ ares_rand_rc4 rc4; ++ } state; ++}; ++ ++ ++/* Define RtlGenRandom = SystemFunction036. This is in advapi32.dll. There is ++ * no need to dynamically load this, other software used widely does not. ++ * http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx ++ * https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom ++ */ ++#ifdef _WIN32 ++BOOLEAN WINAPI SystemFunction036(PVOID RandomBuffer, ULONG RandomBufferLength); ++# ifndef RtlGenRandom ++# define RtlGenRandom(a,b) SystemFunction036(a,b) ++# endif ++#endif ++ ++ ++#define ARES_RC4_KEY_LEN 32 /* 256 bits */ ++ ++static unsigned int ares_u32_from_ptr(void *addr) ++{ ++ if (sizeof(void *) == 8) { ++ return (unsigned int)((((size_t)addr >> 32) & 0xFFFFFFFF) | ((size_t)addr & 0xFFFFFFFF)); ++ } ++ return (unsigned int)((size_t)addr & 0xFFFFFFFF); ++} ++ ++ ++/* initialize an rc4 key as the last possible fallback. */ ++static void ares_rc4_generate_key(ares_rand_rc4 *rc4_state, unsigned char *key, size_t key_len) ++{ ++ size_t i; ++ size_t len = 0; ++ unsigned int data; ++ struct timeval tv; ++ ++ if (key_len != ARES_RC4_KEY_LEN) ++ return; ++ ++ /* Randomness is hard to come by. Maybe the system randomizes heap and stack addresses. ++ * Maybe the current timestamp give us some randomness. ++ * Use rc4_state (heap), &i (stack), and ares__tvnow() ++ */ ++ data = ares_u32_from_ptr(rc4_state); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ data = ares_u32_from_ptr(&i); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ tv = ares__tvnow(); ++ data = (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ srand(ares_u32_from_ptr(rc4_state) | ares_u32_from_ptr(&i) | (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF)); ++ ++ for (i=len; iS); i++) { ++ rc4_state->S[i] = i & 0xFF; ++ } ++ ++ for(i = 0, j = 0; i < 256; i++) { ++ j = (j + rc4_state->S[i] + key[i % sizeof(key)]) % 256; ++ ARES_SWAP_BYTE(&rc4_state->S[i], &rc4_state->S[j]); ++ } ++ ++ rc4_state->i = 0; ++ rc4_state->j = 0; ++} ++ ++/* Just outputs the key schedule, no need to XOR with any data since we have none */ ++static void ares_rc4_prng(ares_rand_rc4 *rc4_state, unsigned char *buf, int len) ++{ ++ unsigned char *S = rc4_state->S; ++ size_t i = rc4_state->i; ++ size_t j = rc4_state->j; ++ size_t cnt; ++ ++ for (cnt=0; cnti = i; ++ rc4_state->j = j; ++} ++ ++ ++static int ares__init_rand_engine(ares_rand_state *state) ++{ ++ memset(state, 0, sizeof(*state)); ++ ++#if defined(HAVE_ARC4RANDOM_BUF) || defined(_WIN32) ++ state->type = ARES_RAND_OS; ++ return 1; ++#elif defined(CARES_RANDOM_FILE) ++ state->type = ARES_RAND_FILE; ++ state->state.rand_file = fopen(CARES_RANDOM_FILE, "rb"); ++ if (state->state.rand_file) { ++ setvbuf(state->state.rand_file, NULL, _IONBF, 0); ++ return 1; ++ } ++ /* Fall-Thru on failure to RC4 */ ++#endif ++ ++ state->type = ARES_RAND_RC4; ++ ares_rc4_init(&state->state.rc4); ++ ++ /* Currently cannot fail */ ++ return 1; ++} ++ ++ ++ares_rand_state *ares__init_rand_state() ++{ ++ ares_rand_state *state = NULL; ++ ++ state = ares_malloc(sizeof(*state)); ++ if (!state) ++ return NULL; ++ ++ if (!ares__init_rand_engine(state)) { ++ ares_free(state); ++ return NULL; ++ } ++ ++ return state; ++} ++ ++ ++static void ares__clear_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++ break; ++ case ARES_RAND_FILE: ++ fclose(state->state.rand_file); ++ break; ++ case ARES_RAND_RC4: ++ break; ++ } ++} ++ ++ ++static void ares__reinit_rand(ares_rand_state *state) ++{ ++ ares__clear_rand_state(state); ++ ares__init_rand_engine(state); ++} ++ ++ ++void ares__destroy_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ ares__clear_rand_state(state); ++ ares_free(state); ++} ++ ++ ++static void ares__rand_bytes(ares_rand_state *state, unsigned char *buf, size_t len) ++{ ++ ++ while (1) { ++ size_t rv; ++ size_t bytes_read = 0; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++#ifdef _WIN32 ++ RtlGenRandom(buf, len); ++ return; ++#elif defined(HAVE_ARC4RANDOM_BUF) ++ arc4random_buf(buf, len); ++ return; ++#else ++ /* Shouldn't be possible to be here */ ++ break; ++#endif ++ ++ case ARES_RAND_FILE: ++ while (1) { ++ size_t rv = fread(buf + bytes_read, 1, len - bytes_read, state->state.rand_file); ++ if (rv == 0) ++ break; /* critical error, will reinit rand state */ ++ ++ bytes_read += rv; ++ if (bytes_read == len) ++ return; ++ } ++ break; ++ ++ case ARES_RAND_RC4: ++ ares_rc4_prng(&state->state.rc4, buf, len); ++ return; ++ } ++ ++ /* If we didn't return before we got here, that means we had a critical rand ++ * failure and need to reinitialized */ ++ ares__reinit_rand(state); ++ } ++} ++ ++unsigned short ares__generate_new_id(ares_rand_state *state) ++{ ++ unsigned short r=0; ++ ++ ares__rand_bytes(state, (unsigned char *)&r, sizeof(r)); ++ return r; ++} ++ +diff --git a/configure.ac b/configure.ac +index f5a3b94..e1aaa4e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -606,6 +606,7 @@ CARES_CHECK_FUNC_STRNCASECMP + CARES_CHECK_FUNC_STRNCMPI + CARES_CHECK_FUNC_STRNICMP + CARES_CHECK_FUNC_WRITEV ++CARES_CHECK_FUNC_ARC4RANDOM_BUF + + + dnl check for AF_INET6 +diff --git a/m4/cares-functions.m4 b/m4/cares-functions.m4 +index 0f3992c..d4f4f99 100644 +--- a/m4/cares-functions.m4 ++++ b/m4/cares-functions.m4 +@@ -3753,3 +3753,88 @@ AC_DEFUN([CARES_CHECK_FUNC_WRITEV], [ + ac_cv_func_writev="no" + fi + ]) ++ ++dnl CARES_CHECK_FUNC_ARC4RANDOM_BUF ++dnl ------------------------------------------------- ++dnl Verify if arc4random_buf is available, prototyped, and ++dnl can be compiled. If all of these are true, and ++dnl usage has not been previously disallowed with ++dnl shell variable cares_disallow_arc4random_buf, then ++dnl HAVE_ARC4RANDOM_BUF will be defined. ++ ++AC_DEFUN([CARES_CHECK_FUNC_ARC4RANDOM_BUF], [ ++ AC_REQUIRE([CARES_INCLUDES_STDLIB])dnl ++ # ++ tst_links_arc4random_buf="unknown" ++ tst_proto_arc4random_buf="unknown" ++ tst_compi_arc4random_buf="unknown" ++ tst_allow_arc4random_buf="unknown" ++ # ++ AC_MSG_CHECKING([if arc4random_buf can be linked]) ++ AC_LINK_IFELSE([ ++ AC_LANG_FUNC_LINK_TRY([arc4random_buf]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_links_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_links_arc4random_buf="no" ++ ]) ++ # ++ if test "$tst_links_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is prototyped]) ++ AC_EGREP_CPP([arc4random_buf],[ ++ $cares_includes_stdlib ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_proto_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_proto_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_proto_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is compilable]) ++ AC_COMPILE_IFELSE([ ++ AC_LANG_PROGRAM([[ ++ $cares_includes_stdlib ++ ]],[[ ++ arc4random_buf(NULL, 0); ++ return 1; ++ ]]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_compi_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_compi_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_compi_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf usage allowed]) ++ if test "x$cares_disallow_arc4random_buf" != "xyes"; then ++ AC_MSG_RESULT([yes]) ++ tst_allow_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ tst_allow_arc4random_buf="no" ++ fi ++ fi ++ # ++ AC_MSG_CHECKING([if arc4random_buf might be used]) ++ if test "$tst_links_arc4random_buf" = "yes" && ++ test "$tst_proto_arc4random_buf" = "yes" && ++ test "$tst_compi_arc4random_buf" = "yes" && ++ test "$tst_allow_arc4random_buf" = "yes"; then ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE_UNQUOTED(HAVE_ARC4RANDOM_BUF, 1, ++ [Define to 1 if you have the arc4random_buf function.]) ++ ac_cv_func_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ ac_cv_func_arc4random_buf="no" ++ fi ++]) ++ +-- +2.27.0 + diff --git a/backport-002-CVE-2023-31124_CVE-2023-31147.patch b/backport-002-CVE-2023-31124_CVE-2023-31147.patch new file mode 100644 index 0000000000000000000000000000000000000000..21b5544357247eab81db01e20319a40cee6f4013 --- /dev/null +++ b/backport-002-CVE-2023-31124_CVE-2023-31147.patch @@ -0,0 +1,284 @@ +From 69950390b2d8063b6540dc75941a30ea56d11918 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis +Date: Thu, 25 May 2023 21:31:33 +0200 +Subject: [PATCH] rand: add support for getrandom() (#526) + +glibc provides arc4random_buf() but musl does not and /dev/urandom is +not always available. + +Conflict: include/ares_build.h.cmake -> ares_build.h.cmake +src/lib/ares_config.h.cmake -> ares_config.h.cmake +src/lib/ares_rand.c -> ares_rand.c +src/lib/setup_once.h -> setup_once.h +context adapt +Reference: https://github.com/c-ares/c-ares/commit/69950390b2d8063b6540dc75941a30ea56d11918 +--- + CMakeLists.txt | 6 +++ + ares_build.h.cmake | 5 +++ + ares_config.h.cmake | 3 ++ + ares_rand.c | 17 ++++++- + configure.ac | 1 + + m4/cares-functions.m4 | 102 ++++++++++++++++++++++++++++++++++++++++++ + setup_once.h | 4 ++ + 7 files changed, 137 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index f2ceae8..ddab7ae 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -153,6 +153,7 @@ CARES_FUNCTION_IN_LIBRARY (clock_gettime rt HAVE_LIBRT) + + # Look for necessary includes + CHECK_INCLUDE_FILES (sys/types.h HAVE_SYS_TYPES_H) ++CHECK_INCLUDE_FILES (sys/random.h HAVE_SYS_RANDOM_H) + CHECK_INCLUDE_FILES (sys/socket.h HAVE_SYS_SOCKET_H) + CHECK_INCLUDE_FILES (arpa/inet.h HAVE_ARPA_INET_H) + CHECK_INCLUDE_FILES (arpa/nameser_compat.h HAVE_ARPA_NAMESER_COMPAT_H) +@@ -259,6 +260,7 @@ CARES_EXTRAINCLUDE_IFSET (HAVE_STDLIB_H stdlib.h) + CARES_EXTRAINCLUDE_IFSET (HAVE_STRING_H string.h) + CARES_EXTRAINCLUDE_IFSET (HAVE_STRINGS_H strings.h) + CARES_EXTRAINCLUDE_IFSET (HAVE_SYS_IOCTL_H sys/ioctl.h) ++CARES_EXTRAINCLUDE_IFSET (HAVE_SYS_RANDOM_H sys/random.h) + CARES_EXTRAINCLUDE_IFSET (HAVE_SYS_SELECT_H sys/select.h) + CARES_EXTRAINCLUDE_IFSET (HAVE_SYS_SOCKET_H sys/socket.h) + CARES_EXTRAINCLUDE_IFSET (HAVE_SYS_TIME_H sys/time.h) +@@ -342,6 +344,7 @@ CHECK_SYMBOL_EXISTS (gethostbyaddr "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_GETHOST + CHECK_SYMBOL_EXISTS (gethostbyname "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_GETHOSTBYNAME) + CHECK_SYMBOL_EXISTS (gethostname "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_GETHOSTNAME) + CHECK_SYMBOL_EXISTS (getnameinfo "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_GETNAMEINFO) ++CHECK_SYMBOL_EXISTS (getrandom "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_GETRANDOM) + CHECK_SYMBOL_EXISTS (getservbyport_r "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_GETSERVBYPORT_R) + CHECK_SYMBOL_EXISTS (getservbyname_r "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_GETSERVBYNAME_R) + CHECK_SYMBOL_EXISTS (gettimeofday "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_GETTIMEOFDAY) +@@ -537,6 +540,9 @@ ENDIF () + IF (HAVE_SYS_TYPES_H) + SET (CARES_HAVE_SYS_TYPES_H 1) + ENDIF () ++IF (HAVE_SYS_RANDOM_H) ++ SET (CARES_HAVE_SYS_RANDOM_H 1) ++ENDIF() + IF (HAVE_SYS_SOCKET_H) + SET (CARES_HAVE_SYS_SOCKET_H 1) + ENDIF() +diff --git a/ares_build.h.cmake b/ares_build.h.cmake +index ac32d47..862bfe4 100644 +--- a/ares_build.h.cmake ++++ b/ares_build.h.cmake +@@ -8,6 +8,7 @@ + * files. We need to include some dependent headers that may be system specific + * for C-Ares */ + #cmakedefine CARES_HAVE_SYS_TYPES_H ++#cmakedefine CARES_HAVE_SYS_RANDOM_H + #cmakedefine CARES_HAVE_SYS_SOCKET_H + #cmakedefine CARES_HAVE_WINDOWS_H + #cmakedefine CARES_HAVE_WS2TCPIP_H +@@ -18,6 +19,10 @@ + # include + #endif + ++#ifdef CARES_HAVE_SYS_RANDOM_H ++# include ++#endif ++ + #ifdef CARES_HAVE_SYS_SOCKET_H + # include + #endif +diff --git a/ares_config.h.cmake b/ares_config.h.cmake +index 441d065..669572f 100644 +--- a/ares_config.h.cmake ++++ b/ares_config.h.cmake +@@ -123,6 +123,9 @@ + /* Define to 1 if you have the getnameinfo function. */ + #cmakedefine HAVE_GETNAMEINFO + ++/* Define to 1 if you have the getrandom function. */ ++#cmakedefine HAVE_GETRANDOM ++ + /* Define to 1 if you have the getservbyport_r function. */ + #cmakedefine HAVE_GETSERVBYPORT_R + +diff --git a/ares_rand.c b/ares_rand.c +index a564bc2..dbdfef7 100644 +--- a/ares_rand.c ++++ b/ares_rand.c +@@ -149,7 +149,7 @@ static int ares__init_rand_engine(ares_rand_state *state) + { + memset(state, 0, sizeof(*state)); + +-#if defined(HAVE_ARC4RANDOM_BUF) || defined(_WIN32) ++#if defined(HAVE_ARC4RANDOM_BUF) || defined(HAVE_GETRANDOM) || defined(_WIN32) + state->type = ARES_RAND_OS; + return 1; + #elif defined(CARES_RANDOM_FILE) +@@ -236,6 +236,21 @@ static void ares__rand_bytes(ares_rand_state *state, unsigned char *buf, size_t + #elif defined(HAVE_ARC4RANDOM_BUF) + arc4random_buf(buf, len); + return; ++#elif defined(HAVE_GETRANDOM) ++ while (1) { ++ size_t n = len - bytes_read; ++ /* getrandom() on Linux always succeeds and is never ++ * interrupted by a signal when requesting <= 256 bytes. ++ */ ++ ssize_t rv = getrandom(buf + bytes_read, n > 256 ? 256 : n, 0); ++ if (rv <= 0) ++ continue; /* Just retry. */ ++ ++ bytes_read += rv; ++ if (bytes_read == len) ++ return; ++ } ++ break; + #else + /* Shouldn't be possible to be here */ + break; +diff --git a/configure.ac b/configure.ac +index e1aaa4e..201abdf 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -589,6 +589,7 @@ CARES_CHECK_FUNC_GETENV + CARES_CHECK_FUNC_GETHOSTBYADDR + CARES_CHECK_FUNC_GETHOSTBYNAME + CARES_CHECK_FUNC_GETHOSTNAME ++CARES_CHECK_FUNC_GETRANDOM + CARES_CHECK_FUNC_GETSERVBYPORT_R + CARES_CHECK_FUNC_INET_NET_PTON + CARES_CHECK_FUNC_INET_NTOP +diff --git a/m4/cares-functions.m4 b/m4/cares-functions.m4 +index d4f4f99..ce8d2f9 100644 +--- a/m4/cares-functions.m4 ++++ b/m4/cares-functions.m4 +@@ -186,6 +186,24 @@ cares_includes_stropts="\ + ]) + + ++dnl CARES_INCLUDES_SYS_RANDOM ++dnl ------------------------------------------------- ++dnl Set up variable with list of headers that must be ++dnl included when sys/random.h is to be included. ++ ++AC_DEFUN([CARES_INCLUDES_SYS_RANDOM], [ ++cares_includes_sys_random="\ ++/* includes start */ ++#ifdef HAVE_SYS_RANDOM_H ++# include ++#endif ++/* includes end */" ++ AC_CHECK_HEADERS( ++ sys/random.h, ++ [], [], [$cares_includes_sys_random]) ++]) ++ ++ + dnl CARES_INCLUDES_SYS_SOCKET + dnl ------------------------------------------------- + dnl Set up variable with list of headers that must be +@@ -1520,6 +1538,90 @@ AC_DEFUN([CARES_CHECK_FUNC_GETHOSTNAME], [ + fi + ]) + ++dnl CARES_CHECK_FUNC_GETRANDOM ++dnl ------------------------------------------------- ++dnl Verify if getrandom is available, prototyped, and ++dnl can be compiled. If all of these are true, and ++dnl usage has not been previously disallowed with ++dnl shell variable cares_disallow_getrandom, then ++dnl HAVE_GETRANDOM will be defined. ++ ++AC_DEFUN([CARES_CHECK_FUNC_GETRANDOM], [ ++ AC_REQUIRE([CARES_INCLUDES_SYS_RANDOM])dnl ++ # ++ tst_links_getrandom="unknown" ++ tst_proto_getrandom="unknown" ++ tst_compi_getrandom="unknown" ++ tst_allow_getrandom="unknown" ++ # ++ AC_MSG_CHECKING([if getrandom can be linked]) ++ AC_LINK_IFELSE([ ++ AC_LANG_FUNC_LINK_TRY([getrandom]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_links_getrandom="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_links_getrandom="no" ++ ]) ++ # ++ if test "$tst_links_getrandom" = "yes"; then ++ AC_MSG_CHECKING([if getrandom is prototyped]) ++ AC_EGREP_CPP([getrandom],[ ++ $cares_includes_sys_random ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_proto_getrandom="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_proto_getrandom="no" ++ ]) ++ fi ++ # ++ if test "$tst_proto_getrandom" = "yes"; then ++ AC_MSG_CHECKING([if getrandom is compilable]) ++ AC_COMPILE_IFELSE([ ++ AC_LANG_PROGRAM([[ ++ $cares_includes_sys_random ++ ]],[[ ++ if(0 != getrandom(0, 0, 0)) ++ return 1; ++ ]]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_compi_getrandom="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_compi_getrandom="no" ++ ]) ++ fi ++ # ++ if test "$tst_compi_getrandom" = "yes"; then ++ AC_MSG_CHECKING([if getrandom usage allowed]) ++ if test "x$cares_disallow_getrandom" != "xyes"; then ++ AC_MSG_RESULT([yes]) ++ tst_allow_getrandom="yes" ++ else ++ AC_MSG_RESULT([no]) ++ tst_allow_getrandom="no" ++ fi ++ fi ++ # ++ AC_MSG_CHECKING([if getrandom might be used]) ++ if test "$tst_links_getrandom" = "yes" && ++ test "$tst_proto_getrandom" = "yes" && ++ test "$tst_compi_getrandom" = "yes" && ++ test "$tst_allow_getrandom" = "yes"; then ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE_UNQUOTED(HAVE_GETRANDOM, 1, ++ [Define to 1 if you have the getrandom function.]) ++ ac_cv_func_getrandom="yes" ++ else ++ AC_MSG_RESULT([no]) ++ ac_cv_func_getrandom="no" ++ fi ++]) ++ + + dnl CARES_CHECK_FUNC_GETSERVBYPORT_R + dnl ------------------------------------------------- +diff --git a/setup_once.h b/setup_once.h +index a8cfe6b..4b0f9ce 100644 +--- a/setup_once.h ++++ b/setup_once.h +@@ -91,6 +91,10 @@ + # endif + #endif + ++#ifdef HAVE_SYS_RANDOM_H ++#include ++#endif ++ + #ifdef HAVE_SYS_SOCKET_H + #include + #endif +-- +2.27.0 + diff --git a/backport-002-CVE-2023-31130.patch b/backport-002-CVE-2023-31130.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6b3e1f0d3090f7597feea5c13436d3d8ecec3e8 --- /dev/null +++ b/backport-002-CVE-2023-31130.patch @@ -0,0 +1,27 @@ +From 424012216c40c8498015b942353e9bb7267e929b Mon Sep 17 00:00:00 2001 +From: bradh352 +Date: Mon, 22 May 2023 06:57:23 -0400 +Subject: [PATCH] windows build fix + +Conflict: src/lib/inet_net_pton.c -> inet_net_pton.c +Reference:https://github.com/c-ares/c-ares/commit/424012216c40c8498015b942353e9bb7267e929b + +--- + inet_net_pton.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/inet_net_pton.c b/inet_net_pton.c +index fc50425b..d94a5f41 100644 +--- a/inet_net_pton.c ++++ b/inet_net_pton.c +@@ -314,8 +314,8 @@ ares_inet_pton6(const char *src, unsigned char *dst) + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && +- ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) { +- tp += INADDRSZ; ++ ares_inet_net_pton_ipv4(curtok, tp, NS_INADDRSZ) > 0) { ++ tp += NS_INADDRSZ; + saw_xdigit = 0; + count_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ diff --git a/backport-003-CVE-2023-31130.patch b/backport-003-CVE-2023-31130.patch new file mode 100644 index 0000000000000000000000000000000000000000..134573a733fec51003259c7f5a8d3eeac315a256 --- /dev/null +++ b/backport-003-CVE-2023-31130.patch @@ -0,0 +1,111 @@ +From fb79ae7bede940f0fef538472ff8a726df780f8f Mon Sep 17 00:00:00 2001 +From: bradh352 +Date: Mon, 22 May 2023 07:09:40 -0400 +Subject: [PATCH] minor CI issues fixes for imported inet_net_pton + +Conflict: src/lib/inet_net_pton.c -> inet_net_pton.c +Reference: https://github.com/c-ares/c-ares/commit/fb79ae7bede940f0fef538472ff8a726df780f8f + +--- + inet_net_pton.c | 53 ++--------------------------------------- + 1 file changed, 2 insertions(+), 51 deletions(-) + +diff --git a/inet_net_pton.c b/inet_net_pton.c +index d94a5f41..7130f0f1 100644 +--- a/inet_net_pton.c ++++ b/inet_net_pton.c +@@ -214,49 +214,6 @@ getbits(const char *src, int *bitsp) + return (1); + } + +-static int +-getv4(const char *src, unsigned char *dst, int *bitsp) +-{ +- static const char digits[] = "0123456789"; +- unsigned char *odst = dst; +- int n; +- unsigned int val; +- char ch; +- +- val = 0; +- n = 0; +- while ((ch = *src++) != '\0') { +- const char *pch; +- +- pch = strchr(digits, ch); +- if (pch != NULL) { +- if (n++ != 0 && val == 0) /* no leading zeros */ +- return (0); +- val *= 10; +- val += aresx_sztoui(pch - digits); +- if (val > 255) /* range */ +- return (0); +- continue; +- } +- if (ch == '.' || ch == '/') { +- if (dst - odst > 3) /* too many octets? */ +- return (0); +- *dst++ = (unsigned char)val; +- if (ch == '/') +- return (getbits(src, bitsp)); +- val = 0; +- n = 0; +- continue; +- } +- return (0); +- } +- if (n == 0) +- return (0); +- if (dst - odst > 3) /* too many octets? */ +- return (0); +- *dst = (unsigned char)val; +- return 1; +-} + + static int + ares_inet_pton6(const char *src, unsigned char *dst) +@@ -287,7 +244,7 @@ ares_inet_pton6(const char *src, unsigned char *dst) + if (count_xdigit >= 4) + goto enoent; + val <<= 4; +- val |= (pch - xdigits); ++ val |= (unsigned int)(pch - xdigits); + if (val > 0xffff) + goto enoent; + saw_xdigit = 1; +@@ -317,7 +274,6 @@ ares_inet_pton6(const char *src, unsigned char *dst) + ares_inet_net_pton_ipv4(curtok, tp, NS_INADDRSZ) > 0) { + tp += NS_INADDRSZ; + saw_xdigit = 0; +- count_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } + goto enoent; +@@ -333,7 +289,7 @@ ares_inet_pton6(const char *src, unsigned char *dst) + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ +- const int n = tp - colonp; ++ const int n = (int)(tp - colonp); + int i; + + if (tp == endp) +@@ -353,10 +309,6 @@ ares_inet_pton6(const char *src, unsigned char *dst) + enoent: + SET_ERRNO(ENOENT); + return (-1); +- +-emsgsize: +- SET_ERRNO(EMSGSIZE); +- return (-1); + } + + static int +@@ -368,7 +320,6 @@ ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + size_t bytes; + char buf[INET6_ADDRSTRLEN + sizeof("/128")]; + char *sep; +- const char *errstr; + + if (strlen(src) >= sizeof buf) { + SET_ERRNO(EMSGSIZE); diff --git a/backport-003-CVE-2023-31147.patch b/backport-003-CVE-2023-31147.patch new file mode 100644 index 0000000000000000000000000000000000000000..79885893bd36c3ca5645fe27901fc528f61c7700 --- /dev/null +++ b/backport-003-CVE-2023-31147.patch @@ -0,0 +1,32 @@ +From 00f47ed830fc22775ffdc2bc2a691372684fae4f Mon Sep 17 00:00:00 2001 +From: bradh352 +Date: Mon, 22 May 2023 07:02:59 -0400 +Subject: [PATCH] ares_rand static analysis fixes from CI + +Conflict: src/lib/ares_rand.c -> ares_rand.c +Reference: https://github.com/c-ares/c-ares/commit/00f47ed830fc22775ffdc2bc2a691372684fae4f +--- + ares_rand.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/ares_rand.c b/ares_rand.c +index a564bc23..a55a90bf 100644 +--- a/ares_rand.c ++++ b/ares_rand.c +@@ -125,7 +125,7 @@ static void ares_rc4_init(ares_rand_rc4 *rc4_state) + } + + /* Just outputs the key schedule, no need to XOR with any data since we have none */ +-static void ares_rc4_prng(ares_rand_rc4 *rc4_state, unsigned char *buf, int len) ++static void ares_rc4_prng(ares_rand_rc4 *rc4_state, unsigned char *buf, size_t len) + { + unsigned char *S = rc4_state->S; + size_t i = rc4_state->i; +@@ -225,7 +225,6 @@ static void ares__rand_bytes(ares_rand_state *state, unsigned char *buf, size_t + { + + while (1) { +- size_t rv; + size_t bytes_read = 0; + + switch (state->type) { diff --git a/backport-004-CVE-2023-31147.patch b/backport-004-CVE-2023-31147.patch new file mode 100644 index 0000000000000000000000000000000000000000..798e1f4a276b765f360459ec350e9bf64e7ed5a9 --- /dev/null +++ b/backport-004-CVE-2023-31147.patch @@ -0,0 +1,33 @@ +From 7da53555c284e896baabdaef441e883bf5245f11 Mon Sep 17 00:00:00 2001 +From: bradh352 +Date: Mon, 22 May 2023 07:37:38 -0400 +Subject: [PATCH] windows MSVC compiler fix on 32bit + +Conflict: src/lib/ares_rand.c -> ares_rand.c +Reference: https://github.com/c-ares/c-ares/commit/7da53555c284e896baabdaef441e883bf5245f11 +--- + ares_rand.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/ares_rand.c b/ares_rand.c +index a55a90bf..766c1e6e 100644 +--- a/ares_rand.c ++++ b/ares_rand.c +@@ -58,10 +58,16 @@ BOOLEAN WINAPI SystemFunction036(PVOID RandomBuffer, ULONG RandomBufferLength); + + #define ARES_RC4_KEY_LEN 32 /* 256 bits */ + ++#ifdef _MSC_VER ++typedef unsigned __int64 cares_u64; ++#else ++typedef unsigned long long cares_u64; ++#endif ++ + static unsigned int ares_u32_from_ptr(void *addr) + { + if (sizeof(void *) == 8) { +- return (unsigned int)((((size_t)addr >> 32) & 0xFFFFFFFF) | ((size_t)addr & 0xFFFFFFFF)); ++ return (unsigned int)((((cares_u64)addr >> 32) & 0xFFFFFFFF) | ((cares_u64)addr & 0xFFFFFFFF)); + } + return (unsigned int)((size_t)addr & 0xFFFFFFFF); + } diff --git a/backport-CVE-2023-31124.patch b/backport-CVE-2023-31124.patch new file mode 100644 index 0000000000000000000000000000000000000000..f19ee6f01652ac7305a5ec2970571bf184bcd68b --- /dev/null +++ b/backport-CVE-2023-31124.patch @@ -0,0 +1,61 @@ +From c4930223e51d0e3dbfd8b2a814f4be2e269e2a9d Mon Sep 17 00:00:00 2001 +From: Brad House +Date: Sun, 30 Apr 2023 14:53:34 -0400 +Subject: [PATCH] Merge pull request from GHSA-54xr-f67r-4pc4 + +* CARES_RANDOM_FILE should always default to /dev/urandom + +During cross-compilation, CARES_RANDOM_FILE may not be able to be appropriately +detected, therefore we should always set it to /dev/urandom and allow the +entity requesting compilation override the value. The code does appropriately +fall back if CARES_RANDOM_FILE cannot be opened. + +* use set not option + +Conflict: remove: "find_file(CARES_RANDOM_FILE urandom /dev)" and "find_file(CARES_RANDOM_FILE urandom /dev)" +rename: CARES_RANDOM_FILE -> RANDOM_FILE +Reference: https://github.com/c-ares/c-ares/commit/c4930223e51d0e3dbfd8b2a814f4be2e269e2a9d +--- + CMakeLists.txt | 2 ++ + configure.ac | 12 +----------- + 2 files changed, 3 insertions(+), 11 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index ddab7ae..2ddb1bf 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -36,6 +36,8 @@ OPTION (CARES_STATIC_PIC "Build the static library as PIC (position independent) + OPTION (CARES_BUILD_TESTS "Build and run tests" OFF) + OPTION (CARES_BUILD_CONTAINER_TESTS "Build and run container tests (implies CARES_BUILD_TESTS, Linux only)" OFF) + OPTION (CARES_BUILD_TOOLS "Build tools" ON) ++SET (RANDOM_FILE "/dev/urandom" CACHE STRING "Suitable File / Device Path for entropy, such as /dev/urandom") ++ + + # Tests require static to be enabled + IF (CARES_BUILD_TESTS) +diff --git a/configure.ac b/configure.ac +index 201abdf..496414b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -821,17 +821,7 @@ AC_ARG_WITH(random, + AC_HELP_STRING([--with-random=FILE], + [read randomness from FILE (default=/dev/urandom)]), + [ RANDOM_FILE="$withval" ], +- [ +- dnl Check for random device. If we're cross compiling, we can't +- dnl check, and it's better to assume it doesn't exist than it is +- dnl to fail on AC_CHECK_FILE or later. +- if test "$cross_compiling" = "no"; then +- AC_CHECK_FILE("/dev/urandom", [ RANDOM_FILE="/dev/urandom"] ) +- else +- AC_MSG_WARN([cannot check for /dev/urandom while cross compiling; assuming none]) +- fi +- +- ] ++ [ RANDOM_FILE="/dev/urandom" ] + ) + if test -n "$RANDOM_FILE" && test X"$RANDOM_FILE" != Xno ; then + AC_SUBST(RANDOM_FILE) +-- +2.27.0 + diff --git a/c-ares.spec b/c-ares.spec index 72459fa7bd5ea894ad293f8df92ced3269458ef7..bd669360bb975e8147df4d2698e79b18bb7ed9ef 100644 --- a/c-ares.spec +++ b/c-ares.spec @@ -1,6 +1,6 @@ Name: c-ares Version: 1.16.1 -Release: 6 +Release: 7 Summary: A C library for asynchronous DNS requests License: MIT @@ -19,6 +19,14 @@ Patch6: backport-002-CVE-2021-3672.patch Patch7: backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch Patch8: backport-disable-live-tests.patch Patch9: backport-CVE-2023-32067.patch +Patch10: backport-001-CVE-2023-31130.patch +Patch11: backport-002-CVE-2023-31130.patch +Patch12: backport-003-CVE-2023-31130.patch +Patch13: backport-001-CVE-2023-31147.patch +Patch14: backport-002-CVE-2023-31124_CVE-2023-31147.patch +Patch15: backport-003-CVE-2023-31147.patch +Patch16: backport-004-CVE-2023-31147.patch +Patch17: backport-CVE-2023-31124.patch %description This is c-ares, an asynchronous resolver library. It is intended for applications @@ -66,6 +74,12 @@ make %{?_smp_mflags} %{_mandir}/man3/* %changelog +* Thu Jun 08 2023 xinghe - 1.16.1-7 +- Type:cves +- CVE:CVE-2023-31130 CVE-2023-31124 CVE-2023-31147 +- SUG:NA +- DESC:fix CVE-2023-31130 CVE-2023-31124 CVE-2023-31147 + * Mon May 29 2023 xinghe - 1.16.1-6 - Type:cves - CVE:CVE-2023-32067