From 8495d333c28bb0b5ac955e03204481445d36fb2a Mon Sep 17 00:00:00 2001
From: lwg
Date: Tue, 27 Feb 2024 11:19:40 +0800
Subject: [PATCH] fix CVE-2024-25629
Signed-off-by: lwg
---
 backport-CVE-2024-25629.patch | 30 ++++++++++++++++++++++++++++++
 c-ares.spec | 9 ++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-25629.patch
diff --git a/backport-CVE-2024-25629.patch b/backport-CVE-2024-25629.patch
new file mode 100644
index 0000000..9121acf
--- /dev/null
+++ b/backport-CVE-2024-25629.patch
@@ -0,0 +1,30 @@
+From a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001
+From: Brad House
+Date: Thu, 22 Feb 2024 16:23:33 -0500
+Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q
+
+---
+ src/lib/ares__read_line.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/ares__read_line.c b/ares__read_line.c
+index d65ac1fcf..018f55e8b 100644
+--- a/ares__read_line.c
++++ b/ares__read_line.c
+@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+ if (!fgets(*buf + offset, bytestoread, fp))
+ return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+ len = offset + strlen(*buf + offset);
++
++ /* Probably means there was an embedded NULL as the first character in
++ * the line, throw away line */
++ if (len == 0) {
++ offset = 0;
++ continue;
++ }
++
+ if ((*buf)[len - 1] == '\n')
+ {
+ (*buf)[len - 1] = 0;
+--
+2.20.1
diff --git a/c-ares.spec b/c-ares.spec
index eb0047e..d4c40a4 100644
--- a/c-ares.spec
+++ b/c-ares.spec
@@ -1,6 +1,6 @@
 Name: c-ares
 Version: 1.16.1
-Release: 7
+Release: 9
 Summary: A C library for asynchronous DNS requests
 License: MIT
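Review bot: The patch added as `backport-CVE-2024-25629.patch` carries no description beyond the advisory merge subject, and its diffstat still names `src/lib/ares__read_line.c` while the diff itself targets `ares__read_line.c`, so the path was evidently adapted for this tree without the header saying so. A header line such as `Backport for 1.16.1: path changed from src/lib/; guards the (*buf)[len - 1] access when fgets() stores an empty string` would record both the adaptation and the reason for the fix. In the code, the new `len == 0` check sits directly before `(*buf)[len - 1]`, which with a zero length would index one byte before the buffer, and the comment could say that instead of only naming the trigger. Since `len` is `offset + strlen(...)`, a zero `len` presumably already implies a zero `offset`, which makes `offset = 0;` redundant but harmless. `ares__read_line` starts and ends outside the hunk, so the declarations and the rest of the loop were not reviewed.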
@@ -27,6 +27,7 @@ Patch14: backport-002-CVE-2023-31124_CVE-2023-31147.patch
 Patch15: backport-003-CVE-2023-31147.patch
 Patch16: backport-004-CVE-2023-31147.patch
 Patch17: backport-CVE-2023-31124.patch
+Patch18: backport-CVE-2024-25629.patch
 %description
 This is c-ares, an asynchronous resolver library. It is intended for applications
@@ -74,6 +75,12 @@ make %{?_smp_mflags}
 %{_mandir}/man3/*
 %changelog
+* Tue Feb 27 2024 liweigang - 1.16.1-9
+- Type: cve
+- CVE: CVE-2024-25629
+- SUG: NA
+- DESC: fix CVE-2024-25629
+
 * Wed Jan 31 2024 lifeifei - 1.16.1-8
 - Type:bugfix
 - ID:NA
--
Gitee