Project c-ares Security Advisory, June 20, 2017
The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed-in DNS response packet was crafted in a particular way.
We are not aware of any exploits of this flaw.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-1000381 to this issue.
This flaw exists in the following c-ares versions.
In version 1.13.0, the RR_len value is checked properly, and the function has also been added to the fuzz testing, from which it was previously accidentally left out.
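As an added illustration of the kind of RR_len check the fix describes (this is example code with hypothetical names, not c-ares's own parser): a NAPTR RDATA parser that validates the declared record length before every read and rejects records whose length does not cover the fields they claim to contain.

```c
#include <stdint.h>
#include <string.h>

/* Parsed view of one NAPTR RDATA block (hypothetical struct, not the c-ares API). */
typedef struct {
    uint16_t order, preference;
    const uint8_t *flags, *service, *regexp;
    size_t flags_len, service_len, regexp_len;
    size_t replacement_off;           /* where the replacement name starts */
} naptr_rdata;

/* Read one DNS <character-string> (length byte + data) without stepping past end. */
static int read_charstr(const uint8_t *p, size_t end, size_t *off,
                        const uint8_t **out, size_t *out_len)
{
    if (*off >= end) return -1;                 /* no room for the length byte */
    size_t n = p[*off];
    if (n > end - *off - 1) return -1;          /* data would run past the RR */
    *out = p + *off + 1; *out_len = n; *off += 1 + n;
    return 0;
}

/* Parse rr_len bytes of NAPTR RDATA; every read is checked against rr_len first.
 * Returns 0 on success, -1 if the record is truncated or malformed. */
int parse_naptr_rdata(const uint8_t *rdata, size_t rr_len, naptr_rdata *out)
{
    if (rr_len < 4) return -1;                  /* order + preference */
    out->order = (uint16_t)(rdata[0] << 8 | rdata[1]);
    out->preference = (uint16_t)(rdata[2] << 8 | rdata[3]);
    size_t off = 4;
    if (read_charstr(rdata, rr_len, &off, &out->flags, &out->flags_len)) return -1;
    if (read_charstr(rdata, rr_len, &off, &out->service, &out->service_len)) return -1;
    if (read_charstr(rdata, rr_len, &off, &out->regexp, &out->regexp_len)) return -1;
    if (off >= rr_len) return -1;               /* replacement name needs >= 1 byte */
    out->replacement_off = off;
    return 0;
}

/* Constructed sample: order 100, preference 10, flags "s", service "SIP+D2T",
 * empty regexp, replacement "." (single zero byte). 16 bytes in total. */
const uint8_t sample_naptr[] = { 0x00, 0x64, 0x00, 0x0a, 1, 's',
    7, 'S', 'I', 'P', '+', 'D', '2', 'T', 0, 0 };

/* 1 if rdata parses as a well-formed NAPTR record when rr_len bytes are present. */
int naptr_parse_ok(const uint8_t *rdata, size_t rr_len)
{
    naptr_rdata r;
    return parse_naptr_rdata(rdata, rr_len, &r) == 0;
}
```

Passing the same bytes with a shorter rr_len (for instance 10, which cuts into the service string) makes the parser fail closed instead of reading beyond the record.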
A patch for CVE-2017-1000381 is available.
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade c-ares to version 1.13.0
B - Apply the patch to your version and rebuild
C - Do not use
The flaw was reported to the c-ares project on May 20. We contacted distros@openwall on June 16.
c-ares 1.13.0 was released on June 20 2017, coordinated with the publication of this advisory.
Thanks to LCatro for the report and to David Drysdale for the fix.