Ubuntu
c-ares package

CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

Bug #1629085 reported by Gregor Jasny
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
c-ares (Debian)
Fix Released
Unknown
c-ares (Ubuntu)
Fix Released
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned
Trusty
Fix Released
Medium
Unassigned
Xenial
Fix Released
Medium
Unassigned
Yakkety
Fix Released
Medium
Unassigned

Bug Description

A new upstream version of c-ares has been released which addresses a
security vulnerability.

From: Daniel Stenberg <email address hidden>
Date: Thu, 29 Sep 2016 16:02:10 +0200 (CEST)

`ares_create_query` single byte out of buffer write
=================================================

Project c-ares Security Advisory, September 29, 2016 -
[Permalink](https://c-ares.haxx.se/adv_20160929.html)

VULNERABILITY
-------------

When a string is passed in to `ares_create_query` or `ares_mkquery` and uses
an escaped trailing dot, like "hello\.", c-ares calculates the string length
wrong and subsequently writes outside of the the allocated buffer with one
byte. The wrongly written byte is the least significant byte of the 'dnsclass'
argument; most commonly 1.

We have been seen proof of concept code showing how this can be exploited in a
real-world system, but we are not aware of any such instances having actually
happened in the wild.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-5180 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following c-ares versions.

- Affected versions: libcurl 1.0.0 to and including 1.11.0
- Not affected versions: c-ares >= 1.12.0

CVE References

Revision history for this message
Gregor Jasny (gjasny) wrote :

For Debian I provided the following updates:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839151#23

Bug Watch Updater (bug-watch-updater)
Changed in c-ares (Debian):
status: Unknown → Fix Released
Revision history for this message
Emily Ratliff (emilyr) wrote :

Thanks for reporting this bug/CVE. It has been added to the Ubuntu CVE tracker and a package update will be prepared for it. Since the CVE is public, I'm marking the bug public as well.

information type: Private Security → Public Security
Marc Deslauriers (mdeslaur)
Changed in c-ares (Ubuntu Precise):
status: New → Confirmed
Changed in c-ares (Ubuntu Trusty):
status: New → Confirmed
Changed in c-ares (Ubuntu Xenial):
status: New → Confirmed
Changed in c-ares (Ubuntu Yakkety):
status: New → Confirmed
Changed in c-ares (Ubuntu Precise):
importance: Undecided → Medium
Changed in c-ares (Ubuntu Trusty):
importance: Undecided → Medium
Changed in c-ares (Ubuntu Xenial):
importance: Undecided → Medium
Changed in c-ares (Ubuntu Yakkety):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package c-ares - 1.7.5-1ubuntu0.1

---------------
c-ares (1.7.5-1ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible execution via hostname
    with an escaped trailing dot (LP: #1629085)
    - debian/patches/CVE-2016-5180.patch: properly handle escaped dot in
      ares_mkquery.c.
    - CVE-2016-5180

 -- Marc Deslauriers <email address hidden> Thu, 06 Oct 2016 10:23:45 -0400

Changed in c-ares (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package c-ares - 1.10.0-2ubuntu0.1

---------------
c-ares (1.10.0-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible execution via hostname
    with an escaped trailing dot (LP: #1629085)
    - debian/patches/CVE-2016-5180.patch: properly handle escaped dot in
      ares_create_query.c.
    - CVE-2016-5180

 -- Marc Deslauriers <email address hidden> Thu, 06 Oct 2016 10:15:41 -0400

Changed in c-ares (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package c-ares - 1.10.0-3ubuntu0.1

---------------
c-ares (1.10.0-3ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible execution via hostname
    with an escaped trailing dot (LP: #1629085)
    - debian/patches/CVE-2016-5180.patch: properly handle escaped dot in
      ares_create_query.c.
    - CVE-2016-5180

 -- Marc Deslauriers <email address hidden> Thu, 06 Oct 2016 10:15:11 -0400

Changed in c-ares (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package c-ares - 1.11.0-1ubuntu0.1

---------------
c-ares (1.11.0-1ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible execution via hostname
    with an escaped trailing dot (LP: #1629085)
    - debian/patches/CVE-2016-5180.patch: properly handle escaped dot in
      ares_create_query.c.
    - CVE-2016-5180

 -- Marc Deslauriers <email address hidden> Thu, 06 Oct 2016 10:08:23 -0400

Changed in c-ares (Ubuntu Yakkety):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur)
Changed in c-ares (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.