CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
c-ares (Debian) |
Fix Released
|
Unknown
|
|||
c-ares (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Precise |
Fix Released
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Fix Released
|
Medium
|
Unassigned | ||
Yakkety |
Fix Released
|
Medium
|
Unassigned |
Bug Description
A new upstream version of c-ares has been released which addresses a
security vulnerability.
From: Daniel Stenberg <email address hidden>
Date: Thu, 29 Sep 2016 16:02:10 +0200 (CEST)
`ares_create_query` single byte out of buffer write
=======
Project c-ares Security Advisory, September 29, 2016 -
[Permalink](https:/
VULNERABILITY
-------------
When a string is passed in to `ares_create_query` or `ares_mkquery` and uses
an escaped trailing dot, like "hello\.", c-ares calculates the string length
wrong and subsequently writes outside of the the allocated buffer with one
byte. The wrongly written byte is the least significant byte of the 'dnsclass'
argument; most commonly 1.
We have been seen proof of concept code showing how this can be exploited in a
real-world system, but we are not aware of any such instances having actually
happened in the wild.
INFO
----
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-5180 to this issue.
AFFECTED VERSIONS
-----------------
This flaw exists in the following c-ares versions.
- Affected versions: libcurl 1.0.0 to and including 1.11.0
- Not affected versions: c-ares >= 1.12.0
CVE References
Changed in c-ares (Debian): | |
status: | Unknown → Fix Released |
Changed in c-ares (Ubuntu Precise): | |
status: | New → Confirmed |
Changed in c-ares (Ubuntu Trusty): | |
status: | New → Confirmed |
Changed in c-ares (Ubuntu Xenial): | |
status: | New → Confirmed |
Changed in c-ares (Ubuntu Yakkety): | |
status: | New → Confirmed |
Changed in c-ares (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in c-ares (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in c-ares (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in c-ares (Ubuntu Yakkety): | |
importance: | Undecided → Medium |
Changed in c-ares (Ubuntu): | |
status: | Confirmed → Fix Released |
For Debian I provided the following updates: /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 839151# 23
https:/