Opened 4 months ago

Closed 4 months ago

#15374 closed enhancement (fixed)

c-ares-1.17.2

Reported by: Douglas R. Reno Owned by: Bruce Dubbs
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Security release

Change History (3)

comment:1 by Douglas R. Reno, 4 months ago

CVE-2021-3672

Missing input validation on hostnames returned by DNS servers
=============================================================

Project c-ares Security Advisory, August 10, 2021 -
[Permalink](https://c-ares.haxx.se/adv_20210810.html)

VULNERABILITY
-------------

Missing input validation of host names returned by Domain Name Servers in
the c-ares library can lead to output of wrong hostnames (leading to Domain
Hijacking).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-3672 to this issue.


STEPS TO REPRODUCE
------------------

An example domain which has a cname including a zero byte:

```
$ adig cnamezero.test2.xdi-attack.net

Answers:
     cnamezero.test2.xdi-attack.net. 0 CNAME victim.test2.xdi-attack.net\000.test2.xdi-attack.net.
     victim.test2.xdi-attack.net\000.test2.xdi-attack.net. 0 A 141.12.174.88
```

When resolved via a vulnerable implementation, the CNAME alias and name of the
A record will seem to be `victim.test2.xdi-attack.net` instead of
`victim.test2.xdi-attack.net\000.test2.xdi-attack.net`, a totally different
domain.

This is a clear error in zero-byte handling and can potentially lead to
DNS-cache injections in case an application implements a cache based on the
library.


AFFECTED VERSIONS
-----------------

This flaw exists in the following c-ares versions.

- Affected versions: c-ares 1.0.0 to and including 1.17.1
- Not affected versions: c-ares >= 1.17.2


THE SOLUTION
------------

In version 1.17.2, the function has been corrected and a test case have been
added to verify.

A [patch for
CVE-2021-3672](https://github.com/c-ares/c-ares/compare/809d5e8..44c009b.patch)
is available.


RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade c-ares to version 1.17.2

  B - Apply the patch to your version and rebuild


TIME LINE
---------

It was reported to the c-ares project on June 11, 2021 by Philipp Jeitner and
Haya Shulman, Fraunhofer SIT.

c-ares 1.17.2 was released on August 10 2021, coordinated with the publication
of this advisory.


CREDITS
-------

Thanks to Philipp Jeitner and Haya Shulman, Fraunhofer SIT for the report.

-- 

 / daniel.haxx.se

comment:2 by Bruce Dubbs, 4 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:3 by Bruce Dubbs, 4 months ago

Resolution: fixed
Status: assignedclosed

Fixed at commit 6e1270bed03869c8f737801407127088000c2612

Package updates.
    Update to SDL2-2.0.16.
    Update to NetworkManager-1.32.8.
    Update to libjpeg-turbo-2.1.1.
    Update to c-ares-1.17.2.
Note: See TracTickets for help on using tickets.