#21403 closed enhancement (fixed)
c-ares-1.34.5
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New point version containing a security fix.
Change History (5)
comment:1 by , 10 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 10 months ago
comment:3 by , 10 months ago
| Priority: | elevated → high |
|---|---|
Security advisory:
CVE-2025-31498
Impact
Use after free() in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions; this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition.
Patches
Versions 1.32.3 - 1.34.4 are affected. Patch in 1.34.5.
Workarounds
None
References
c-ares started handling UDP write failures in 1.32.3 in PR #821 whereas they were previously ignored, thus uncovering this particular issue.
GitHub has rated it as 8.3/10 High, but I don't really agree with the rating. For consistency I will promote it to High though, since we generally take the word of upstream for security vulnerabilities.
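As an added illustration of the bug class the advisory describes, the C model below is not c-ares code and not the upstream patch: it shows a read loop that keeps draining a connection handle its callee may have closed, next to a hardened loop that stops as soon as the callee reports the handle gone. The `conn_t` struct, the `answer_status` enum, and the functions `process_answer`, `read_answers_vulnerable`, `read_answers_fixed`, `unsafe_touches` and `left_pending` are all hypothetical; the "vulnerable" variant counts touches of a closed handle instead of dereferencing freed memory, so it runs safely.

```c
/*
 * Illustrative model (not c-ares code) of the read_answers()/process_answer()
 * hazard described in CVE-2025-31498: a read loop keeps using a connection
 * handle that the callee may have closed. The vulnerable variant counts
 * touches of a closed handle instead of performing a real use-after-free, so
 * it runs safely; the hardened variant stops as soon as the callee reports
 * that the handle is gone. All names and the conn_t model are hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    bool alive;           /* false once the handle has been "closed" (freed in real code) */
    int  pending;         /* responses still queued on this connection */
    int  unsafe_touches;  /* accesses to the handle after close: a UAF in real code */
} conn_t;

typedef enum { ANSWER_OK, ANSWER_REQUEUED, ANSWER_CONN_CLOSED } answer_status;

/* Models process_answer(): the response may force the query back onto the
 * wire (DNS cookie failure, EDNS not supported). If that re-send fails, the
 * connection is closed before returning. */
static answer_status process_answer(conn_t *conn, bool requeue, bool send_fails)
{
    if (!requeue)
        return ANSWER_OK;
    if (send_fails) {
        conn->alive = false;         /* stands in for closing/freeing the handle */
        return ANSWER_CONN_CLOSED;
    }
    return ANSWER_REQUEUED;
}

/* Vulnerable shape: drains every queued response without asking whether the
 * callee closed the connection underneath it. */
static void read_answers_vulnerable(conn_t *conn, bool requeue, bool send_fails)
{
    while (conn->pending > 0) {
        if (!conn->alive)
            conn->unsafe_touches++;  /* in real code: dereferencing freed memory */
        conn->pending--;
        process_answer(conn, requeue, send_fails);
    }
}

/* Hardened shape: the callee's return value says whether the handle is still
 * valid, and the loop leaves it alone as soon as it is not. */
static void read_answers_fixed(conn_t *conn, bool requeue, bool send_fails)
{
    while (conn->pending > 0) {
        conn->pending--;
        if (process_answer(conn, requeue, send_fails) == ANSWER_CONN_CLOSED)
            return;                  /* handle is gone: do not dequeue further */
    }
}

/* Runs one constructed scenario and returns how many times a closed handle
 * was touched afterwards (zero is the only acceptable answer). */
int unsafe_touches(bool hardened, int pending, bool requeue, bool send_fails)
{
    conn_t conn = { true, pending, 0 };
    if (hardened)
        read_answers_fixed(&conn, requeue, send_fails);
    else
        read_answers_vulnerable(&conn, requeue, send_fails);
    return conn.unsafe_touches;
}

/* Same scenario, returning how many responses were left undrained: the fixed
 * loop gives them up on close, and a real fix must re-dispatch them elsewhere
 * rather than reading them through the dead handle. */
int left_pending(bool hardened, int pending, bool requeue, bool send_fails)
{
    conn_t conn = { true, pending, 0 };
    if (hardened)
        read_answers_fixed(&conn, requeue, send_fails);
    else
        read_answers_vulnerable(&conn, requeue, send_fails);
    return conn.pending;
}

int main(void)
{
    printf("vulnerable loop, re-send fails: %d touch(es) of a closed handle\n",
           unsafe_touches(false, 3, true, true));
    printf("hardened loop, re-send fails:   %d touch(es) of a closed handle\n",
           unsafe_touches(true, 3, true, true));
    return 0;
}
```

The point of the model is the contract between the two functions: once a callee can close (and in real code free) the handle the caller is iterating over, the caller needs an explicit signal and must not touch the handle again, including in its loop condition. That is the same hazard whether the re-send fails because an upstream resolver returned a cookie or EDNS condition or because a local fault makes send()/write() fail.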
comment:4 by , 10 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Release notes:
This is a security release.
Security:
CVE-2025-31498. A use-after-free bug has been uncovered in read_answers() that was introduced in v1.32.3. Please see GHSA-6hxc-62jh-p29v
Changes:
Restore Windows XP support. PR #958
Bugfixes:
A missing mutex initialization would make busy polling for configuration changes (platforms other than Windows, Linux, MacOS) eat too much CPU. PR #974
Pkgconfig may be generated wrong for static builds in relation to -pthread. PR #965
Localhost resolution can fail if only one address family is in /etc/hosts. PR #947