fix CVE-2020-8277
(cherry picked from commit 011e521b3701c7b73ac02a7278e877c50eafbf39)
parent
6d6556ba04
commit
79f5320e52
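--- a/CVE-2020-8277.patch
+++ b/CVE-2020-8277.patch
@@ -0,0 +1,53 @@
+From 0d252eb3b2147179296a3bdb4ef97883c97c54d3 Mon Sep 17 00:00:00 2001
+From: bradh352 <brad@brad-house.com>
+Date: Thu, 12 Nov 2020 10:24:40 -0500
+Subject: [PATCH] ares_parse_{a,aaaa}_reply could return larger *naddrttls than
+passed in
+
+If there are more ttls returned than the maximum provided by the requestor, then
+the *naddrttls response would be larger than the actual number of elements in
+the addrttls array.
+
+This bug could lead to invalid memory accesses in applications using c-ares.
+
+This behavior appeared to break with PR #257
+
+Fixes: #371
+Reported By: Momtchil Momtchev (@mmomtchev)
+Fix By: Brad House (@bradh352)
+---
+ares_parse_a_reply.c | 3 ++-
+ares_parse_aaaa_reply.c | 3 ++-
+2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ares_parse_a_reply.c b/ares_parse_a_reply.c
+index d8a9e9b..e71c993 100644
+--- a/ares_parse_a_reply.c
++++ b/ares_parse_a_reply.c
+@@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
+
+if (naddrttls)
+{
+- *naddrttls = naddrs;
++ /* Truncated to at most *naddrttls entries */
++ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
+}
+
+ares__freeaddrinfo_cnames(ai.cnames);
+diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c
+index 0d39bfa..346d430 100644
+--- a/ares_parse_aaaa_reply.c
++++ b/ares_parse_aaaa_reply.c
+@@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
+
+if (naddrttls)
+{
+- *naddrttls = naddrs;
++ /* Truncated to at most *naddrttls entries */
++ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
+}
+
+ares__freeaddrinfo_cnames(ai.cnames);
+--
+1.8.3.1
+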
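Review bot: The added comment `/* Truncated to at most *naddrttls entries */` does not say that `*naddrttls` is an in/out value, which is the contract this fix restores in `ares_parse_a_reply` and, identically, in `ares_parse_aaaa_reply`. Going by the patch description, it holds the capacity of the caller's `addrttls` array on entry and the number of entries reported on return, so I would word it as `/* in: capacity of addrttls[]; out: entries reported, never more than that capacity */`. The clamp only corrects the reported count; both function bodies start and end outside the hunks, so it should be confirmed that the loop filling `addrttls` is bounded by the same incoming value. A negative incoming `*naddrttls` would also pass through the ternary unchanged (assuming `naddrs` is a non-negative count), which deserves either a guard or a documented precondition.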
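--- a/c-ares.spec
+++ b/c-ares.spec
@@ -1,6 +1,6 @@
 Name: c-ares
 Version: 1.16.1
-Release: 1
+Release: 3
 Summary: A C library for asynchronous DNS requests
 
 License: MIT
@@ -13,6 +13,7 @@ Patch0: 0000-Use-RPM-compiler-options.patch
 Patch1: 0001-Fix-invalid-read-in-ares_parse_soa_reply.patch
 Patch2: 0002-Fix-sizeof-sizeof-addr.saX-sizeof-addr.saX-in-readad.patch
 Patch3: 0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
+Patch4: CVE-2020-8277.patch
 %description
 This is c-ares, an asynchronous resolver library. It is intended for applications
 which need to perform DNS queries without blocking, or need to perform multiple
@@ -55,6 +56,15 @@ make %{?_smp_mflags}
 %{_mandir}/man3/*
 
 %changelog
+* Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1.16.1-3
+- fix CVE-2020-8277
+
+* Tue Sep 8 2020 lunankun <lunankun@huawei.com> - 1.16.1-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix source0 url
+
 * Tue Aug 25 2020 gaihuiying <gaihuiying1@huawei.com> - 1.16.1-1
 - Type:requirement
 - ID:NA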