!13 [sync] PR-12: fix CVE-2020-8277

From: @openeuler-sync-bot
Reviewed-by: @zengwefeng
Signed-off-by: @zengwefeng
openeuler-ci-bot 2021-03-19 09:49:21 +08:00 committed by Gitee
commit 7a2b18ab7a
2 changed files with 58 additions and 1 deletions

CVE-2020-8277.patch Normal file

@ -0,0 +1,53 @@
From 0d252eb3b2147179296a3bdb4ef97883c97c54d3 Mon Sep 17 00:00:00 2001
From: bradh352 <brad@brad-house.com>
Date: Thu, 12 Nov 2020 10:24:40 -0500
Subject: [PATCH] ares_parse_{a,aaaa}_reply could return larger *naddrttls than
passed in
If there are more ttls returned than the maximum provided by the requestor, then
the *naddrttls response would be larger than the actual number of elements in
the addrttls array.
This bug could lead to invalid memory accesses in applications using c-ares.
This behavior appeared to break with PR #257
Fixes: #371
Reported By: Momtchil Momtchev (@mmomtchev)
Fix By: Brad House (@bradh352)
---
ares_parse_a_reply.c | 3 ++-
ares_parse_aaaa_reply.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ares_parse_a_reply.c b/ares_parse_a_reply.c
index d8a9e9b..e71c993 100644
--- a/ares_parse_a_reply.c
+++ b/ares_parse_a_reply.c
@@ -197,7 +197,8 @@ int ares_parse_a_reply(const unsigned char *abuf, int alen,
if (naddrttls)
{
- *naddrttls = naddrs;
+ /* Truncated to at most *naddrttls entries */
+ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
}
ares__freeaddrinfo_cnames(ai.cnames);
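Review bot: The clamp in `*naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;` treats whatever `*naddrttls` holds at this point as the caller's array capacity, and nothing in the hunk shows that the value is unchanged since function entry or that it is a sane, non-negative count. Consider saving the capacity in a local at the top of ares_parse_a_reply() and clamping against that local, and add a regression test with a reply that carries more A records than the caller's addrttls array holds, asserting that the returned count never exceeds the capacity passed in.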
diff --git a/ares_parse_aaaa_reply.c b/ares_parse_aaaa_reply.c
index 0d39bfa..346d430 100644
--- a/ares_parse_aaaa_reply.c
+++ b/ares_parse_aaaa_reply.c
@@ -200,7 +200,8 @@ int ares_parse_aaaa_reply(const unsigned char *abuf, int alen,
if (naddrttls)
{
- *naddrttls = naddrs;
+ /* Truncated to at most *naddrttls entries */
+ *naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;
}
ares__freeaddrinfo_cnames(ai.cnames);
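Review bot: The ternary `*naddrttls = (naddrs > *naddrttls)?*naddrttls:naddrs;` is duplicated verbatim from ares_parse_a_reply.c, so a later correction to one parser can easily miss the other; a small shared helper for the bounded count would keep the A and AAAA paths in step. The comment "Truncated to at most *naddrttls entries" should also say that it means the caller's value on input, since the same line overwrites `*naddrttls`. The AAAA path needs its own over-capacity regression test rather than relying on the A test.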
--
1.8.3.1

@ -1,6 +1,6 @@
Name: c-ares Name: c-ares
Version: 1.16.1 Version: 1.16.1
Release: 1 Release: 2
Summary: A C library for asynchronous DNS requests Summary: A C library for asynchronous DNS requests
License: MIT License: MIT
@ -13,6 +13,7 @@ Patch0: 0000-Use-RPM-compiler-options.patch
Patch1: 0001-Fix-invalid-read-in-ares_parse_soa_reply.patch Patch1: 0001-Fix-invalid-read-in-ares_parse_soa_reply.patch
Patch2: 0002-Fix-sizeof-sizeof-addr.saX-sizeof-addr.saX-in-readad.patch Patch2: 0002-Fix-sizeof-sizeof-addr.saX-sizeof-addr.saX-in-readad.patch
Patch3: 0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch Patch3: 0003-Avoid-buffer-overflow-in-RC4-loop-comparison-336.patch
Patch4: CVE-2020-8277.patch
%description %description
This is c-ares, an asynchronous resolver library. It is intended for applications This is c-ares, an asynchronous resolver library. It is intended for applications
which need to perform DNS queries without blocking, or need to perform multiple which need to perform DNS queries without blocking, or need to perform multiple
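Review bot: `Patch4: CVE-2020-8277.patch` only declares the patch; this hunk adds no matching `%patch4` line, so the fix reaches the build only if %prep applies patches automatically (for example through %autosetup). Please confirm that in %prep or add the explicit apply step, and check the build log to see that the patch is applied. The file name also departs from the numbered `0001-` to `0003-` scheme used by Patch1 through Patch3; a numbered name would keep the apply order obvious.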
@ -55,6 +56,9 @@ make %{?_smp_mflags}
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1.16.1-2
- fix CVE-2020-8277
* Tue Aug 25 2020 gaihuiying <gaihuiying1@huawei.com> - 1.16.1-1 * Tue Aug 25 2020 gaihuiying <gaihuiying1@huawei.com> - 1.16.1-1
- Type:requirement - Type:requirement
- ID:NA - ID:NA
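Review bot: The new changelog entry `- fix CVE-2020-8277` does not use the `Type:` and `ID:` fields that the 1.16.1-1 entry below it carries. Recording the CVE in those fields (a CVE type and the CVE number as the ID) would keep the changelog consistent and make it possible to search the package history for the fix by identifier.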