c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular 0::00:00:00/2 was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
Weakness
The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| C-ares | C-ares_project | * | 1.19.1 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:16-8080020230608150024.63b34585 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:18-8080020230607122508.63b34585 | * |
| Red Hat Enterprise Linux 8 | RedHat | c-ares-0:1.13.0-9.el8_9.1 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | nodejs:16-8060020230620060944.ad008a3a | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | c-ares-0:1.13.0-6.el8_6.2 | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | c-ares-0:1.13.0-6.el8_8.3 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:18-9020020230531092345.rhel9 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs-1:16.19.1-2.el9_2 | * |
| Red Hat Enterprise Linux 9 | RedHat | c-ares-0:1.19.1-1.el9 | * |
| Red Hat Enterprise Linux 9 | RedHat | c-ares-0:1.19.1-1.el9 | * |
| Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | nodejs-1:16.18.1-4.el9_0 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs14-nodejs-0:14.21.3-4.el7 | * |
| C-ares | Ubuntu | bionic | * |
| C-ares | Ubuntu | esm-infra/bionic | * |
| C-ares | Ubuntu | esm-infra/focal | * |
| C-ares | Ubuntu | esm-infra/xenial | * |
| C-ares | Ubuntu | focal | * |
| C-ares | Ubuntu | jammy | * |
| C-ares | Ubuntu | kinetic | * |
| C-ares | Ubuntu | lunar | * |
| C-ares | Ubuntu | trusty | * |
| C-ares | Ubuntu | upstream | * |
| C-ares | Ubuntu | xenial | * |
Potential Mitigations
References
- https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
- https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
- https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/
- https://security.gentoo.org/glsa/202310-09
- https://security.netapp.com/advisory/ntap-20240605-0005/
- https://www.debian.org/security/2023/dsa-5419
- https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
- https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
- https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/
- https://security.gentoo.org/glsa/202310-09
- https://security.netapp.com/advisory/ntap-20240605-0005/
- https://www.debian.org/security/2023/dsa-5419