Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

c-ares: Heap-based buffer overflow — GLSA 201701-28

A heap-based buffer overflow in c-ares might allow remote attackers to cause a Denial of Service condition.

Affected packages

Package net-dns/c-ares on all architectures
Affected versions < 1.12.0
Unaffected versions >= 1.12.0

Background

c-ares is a C library for asynchronous DNS requests (including name resolves).

Description

A hostname with an escaped trailing dot (such as “hello\.”) would have its size calculated incorrectly leading to a single byte written beyond the end of a buffer on the heap.

Impact

A remote attacker, able to provide a specially crafted hostname to an application using c-ares, could potentially cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All c-ares users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.12.0"

References

Release date
January 11, 2017

Latest revision
January 11, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries