!51 fix CVE-2023-32067 CVE-2023-31130

From: @xinghe_1 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw
openeuler-ci-bot 2023-05-29 07:29:42 +00:00 committed by Gitee
commit 86188577d5
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 555 additions and 1 deletions


@ -0,0 +1,324 @@
From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001
From: Brad House <brad@brad-house.com>
Date: Mon, 22 May 2023 06:51:34 -0400
Subject: [PATCH] Merge pull request from GHSA-x6mf-cxr9-8q6v
* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares.
* Always use our own IP conversion functions now, do not delegate to OS
so we can have consistency in testing and fuzzing.
* Removed bogus test cases that never should have passed.
* Add new test case for crash bug found.
Fix By: Brad House (@bradh352)
---
src/lib/inet_net_pton.c | 155 ++++++++++++++++++++-----------------
test/ares-test-internal.cc | 7 +-
2 files changed, 86 insertions(+), 76 deletions(-)
diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c
index 840de50..fc50425 100644
--- a/src/lib/inet_net_pton.c
+++ b/src/lib/inet_net_pton.c
@@ -1,19 +1,20 @@
/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2012 by Gilles Chehade <gilles@openbsd.org>
* Copyright (c) 1996,1999 by Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
*/
#include "ares_setup.h"
@@ -35,9 +36,6 @@
const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } };
-
-#ifndef HAVE_INET_NET_PTON
-
/*
* static int
* inet_net_pton_ipv4(src, dst, size)
@@ -60,7 +58,7 @@ const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,
* Paul Vixie (ISC), June 1996
*/
static int
-inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size)
+ares_inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size)
{
static const char xdigits[] = "0123456789abcdef";
static const char digits[] = "0123456789";
@@ -261,19 +259,14 @@ getv4(const char *src, unsigned char *dst, int *bitsp)
}
static int
-inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
+ares_inet_pton6(const char *src, unsigned char *dst)
{
static const char xdigits_l[] = "0123456789abcdef",
- xdigits_u[] = "0123456789ABCDEF";
+ xdigits_u[] = "0123456789ABCDEF";
unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
const char *xdigits, *curtok;
- int ch, saw_xdigit;
+ int ch, saw_xdigit, count_xdigit;
unsigned int val;
- int digits;
- int bits;
- size_t bytes;
- int words;
- int ipv4;
memset((tp = tmp), '\0', NS_IN6ADDRSZ);
endp = tp + NS_IN6ADDRSZ;
@@ -283,22 +276,22 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
if (*++src != ':')
goto enoent;
curtok = src;
- saw_xdigit = 0;
+ saw_xdigit = count_xdigit = 0;
val = 0;
- digits = 0;
- bits = -1;
- ipv4 = 0;
while ((ch = *src++) != '\0') {
const char *pch;
if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
pch = strchr((xdigits = xdigits_u), ch);
if (pch != NULL) {
+ if (count_xdigit >= 4)
+ goto enoent;
val <<= 4;
- val |= aresx_sztoui(pch - xdigits);
- if (++digits > 4)
+ val |= (pch - xdigits);
+ if (val > 0xffff)
goto enoent;
saw_xdigit = 1;
+ count_xdigit++;
continue;
}
if (ch == ':') {
@@ -308,78 +301,107 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
goto enoent;
colonp = tp;
continue;
- } else if (*src == '\0')
+ } else if (*src == '\0') {
goto enoent;
+ }
if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (unsigned char)((val >> 8) & 0xff);
- *tp++ = (unsigned char)(val & 0xff);
+ goto enoent;
+ *tp++ = (unsigned char) (val >> 8) & 0xff;
+ *tp++ = (unsigned char) val & 0xff;
saw_xdigit = 0;
- digits = 0;
+ count_xdigit = 0;
val = 0;
continue;
}
if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- getv4(curtok, tp, &bits) > 0) {
- tp += NS_INADDRSZ;
+ ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) {
+ tp += INADDRSZ;
saw_xdigit = 0;
- ipv4 = 1;
+ count_xdigit = 0;
break; /* '\0' was seen by inet_pton4(). */
}
- if (ch == '/' && getbits(src, &bits) > 0)
- break;
goto enoent;
}
if (saw_xdigit) {
if (tp + NS_INT16SZ > endp)
goto enoent;
- *tp++ = (unsigned char)((val >> 8) & 0xff);
- *tp++ = (unsigned char)(val & 0xff);
+ *tp++ = (unsigned char) (val >> 8) & 0xff;
+ *tp++ = (unsigned char) val & 0xff;
}
- if (bits == -1)
- bits = 128;
-
- words = (bits + 15) / 16;
- if (words < 2)
- words = 2;
- if (ipv4)
- words = 8;
- endp = tmp + 2 * words;
-
if (colonp != NULL) {
/*
* Since some memmove()'s erroneously fail to handle
* overlapping regions, we'll do the shift by hand.
*/
- const ares_ssize_t n = tp - colonp;
- ares_ssize_t i;
+ const int n = tp - colonp;
+ int i;
if (tp == endp)
goto enoent;
for (i = 1; i <= n; i++) {
- *(endp - i) = *(colonp + n - i);
- *(colonp + n - i) = 0;
+ endp[- i] = colonp[n - i];
+ colonp[n - i] = 0;
}
tp = endp;
}
if (tp != endp)
goto enoent;
- bytes = (bits + 7) / 8;
- if (bytes > size)
- goto emsgsize;
- memcpy(dst, tmp, bytes);
- return (bits);
+ memcpy(dst, tmp, NS_IN6ADDRSZ);
+ return (1);
- enoent:
+enoent:
SET_ERRNO(ENOENT);
return (-1);
- emsgsize:
+emsgsize:
SET_ERRNO(EMSGSIZE);
return (-1);
}
+static int
+ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
+{
+ struct ares_in6_addr in6;
+ int ret;
+ int bits;
+ size_t bytes;
+ char buf[INET6_ADDRSTRLEN + sizeof("/128")];
+ char *sep;
+ const char *errstr;
+
+ if (strlen(src) >= sizeof buf) {
+ SET_ERRNO(EMSGSIZE);
+ return (-1);
+ }
+ strncpy(buf, src, sizeof buf);
+
+ sep = strchr(buf, '/');
+ if (sep != NULL)
+ *sep++ = '\0';
+
+ ret = ares_inet_pton6(buf, (unsigned char *)&in6);
+ if (ret != 1)
+ return (-1);
+
+ if (sep == NULL)
+ bits = 128;
+ else {
+ if (!getbits(sep, &bits)) {
+ SET_ERRNO(ENOENT);
+ return (-1);
+ }
+ }
+
+ bytes = (bits + 7) / 8;
+ if (bytes > size) {
+ SET_ERRNO(EMSGSIZE);
+ return (-1);
+ }
+ memcpy(dst, &in6, bytes);
+ return (bits);
+}
+
/*
* int
* inet_net_pton(af, src, dst, size)
@@ -403,18 +425,15 @@ ares_inet_net_pton(int af, const char *src, void *dst, size_t size)
{
switch (af) {
case AF_INET:
- return (inet_net_pton_ipv4(src, dst, size));
+ return (ares_inet_net_pton_ipv4(src, dst, size));
case AF_INET6:
- return (inet_net_pton_ipv6(src, dst, size));
+ return (ares_inet_net_pton_ipv6(src, dst, size));
default:
SET_ERRNO(EAFNOSUPPORT);
return (-1);
}
}
-#endif /* HAVE_INET_NET_PTON */
-
-#ifndef HAVE_INET_PTON
int ares_inet_pton(int af, const char *src, void *dst)
{
int result;
@@ -434,11 +453,3 @@ int ares_inet_pton(int af, const char *src, void *dst)
return 0;
return (result > -1 ? 1 : -1);
}
-#else /* HAVE_INET_PTON */
-int ares_inet_pton(int af, const char *src, void *dst)
-{
- /* just relay this to the underlying function */
- return inet_pton(af, src, dst);
-}
-
-#endif
diff --git a/test/ares-test-internal.cc b/test/ares-test-internal.cc
index 1cb7e42..40cc82b 100644
--- a/test/ares-test-internal.cc
+++ b/test/ares-test-internal.cc
@@ -123,6 +123,7 @@ TEST_F(LibraryTest, InetPtoN) {
EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "12:34::ff/0", &a6, sizeof(a6)));
EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "12:34::ffff:0.2", &a6, sizeof(a6)));
EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6)));
+ EXPECT_EQ(2, ares_inet_net_pton(AF_INET6, "0::00:00:00/2", &a6, sizeof(a6)));
// Various malformed versions
EXPECT_EQ(-1, ares_inet_net_pton(AF_INET, "", &a4, sizeof(a4)));
@@ -160,11 +161,9 @@ TEST_F(LibraryTest, InetPtoN) {
EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6)));
EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234:", &a6, sizeof(a6)));
EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678", &a6, sizeof(a6)));
- // TODO(drysdale): check whether the next two tests should give -1.
- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6)));
- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6)));
+ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6)));
+ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6)));
EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:257.2.3.4", &a6, sizeof(a6)));
- EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:002.2.3.4", &a6, sizeof(a6)));
EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5.6", &a6, sizeof(a6)));
EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5", &a6, sizeof(a6)));
EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.z", &a6, sizeof(a6)));
--
2.27.0
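Review bot: In the new `ares_inet_net_pton_ipv6()`, `memcpy(dst, &in6, bytes)` is bounded against the caller's `size` but not against `sizeof in6`, so the read stays inside the 16-byte local only because of whatever range check `getbits()` performs, and that body is not part of this patch. Since the commit message says this rewrite fixes a crash bug in this parser, I would make the invariant local by adding `if (bits < 0 || bits > 128) { SET_ERRNO(ENOENT); return (-1); }` before `bytes = (bits + 7) / 8;`. If the extra branch is unwanted, a comment on the `memcpy` such as `/* getbits() guarantees 0 <= bits <= 128, so bytes <= sizeof in6 */` would at least record the dependency for the next backport.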


@ -0,0 +1,27 @@
From 424012216c40c8498015b942353e9bb7267e929b Mon Sep 17 00:00:00 2001
From: bradh352 <brad@brad-house.com>
Date: Mon, 22 May 2023 06:57:23 -0400
Subject: [PATCH] windows build fix
---
src/lib/inet_net_pton.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c
index fc50425..d94a5f4 100644
--- a/src/lib/inet_net_pton.c
+++ b/src/lib/inet_net_pton.c
@@ -314,8 +314,8 @@ ares_inet_pton6(const char *src, unsigned char *dst)
continue;
}
if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) {
- tp += INADDRSZ;
+ ares_inet_net_pton_ipv4(curtok, tp, NS_INADDRSZ) > 0) {
+ tp += NS_INADDRSZ;
saw_xdigit = 0;
count_xdigit = 0;
break; /* '\0' was seen by inet_pton4(). */
--
2.27.0


@ -0,0 +1,111 @@
From fb79ae7bede940f0fef538472ff8a726df780f8f Mon Sep 17 00:00:00 2001
From: bradh352 <brad@brad-house.com>
Date: Mon, 22 May 2023 07:09:40 -0400
Subject: [PATCH] minor CI issues fixes for imported inet_net_pton
---
src/lib/inet_net_pton.c | 53 ++---------------------------------------
1 file changed, 2 insertions(+), 51 deletions(-)
diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c
index d94a5f4..7130f0f 100644
--- a/src/lib/inet_net_pton.c
+++ b/src/lib/inet_net_pton.c
@@ -214,49 +214,6 @@ getbits(const char *src, int *bitsp)
return (1);
}
-static int
-getv4(const char *src, unsigned char *dst, int *bitsp)
-{
- static const char digits[] = "0123456789";
- unsigned char *odst = dst;
- int n;
- unsigned int val;
- char ch;
-
- val = 0;
- n = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- pch = strchr(digits, ch);
- if (pch != NULL) {
- if (n++ != 0 && val == 0) /* no leading zeros */
- return (0);
- val *= 10;
- val += aresx_sztoui(pch - digits);
- if (val > 255) /* range */
- return (0);
- continue;
- }
- if (ch == '.' || ch == '/') {
- if (dst - odst > 3) /* too many octets? */
- return (0);
- *dst++ = (unsigned char)val;
- if (ch == '/')
- return (getbits(src, bitsp));
- val = 0;
- n = 0;
- continue;
- }
- return (0);
- }
- if (n == 0)
- return (0);
- if (dst - odst > 3) /* too many octets? */
- return (0);
- *dst = (unsigned char)val;
- return 1;
-}
static int
ares_inet_pton6(const char *src, unsigned char *dst)
@@ -287,7 +244,7 @@ ares_inet_pton6(const char *src, unsigned char *dst)
if (count_xdigit >= 4)
goto enoent;
val <<= 4;
- val |= (pch - xdigits);
+ val |= (unsigned int)(pch - xdigits);
if (val > 0xffff)
goto enoent;
saw_xdigit = 1;
@@ -317,7 +274,6 @@ ares_inet_pton6(const char *src, unsigned char *dst)
ares_inet_net_pton_ipv4(curtok, tp, NS_INADDRSZ) > 0) {
tp += NS_INADDRSZ;
saw_xdigit = 0;
- count_xdigit = 0;
break; /* '\0' was seen by inet_pton4(). */
}
goto enoent;
@@ -333,7 +289,7 @@ ares_inet_pton6(const char *src, unsigned char *dst)
* Since some memmove()'s erroneously fail to handle
* overlapping regions, we'll do the shift by hand.
*/
- const int n = tp - colonp;
+ const int n = (int)(tp - colonp);
int i;
if (tp == endp)
@@ -353,10 +309,6 @@ ares_inet_pton6(const char *src, unsigned char *dst)
enoent:
SET_ERRNO(ENOENT);
return (-1);
-
-emsgsize:
- SET_ERRNO(EMSGSIZE);
- return (-1);
}
static int
@@ -368,7 +320,6 @@ ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size)
size_t bytes;
char buf[INET6_ADDRSTRLEN + sizeof("/128")];
char *sep;
- const char *errstr;
if (strlen(src) >= sizeof buf) {
SET_ERRNO(EMSGSIZE);
--
2.27.0


@ -0,0 +1,82 @@
From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
From: Brad House <brad@brad-house.com>
Date: Mon, 22 May 2023 06:51:49 -0400
Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
---
src/lib/ares_process.c | 41 +++++++++++++++++++++++++----------------
1 file changed, 25 insertions(+), 16 deletions(-)
diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
index bf0cde4..6cac0a9 100644
--- a/src/lib/ares_process.c
+++ b/src/lib/ares_process.c
@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
{
struct server_state *server;
int i;
- ares_ssize_t count;
+ ares_ssize_t read_len;
unsigned char buf[MAXENDSSZ + 1];
#ifdef HAVE_RECVFROM
ares_socklen_t fromlen;
@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
/* To reduce event loop overhead, read and process as many
* packets as we can. */
do {
- if (server->udp_socket == ARES_SOCKET_BAD)
- count = 0;
-
- else {
- if (server->addr.family == AF_INET)
+ if (server->udp_socket == ARES_SOCKET_BAD) {
+ read_len = -1;
+ } else {
+ if (server->addr.family == AF_INET) {
fromlen = sizeof(from.sa4);
- else
+ } else {
fromlen = sizeof(from.sa6);
- count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
- sizeof(buf), 0, &from.sa, &fromlen);
+ }
+ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+ sizeof(buf), 0, &from.sa, &fromlen);
}
- if (count == -1 && try_again(SOCKERRNO))
+ if (read_len == 0) {
+ /* UDP is connectionless, so result code of 0 is a 0-length UDP
+ * packet, and not an indication the connection is closed like on
+ * tcp */
continue;
- else if (count <= 0)
+ } else if (read_len < 0) {
+ if (try_again(SOCKERRNO))
+ continue;
+
handle_error(channel, i, now);
+
#ifdef HAVE_RECVFROM
- else if (!same_address(&from.sa, &server->addr))
+ } else if (!same_address(&from.sa, &server->addr)) {
/* The address the response comes from does not match the address we
* sent the request to. Someone may be attempting to perform a cache
* poisoning attack. */
- break;
+ continue;
#endif
- else
- process_answer(channel, buf, (int)count, i, 0, now);
- } while (count > 0);
+
+ } else {
+ process_answer(channel, buf, (int)read_len, i, 0, now);
+ }
+ } while (read_len >= 0);
}
}
--
2.27.0
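Review bot: When `server->udp_socket == ARES_SOCKET_BAD` the new code sets `read_len = -1` without making a socket call, so the `read_len < 0` branch evaluates `try_again(SOCKERRNO)` on whatever error value an earlier call left behind. Depending on that stale value the loop either leaves quietly through `continue` (the `while (read_len >= 0)` test then fails) or calls `handle_error(channel, i, now)`, whereas the removed code set `count = 0` and always reached `handle_error`. I would handle the bad-socket case explicitly instead of routing it through the errno check, with `if (server->udp_socket == ARES_SOCKET_BAD) break;` if stopping is the intent, or a direct `handle_error(channel, i, now); break;` if the old behaviour should be kept. `read_udp_packets()` starts and ends outside this hunk, so which of the two the surrounding loop expects needs confirming against the full function.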


@ -1,6 +1,6 @@
Name: c-ares Name: c-ares
Version: 1.18.1 Version: 1.18.1
Release: 4 Release: 5
Summary: A C library for asynchronous DNS requests Summary: A C library for asynchronous DNS requests
License: MIT License: MIT
@ -12,6 +12,10 @@ BuildRequires: gcc autoconf automake libtool g++
Patch0: 0000-Use-RPM-compiler-options.patch Patch0: 0000-Use-RPM-compiler-options.patch
Patch1: backport-disable-live-tests.patch Patch1: backport-disable-live-tests.patch
Patch2: backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch Patch2: backport-add-str-len-check-in-config_sortlist-to-avoid-stack-overflow.patch
Patch3: backport-CVE-2023-32067.patch
Patch4: backport-001-CVE-2023-31130.patch
Patch5: backport-002-CVE-2023-31130.patch
Patch6: backport-003-CVE-2023-31130.patch
%description %description
This is c-ares, an asynchronous resolver library. It is intended for applications This is c-ares, an asynchronous resolver library. It is intended for applications
@ -61,6 +65,12 @@ cd ../
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Mon May 29 2023 xinghe <xinghe2@h-partners.com> - 1.18.1-5
- Type:CVE
- CVE:CVE-2023-32067 CVE-2023-31130
- SUG:restart
- DESC:fix CVE-2023-32067 CVE-2023-31130
* Fri Feb 10 2023 xignwei <xingwei14@h-partners.com> - 1.18.1-4 * Fri Feb 10 2023 xignwei <xingwei14@h-partners.com> - 1.18.1-4
- Type:cves - Type:cves
- CVE:CVE-2022-4904 - CVE:CVE-2022-4904