fix CVE-2024-25629

Signed-off-by: lwg <liweiganga@uniontech.com>

backport-CVE-2024-25629.patch

@@ -0,0 +1,30 @@
+From a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001
+From: Brad House <brad@brad-house.com>
+Date: Thu, 22 Feb 2024 16:23:33 -0500
+Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q
+
+---
+ src/lib/ares__read_line.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index d65ac1fcf..018f55e8b 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+       if (!fgets(*buf + offset, bytestoread, fp))
+         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+       len = offset + strlen(*buf + offset);
++
++      /* Probably means there was an embedded NULL as the first character in
++       * the line, throw away line */
++      if (len == 0) {
++        offset = 0;
++        continue;
++      }
++
+       if ((*buf)[len - 1] == '\n')
+         {
+           (*buf)[len - 1] = 0;
+-- 
+2.20.1

c-ares.spec

@@ -1,6 +1,6 @@
 Name:           c-ares
 Version:        1.19.1
-Release:        1
+Release:        2
 Summary:        A C library for asynchronous DNS requests
 
 License:        MIT
@@ -11,6 +11,7 @@ BuildRequires:  gcc autoconf automake libtool g++
 # Patch0 from Redhat is applied for stopping overriding AC_CONFIG_MACRO_DIR
 Patch0:         0000-Use-RPM-compiler-options.patch
 Patch1:         backport-disable-live-tests.patch
+Patch2:         backport-CVE-2024-25629.patch
 
 %description
 This is c-ares, an asynchronous resolver library. It is intended for applications
@@ -60,6 +61,12 @@ cd ../
 %{_mandir}/man3/*
 
 %changelog
+* Tue Feb 27 2024 liweigang <izmirvii@gmail.com> - 1.19.1-2
+- Type: CVE
+- CVE: CVE-2024-25629
+- SUG: NA
+- DESC: fix CVE-2024-25629
+
 * Tue Jul 25 2023 xinghe <xinghe2@h-partners.com> - 1.19.1-1
 - Type:requirements
 - ID:NA