Subject: [SECURITY ADVISORY] c-ares NAPTR parser out of bounds access

[SECURITY ADVISORY] c-ares NAPTR parser out of bounds access

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 20 Jun 2017 08:09:39 +0200 (CEST)

c-ares NAPTR parser out of bounds access
========================================

Project c-ares Security Advisory, June 20, 2017 -
[Permalink](https://c-ares.haxx.se/adv_20170620.html)

VULNERABILITY
-------------

The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given input
buffer if the passed in DNS response packet was crafted in a particular way.

We are not aware of any exploits of this flaw.

INFO

----
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-1000381 to this issue.
AFFECTED VERSIONS
-----------------
This flaw exists in the following c-ares versions.
- Affected versions: c-ares 1.8.0 to and including 1.12.0
- Not affected versions: c-ares >= 1.13.0
THE SOLUTION
------------
In version 1.13.0, the `RR_len` value gets checked properly and the function
is also added to the fuzz testing. It was previously accidentally left out
from that.
A [patch for CVE-2017-1000381](https://c-ares.haxx.se/CVE-2017-1000381.patch)
is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade c-ares to version 1.13.0
  B - Apply the patch to your version and rebuild
  C - Do not use `ares_parse_naptr_reply()`.
TIME LINE
---------
It was reported to the c-ares project on May 20. We contacted distros_at_openall
on June 16.
c-ares 1.13.0 was released on June 20 2017, coordinated with the publication
of this advisory.
CREDITS
-------
Thanks to LCatro for the report and to David Drysdale for the fix.
-- 
  / daniel.haxx.se
Received on 2017-06-20