group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #09308
[Bug 1629085] Re: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery
This bug was fixed in the package c-ares - 1.7.5-1ubuntu0.1
---------------
c-ares (1.7.5-1ubuntu0.1) precise-security; urgency=medium
* SECURITY UPDATE: denial of service and possible execution via hostname
with an escaped trailing dot (LP: #1629085)
- debian/patches/CVE-2016-5180.patch: properly handle escaped dot in
ares_mkquery.c.
- CVE-2016-5180
-- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx> Thu, 06 Oct 2016
10:23:45 -0400
** Changed in: c-ares (Ubuntu Precise)
Status: Confirmed => Fix Released
** Changed in: c-ares (Ubuntu Trusty)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1629085
Title:
CVE-2016-5180: out-of-bounds write in ares_create_query and
ares_mkquery
Status in c-ares package in Ubuntu:
Confirmed
Status in c-ares source package in Precise:
Fix Released
Status in c-ares source package in Trusty:
Fix Released
Status in c-ares source package in Xenial:
Fix Released
Status in c-ares source package in Yakkety:
Fix Released
Status in c-ares package in Debian:
Fix Released
Bug description:
A new upstream version of c-ares has been released which addresses a
security vulnerability.
From: Daniel Stenberg <daniel@xxxxxxx>
Date: Thu, 29 Sep 2016 16:02:10 +0200 (CEST)
`ares_create_query` single byte out of buffer write
=================================================
Project c-ares Security Advisory, September 29, 2016 -
[Permalink](https://c-ares.haxx.se/adv_20160929.html)
VULNERABILITY
-------------
When a string is passed in to `ares_create_query` or `ares_mkquery` and uses
an escaped trailing dot, like "hello\.", c-ares calculates the string length
wrong and subsequently writes outside of the the allocated buffer with one
byte. The wrongly written byte is the least significant byte of the 'dnsclass'
argument; most commonly 1.
We have been seen proof of concept code showing how this can be exploited in a
real-world system, but we are not aware of any such instances having actually
happened in the wild.
INFO
----
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-5180 to this issue.
AFFECTED VERSIONS
-----------------
This flaw exists in the following c-ares versions.
- Affected versions: libcurl 1.0.0 to and including 1.11.0
- Not affected versions: c-ares >= 1.12.0
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/c-ares/+bug/1629085/+subscriptions