c-ares NAPTR parser out of bounds access ========================================
Project c-ares Security Advisory, June 20, 2017 - [Permalink](https://c-ares.haxx.se/adv_20170620.html) VULNERABILITY ------------- The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. We are not aware of any exploits of this flaw. INFO ---- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2017-1000381 to this issue. AFFECTED VERSIONS ----------------- This flaw exists in the following c-ares versions. - Affected versions: c-ares 1.8.0 to and including 1.12.0 - Not affected versions: c-ares >= 1.13.0 THE SOLUTION ------------ In version 1.13.0, the `RR_len` value gets checked properly and the function is also added to the fuzz testing. It was previously accidentally left out from that. A [patch for CVE-2017-1000381](https://c-ares.haxx.se/CVE-2017-1000381.patch) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade c-ares to version 1.13.0 B - Apply the patch to your version and rebuild C - Do not use `ares_parse_naptr_reply()`. TIME LINE --------- It was reported to the c-ares project on May 20. We contacted distros@openall on June 16. c-ares 1.13.0 was released on June 20 2017, coordinated with the publication of this advisory. CREDITS ------- Thanks to LCatro for the report and to David Drysdale for the fix. -- / daniel.haxx.se
