Bug#992053: c-ares: diff for NMU version 1.17.1-1.1

2021-08-10 Thread Gregor Jasny
Hello,

Thank you for handling this issue so quickly. I'm travelling for the next
week and won't be able to work on anything Debian related.

If you feel comfortable, you could also upload the fixed package without
any delay.

Thanks,
Gregor


Bug#992053: c-ares: diff for NMU version 1.17.1-1.1

2021-08-10 Thread Salvatore Bonaccorso
Hi Gregor,

On Tue, Aug 10, 2021 at 09:38:07AM +0200, Gregor Jasny wrote:
> Hello,
> 
> Thank you for handling this issue so quickly. I'm travelling for the next
> week and won't be able to work on anything Debian related.
> 
> If you feel comfortable, you could also upload the fixed package without
> any delay.

Thanks for your quick response. For DSA 4954-1 I pushed both
buster-security (and the already operational bullseye-security
packages, in preparation of next weekend's release), so yes could do
then as well the NMU for unstable directly!

Thanks for acknowledging it.

Regards,
Salvatore



Bug#992053: c-ares: diff for NMU version 1.17.1-1.1

2021-08-10 Thread Salvatore Bonaccorso
Control: tags 992053 + patch
Control: tags 992053 + pending


Dear maintainer,

I've prepared an NMU for c-ares (versioned as 1.17.1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru c-ares-1.17.1/debian/changelog c-ares-1.17.1/debian/changelog
--- c-ares-1.17.1/debian/changelog	2020-11-19 18:57:27.0 +0100
+++ c-ares-1.17.1/debian/changelog	2021-08-07 11:43:50.0 +0200
@@ -1,3 +1,13 @@
+c-ares (1.17.1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Missing input validation on hostnames returned by DNS servers
+(CVE-2021-3672) (Closes: #992053)
+- ares_expand_name() should escape more characters
+- ares_expand_name(): fix formatting and handling of root name response
+
+ -- Salvatore Bonaccorso   Sat, 07 Aug 2021 11:43:50 +0200
+
 c-ares (1.17.1-1) unstable; urgency=medium
 
   * Imported Upstream version 1.17.1 (fixes CVE-2020-8277)
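Review bot: The first bullet of the new 1.17.1-1.1 entry ("Missing input validation on hostnames returned by DNS servers") states the vulnerability rather than the change that was made, so read on its own it does not say the problem is fixed. Consider wording it as a fix ("Fix missing input validation ...") and naming the two files added under debian/patches in the sub-items, so that the entry for CVE-2021-3672 maps directly to the patches a later auditor has to look at.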
diff -Nru c-ares-1.17.1/debian/patches/ares_expand_name-fix-formatting-and-handling-of-root.patch c-ares-1.17.1/debian/patches/ares_expand_name-fix-formatting-and-handling-of-root.patch
--- c-ares-1.17.1/debian/patches/ares_expand_name-fix-formatting-and-handling-of-root.patch	1970-01-01 01:00:00.0 +0100
+++ c-ares-1.17.1/debian/patches/ares_expand_name-fix-formatting-and-handling-of-root.patch	2021-08-07 11:43:50.0 +0200
@@ -0,0 +1,112 @@
+From: bradh352 
+Date: Fri, 11 Jun 2021 12:39:24 -0400
+Subject: [2/2] ares_expand_name(): fix formatting and handling of root name
+ response
+Origin: https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672
+
+Fixes issue introduced in prior commit with formatting and handling
+of parsing a root name response which should not be escaped.
+
+Fix By: Brad House
+---
+ src/lib/ares_expand_name.c | 62 --
+ 1 file changed, 40 insertions(+), 22 deletions(-)
+
+diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c
+index f1c874a97cfc..eb9268c1ff0a 100644
+--- a/src/lib/ares_expand_name.c
 b/src/lib/ares_expand_name.c
+@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf,
+ }
+   else
+ {
+-  len = *p;
++  int name_len = *p;
++  len = name_len;
+   p++;
++
+   while (len--)
+ {
+-  if (!isprint(*p)) {
+-/* Output as \DDD for consistency with RFC1035 5.1 */
+-*q++ = '\\';
+-*q++ = '0' + *p / 100;
+-*q++ = '0' + (*p % 100) / 10;
+-*q++ = '0' + (*p % 10);
+-  } else if (is_reservedch(*p)) {
+-*q++ = '\\';
+-*q++ = *p;
+-  } else {
+-*q++ = *p;
+-  }
++  /* Output as \DDD for consistency with RFC1035 5.1, except
++   * for the special case of a root name response  */
++  if (!isprint(*p) && !(name_len == 1 && *p == 0))
++{
++
++  *q++ = '\\';
++  *q++ = '0' + *p / 100;
++  *q++ = '0' + (*p % 100) / 10;
++  *q++ = '0' + (*p % 10);
++}
++  else if (is_reservedch(*p))
++{
++  *q++ = '\\';
++  *q++ = *p;
++}
++  else
++{
++  *q++ = *p;
++}
+   p++;
+ }
+   *q++ = '.';
+ }
+-}
++ }
++
+   if (!indir)
+ *enclen = aresx_uztosl(p + 1U - encoded);
+ 
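Review bot: In the rewritten `while (len--)` loop, the new exception `!(name_len == 1 && *p == 0)` means that a one-byte label holding 0x00 is no longer written as `\000`; it reaches one of the two remaining branches, both of which execute `*q++ = *p`, so a literal NUL byte is stored in the output before the `'.'`. Any caller that treats the expanded name as a C string will see it end at that byte. The comment only says "except for the special case of a root name response"; it should state that a raw NUL in the output is intended and why that is safe for callers. Separately, this hunk mixes the brace-style reformatting with the one functional change, which makes the security-relevant line harder to pick out in review; splitting the two would help.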
+@@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf,
+ }
+   else if (top == 0x00)
+ {
+-  offset = *encoded;
++  int name_len = *encoded;
++  offset = name_len;
+   if (encoded + offset + 1 >= abuf + alen)
+ return -1;
+   encoded++;
++
+   while (offset--)
+ {
+-  if (!isprint(*encoded)) {
+-n += 4;
+-  } else if (is_reservedch(*encoded)) {
+-n += 2;
+-  } else {
+-n += 1;
+-  }
++  if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0))
++{
++  n += 4;
++}
++  else if (is_reservedch(*encoded))
++{
++  n += 2;
++}
++  else
++{
++  n += 1;
++}
+   encoded++;
+ }
++
+   n++;
+ }
+   else
+-- 
+2.32.0
+
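Review bot: In name_length(), the test `!isprint(*encoded) && !(name_len == 1 && *encoded == 0)` is a hand-copied duplicate of the condition added in ares_expand_name(), and the `n += 4` / `n += 2` / `n += 1` counts here have to match, byte for byte, what that function later writes. If the two copies ever diverge, the computed length no longer matches the number of bytes written. Suggest moving the predicate into one small static helper used by both functions, and adding the same explanatory comment here, since this copy of the exception currently has none.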
diff -Nru c-ares-1.17.1/debian/patches/ares_expand_name-should-escape-more-characters.patch