diff --git a/SOURCES/0002-CVE-2023-32067.patch b/SOURCES/0002-CVE-2023-32067.patch new file mode 100644 index 0000000..7f08a12 --- /dev/null +++ b/SOURCES/0002-CVE-2023-32067.patch @@ -0,0 +1,86 @@ +From 7af6c0ef6354288f8a8240e5ca44a55ab4c6cf91 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Thu, 15 Jun 2023 18:04:50 +0200 +Subject: [PATCH] + https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae + +--- + ares_process.c | 41 ++++++++++++++++++++++++----------------- + 1 file changed, 24 insertions(+), 17 deletions(-) + +diff --git a/ares_process.c b/ares_process.c +index bbeca5e..ad7e862 100644 +--- a/ares_process.c ++++ b/ares_process.c +@@ -416,7 +416,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + { + struct server_state *server; + int i; +- ssize_t count; ++ ssize_t read_len; + unsigned char buf[MAXENDSSZ + 1]; + #ifdef HAVE_RECVFROM + ares_socklen_t fromlen; +@@ -459,36 +459,43 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + /* To reduce event loop overhead, read and process as many + * packets as we can. */ + do { +- if (server->udp_socket == ARES_SOCKET_BAD) +- count = 0; +- +- else { ++ if (server->udp_socket == ARES_SOCKET_BAD) { ++ read_len = -1; ++ } else { + #ifdef HAVE_RECVFROM +- if (server->addr.family == AF_INET) ++ if (server->addr.family == AF_INET) { + fromlen = sizeof(from.sa4); +- else ++ } else { + fromlen = sizeof(from.sa6); +- count = (ssize_t)recvfrom(server->udp_socket, (void *)buf, +- sizeof(buf), 0, &from.sa, &fromlen); ++ } ++ read_len = (ssize_t)recvfrom(server->udp_socket, (void *)buf, ++ sizeof(buf), 0, &from.sa, &fromlen); + #else +- count = sread(server->udp_socket, buf, sizeof(buf)); ++ read_len = sread(server->udp_socket, buf, sizeof(buf)); + #endif + } + +- if (count == -1 && try_again(SOCKERRNO)) ++ if (read_len == 0) { ++ /* UDP is connectionless, so result code of 0 is a 0-length UDP ++ * packet, and not an indication the connection is closed like on ++ * tcp */ + continue; +- else if (count <= 0) ++ } else if (read_len < 0) { ++ if (try_again(SOCKERRNO)) ++ continue; ++ + handle_error(channel, i, now); + #ifdef HAVE_RECVFROM +- else if (!same_address(&from.sa, &server->addr)) ++ } else if (!same_address(&from.sa, &server->addr)) { + /* The address the response comes from does not match the address we + * sent the request to. Someone may be attempting to perform a cache + * poisoning attack. */ +- break; ++ continue; + #endif +- else +- process_answer(channel, buf, (int)count, i, 0, now); +- } while (count > 0); ++ } else { ++ process_answer(channel, buf, (int)read_len, i, 0, now); ++ } ++ } while (read_len >= 0); + } + } + +-- +2.38.1 + diff --git a/SPECS/c-ares.spec b/SPECS/c-ares.spec index e149f4d..9429461 100644 --- a/SPECS/c-ares.spec +++ b/SPECS/c-ares.spec @@ -1,7 +1,7 @@ Summary: A library that performs asynchronous DNS operations Name: c-ares Version: 1.10.0 -Release: 3%{?dist} +Release: 3%{?dist}.1 License: MIT Group: System Environment/Libraries URL: http://c-ares.haxx.se/ @@ -10,6 +10,7 @@ Source0: http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz Source1: LICENSE Patch0: 0001-Use-RPM-compiler-options.patch Patch1: c-ares-1.10.0-multilib.patch +Patch2: 0002-CVE-2023-32067.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,6 +37,7 @@ compile applications or shared objects that use c-ares. %setup -q %patch0 -p1 -b .optflags %patch1 -p1 -b .multilib +%patch2 -p1 -b .udp cp %{SOURCE1} . f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f @@ -74,6 +76,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/ares_* %changelog +* Thu Jun 15 2023 Alexey Tikhonov - 1.10.0-3.1 +- Resolves: rhbz#2209503 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service [rhel-7.9.z] + * Fri Jan 24 2014 Daniel Mach - 1.10.0-3 - Mass rebuild 2014-01-24