
[security] ares_parse_a_reply out-of-bounds read (CVE-2017-9454)


reSIProcate Security Advisory, August 6th, 2017

VULNERABILITY

When using the embedded version of the ares library (a C library for
asynchronous DNS requests), a maliciously crafted DNS response could
cause an out-of-bounds read within the ares_parse_a_reply function.
The read occurs because the function is missing a check on the length
of the input it parses.
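The advisory names the cause, a missing input length check, but does not show the code. As an added illustration that is not the project's or c-ares's code and not the linked patch, here is a minimal A-record reply parser in C in which every field read is bounded by the buffer length, with a constructed sample response, so that a truncated reply or an RDLENGTH larger than the remaining data is rejected instead of being read past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sample: 43-byte response for "a.example" IN A -> 192.0.2.1;
   the answer's name is a compression pointer back to offset 12. */
static const uint8_t sample_reply[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,              /* header   */
    1, 'a', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0, 0, 1, 0, 1,  /* question */
    0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 0x3C, 0, 4, 192, 0, 2, 1    /* answer   */
};

/* Advance past a DNS name (labels or a compression pointer); 0 if it runs past len. */
static size_t skip_name(const uint8_t *buf, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = buf[off];
        if (l == 0) return off + 1;
        if ((l & 0xC0) == 0xC0) return (len - off >= 2) ? off + 2 : 0;
        off += 1 + l;                     /* length byte plus label bytes */
    }
    return 0;                             /* ran off the end of the buffer */
}

/* Return the first A record's address packed big-endian (192.0.2.1 ->
   0xC0000201), or -1 if the reply is malformed or truncated. Every field
   read is preceded by a check that it lies inside [buf, buf + len). */
int64_t parse_a_reply(const uint8_t *buf, size_t len) {
    if (len < 12) return -1;                                  /* header */
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    uint16_t ancount = (uint16_t)((buf[6] << 8) | buf[7]);
    size_t off = 12;
    for (uint16_t i = 0; i < qdcount; i++) {                  /* questions */
        off = skip_name(buf, len, off);
        if (off == 0 || len - off < 4) return -1;             /* QTYPE, QCLASS */
        off += 4;
    }
    for (uint16_t i = 0; i < ancount; i++) {                  /* answers */
        off = skip_name(buf, len, off);
        if (off == 0 || len - off < 10) return -1;  /* TYPE, CLASS, TTL, RDLENGTH */
        uint16_t type  = (uint16_t)((buf[off]     << 8) | buf[off + 1]);
        uint16_t rdlen = (uint16_t)((buf[off + 8] << 8) | buf[off + 9]);
        off += 10;
        if (rdlen > len - off) return -1;     /* RDATA must fit: the length check */
        if (type == 1 && rdlen == 4)
            return ((int64_t)buf[off] << 24) | (buf[off + 1] << 16) |
                   (buf[off + 2] << 8) | buf[off + 3];
        off += rdlen;
    }
    return -1;                                /* no A record among the answers */
}
```

Passing the same buffer with a shorter length simulates a reply cut off mid-record; the parser returns -1 at the first field that would fall outside the buffer rather than reading it.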

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2017-9454 to this issue.

ReSIProcate supports two different asynchronous name resolvers: an
embedded copy of the ares library or the externally provided c-ares
library.  The embedded copy is used by default unless the user
explicitly selects the external c-ares library with the configure
argument --with-c-ares.

AFFECTED VERSIONS

This flaw exists in all reSIProcate releases up to and including 1.10.2.

THE SOLUTION

In the upcoming release 1.12.0, the function will be corrected.

A patch for CVE-2017-9454 is available here:
https://github.com/resiprocate/resiprocate/commit/d67a9ca6fd06ca65d23e313bdbad1ef4dd3aa0df

TIME LINE

The issue was detected on July 6th, 2017 by Gregor Jasny using LLVM's
libFuzzer.

A patch was made available and merged to the master branch on July 26th,
2017.