ALT-PU-2024-18019-1

Package update c-ares in branch c10f2

Version1.34.1-alt1

Published2024-10-21

Max severityMEDIUM

Severity:

Closed issues (2)

MEDIUM4.4

Уязвимость функции ares__read_line библиотеки асинхронных DNS-запросов C-ares, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-03-04Modified: 2026-05-06

CVSS 3.xMEDIUM 4.4

CVSS:3.x/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:L/AC:L/Au:M/C:N/I:N/A:C

References

CVE-2024-25629

MEDIUM5.5

c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.

Published: 2024-02-23Modified: 2025-02-05

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References