From 0cd11bc174a2e3a7d385746687ca12bbe8a72e215343453e3488037217490722 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Wed, 8 Sep 2021 14:10:21 +0000
Subject: [PATCH] - 5c995d5.patch: augment input validation on hostnames to allow _ as part of DNS response (bsc#1190225)
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/c-ares?expand=0&rev=41
---
 5c995d5.patch | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
 c-ares.changes | 6 ++++++
 c-ares.spec | 1 +
 3 files changed, 58 insertions(+)
 create mode 100644 5c995d5.patch
diff --git a/5c995d5.patch b/5c995d5.patch
new file mode 100644
index 0000000..32fc2bb
--- /dev/null
+++ b/5c995d5.patch
@@ -0,0 +1,51 @@
+From 5c995d50b05a2c374ae021012afa6f8f4cf2957e Mon Sep 17 00:00:00 2001
+From: bradh352
+Date: Wed, 8 Sep 2021 07:38:44 -0400
+Subject: [PATCH] ares_expand_name should allow underscores (_) as SRV records
+ legitimately use them
+
+c-ares 1.17.2 introduced response validation to prevent a security issue, however
+it did not have (_) listed as a valid character for domain name responses which
+caused issues when a CNAME referenced a SRV record which contained underscores.
+
+While RFC2181 section 11 does explicitly state not to do validation, that applies
+to servers not clients.
+
+Fixes: #424
+Fix By: Brad House (@bradh352)
+---
+ src/lib/ares_expand_name.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c
+index a62c982e..db262ab4 100644
+--- a/src/lib/ares_expand_name.c
++++ b/src/lib/ares_expand_name.c
+@@ -59,10 +59,16 @@ static int ares__isprint(int ch)
+ return 0;
+ }
+
+-/* Character set allowed by hostnames */
++/* Character set allowed by hostnames. This is to include the normal
++ * domain name character set plus underscores which are used in SRV
++ * records. While RFC 2181 section 11 does state not to do validation,
++ * that applies to servers, not clients. Vulnerabilities have been
++ * reported when this validation is not performed. Security is more
++ * important than edge-case compatibility (which is probably invalid
++ * anyhow). */
+ static int is_hostnamech(int ch)
+ {
+- /* [A-Za-z0-9-.]
++ /* [A-Za-z0-9-._]
+ * Don't use isalnum() as it is locale-specific
+ */
+ if (ch >= 'A' && ch <= 'Z')
+@@ -71,7 +77,7 @@ static int is_hostnamech(int ch)
+ return 1;
+ if (ch >= '0' && ch <= '9')
+ return 1;
+- if (ch == '-' || ch == '.')
++ if (ch == '-' || ch == '.' || ch == '_')
+ return 1;
+
+ return 0;
diff --git a/c-ares.changes b/c-ares.changes
index 2cd86bf..061c038 100644
--- a/c-ares.changes
+++ b/c-ares.changes
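Review bot: The carried patch widens `is_hostnamech()` to accept `_` but ships no regression test; its own diffstat lists only `src/lib/ares_expand_name.c`. Because this function is the filter that rejects unexpected bytes in names taken from DNS responses, a test should pin both sides of the change: a name such as `_sip._tcp.example.com` (constructed example) expands successfully, and a name containing a space or control byte is still rejected. The character-class comment would also read less ambiguously as `/* [A-Za-z0-9._-]`, since `9-.` in the current form looks like a range. The body of `is_hostnamech()` is split across two nested hunks, so its lowercase check and closing brace are not visible here.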
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 8 14:07:34 UTC 2021 - Adam Majer
+
+- 5c995d5.patch: augment input validation on hostnames to allow _
+ as part of DNS response (bsc#1190225)
+
 -------------------------------------------------------------------
 Thu Aug 12 13:59:07 UTC 2021 - Adam Majer
diff --git a/c-ares.spec b/c-ares.spec
index 0ad16f1..9811887 100644
--- a/c-ares.spec
+++ b/c-ares.spec
@@ -56,6 +56,7 @@ Source6: c-ares-config.cmake.in
 Source7: ares_dns.h
 Patch0: 0001-Use-RPM-compiler-options.patch
 Patch1: disable-live-tests.patch
+Patch2: https://github.com/c-ares/c-ares/commit/5c995d5.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
 %if %{with tests}
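Review bot: `Patch2:` is only declared in this hunk, and the diffstat shows it is the sole line added to c-ares.spec, so nothing in `%prep` was changed to apply it. If `%prep` (outside this hunk) uses `%autosetup -p1` or `%autopatch -p1`, the patch is picked up automatically. If it applies patches one by one (`%patch0 -p1`, `%patch1 -p1`), a matching `%patch2 -p1` line is needed, otherwise the package builds without the hostname-validation change while the changelog says it is included. Confirming in the build log that the patch is applied would settle it.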