rpm/c-ares
SHA256
1
0
Fork 0
forked from pool/c-ares
Code Pull Requests Activity

- 5c995d5.patch: augment input validation on hostnames to allow _

Browse Source 
as part of DNS response (bsc#1190225)

OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/c-ares?expand=0&rev=41
This commit is contained in:
Adam Majer 2021-09-08 14:10:21 +00:00 committed by Git OBS Bridge
parent 71c6809b66
commit 0cd11bc174
3 changed files with 58 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
5c995d5.patch Normal file
View File

@ -0,0 +1,51 @@
From 5c995d50b05a2c374ae021012afa6f8f4cf2957e Mon Sep 17 00:00:00 2001
From: bradh352 <brad@brad-house.com>
Date: Wed, 8 Sep 2021 07:38:44 -0400
Subject: [PATCH] ares_expand_name should allow underscores (_) as SRV records
legitimately use them
c-ares 1.17.2 introduced response validation to prevent a security issue, however
it did not have (_) listed as a valid character for domain name responses which
caused issues when a CNAME referenced a SRV record which contained underscores.
While RFC2181 section 11 does explicitly state not to do validation, that applies
to servers not clients.
Fixes: #424
Fix By: Brad House (@bradh352)
---
src/lib/ares_expand_name.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/lib/ares_expand_name.c b/src/lib/ares_expand_name.c
index a62c982e..db262ab4 100644
--- a/src/lib/ares_expand_name.c
+++ b/src/lib/ares_expand_name.c
@@ -59,10 +59,16 @@ static int ares__isprint(int ch)
return 0;
}
-/* Character set allowed by hostnames */
+/* Character set allowed by hostnames. This is to include the normal
+ * domain name character set plus underscores which are used in SRV
+ * records. While RFC 2181 section 11 does state not to do validation,
+ * that applies to servers, not clients. Vulnerabilities have been
+ * reported when this validation is not performed. Security is more
+ * important than edge-case compatibility (which is probably invalid
+ * anyhow). */
static int is_hostnamech(int ch)
{
- /* [A-Za-z0-9-.]
+ /* [A-Za-z0-9-._]
* Don't use isalnum() as it is locale-specific
*/
if (ch >= 'A' && ch <= 'Z')
@@ -71,7 +77,7 @@ static int is_hostnamech(int ch)
return 1;
if (ch >= '0' && ch <= '9')
return 1;
- if (ch == '-' || ch == '.')
+ if (ch == '-' || ch == '.' || ch == '_')
return 1;
return 0;

6
c-ares.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Sep 8 14:07:34 UTC 2021 - Adam Majer <adam.majer@suse.de>
- 5c995d5.patch: augment input validation on hostnames to allow _
as part of DNS response (bsc#1190225)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 12 13:59:07 UTC 2021 - Adam Majer <adam.majer@suse.de> Thu Aug 12 13:59:07 UTC 2021 - Adam Majer <adam.majer@suse.de>

1
c-ares.spec
View File

@ -56,6 +56,7 @@ Source6: c-ares-config.cmake.in
Source7: ares_dns.h Source7: ares_dns.h
Patch0: 0001-Use-RPM-compiler-options.patch Patch0: 0001-Use-RPM-compiler-options.patch
Patch1: disable-live-tests.patch Patch1: disable-live-tests.patch
Patch2: https://github.com/c-ares/c-ares/commit/5c995d5.patch
BuildRequires: cmake BuildRequires: cmake
BuildRequires: gcc-c++ BuildRequires: gcc-c++
%if %{with tests} %if %{with tests}