Описание
c-ares is a C library for asynchronous DNS requests. ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and if using a c-ares version prior to 1.27.0, the /etc/hosts file. If any of these configuration files has an embedded NULL character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
A vulnerability was found in c-ares where the ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and if using a c-ares version prior to 1.22.0, the /etc/hosts file. If the configuration files have an embedded NULL character as the first character in a new line, it can attempt to read memory before the start of the given buffer, which may result in a crash.
Отчет
Red Hat considers this a Low impact since this issue requires a specific configuration file to be configured incorrectly, meaning an attacker would need access to this configuration file to impact the server. This would normally correspond to an already compromised environment.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | c-ares | Affected | ||
| Red Hat Enterprise Linux 10 | nodejs20 | Not affected | ||
| Red Hat Enterprise Linux 6 | c-ares | Out of support scope | ||
| Red Hat Enterprise Linux 7 | c-ares | Out of support scope | ||
| Red Hat Enterprise Linux 8 | nodejs:16/nodejs | Fix deferred | ||
| Red Hat Software Collections | rh-nodejs14-nodejs | Fix deferred | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2024:2778 | 09.05.2024 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2024:2780 | 09.05.2024 |
| Red Hat Enterprise Linux 8 | c-ares | Fixed | RHSA-2024:4249 | 02.07.2024 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2024:2779 | 09.05.2024 |
Показывать по
Дополнительная информация
Статус:
4.4 Medium
CVSS3
Связанные уязвимости
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
c-ares is a C library for asynchronous DNS requests. `ares__read_line( ...
4.4 Medium
CVSS3