Bug 1007728 - (CVE-2016-5180) VUL-0: CVE-2016-5180: libcares2,nodejs,nodejs4,nodejs6: ares_create_query single byte out of buffer write
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other OS: Other
Priority: P3 - Medium Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/173044/
CVSSv2:RedHat:CVE-2016-5180:5.0:(AV:N...
Reported: 2016-10-31 09:12 UTC by Andreas Stieger
Modified: 2017-03-02 05:26 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2016-10-31 09:12:21 UTC
https://c-ares.haxx.se/adv_20160929.html

When a string is passed in to ares_create_query or ares_mkquery and uses an escaped trailing dot, like "hello\.", c-ares calculates the string length wrong and subsequently writes outside of the allocated buffer with one byte. The wrongly written byte is the least significant byte of the 'dnsclass' argument; most commonly 1.

Proof of concept code has shown how this can be exploited in a real-world system, but we are not aware of any exploits having actually happened in the wild.

This flaw exists in the following c-ares versions.

    Affected versions: c-ares 1.0.0 to and including 1.11.0
    Not affected versions: c-ares >= 1.12.0


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1380463
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5180
http://seclists.org/oss-sec/2016/q3/659
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5180.html
http://www.debian.org/security/2016/dsa-3682
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839151
https://c-ares.haxx.se/CVE-2016-5180.patch
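The length miscalculation described above, as an added illustration in C for this page (my reimplementation of the relevant computation, not c-ares source and not the referenced patch): the vulnerable estimate, a corrected estimate that tracks escaping during the scan (my formulation; the upstream patch states the same condition differently), and an encoder that performs the actual label writing, compared on a few constructed names including the escaped-trailing-dot case.

```c
#include <stddef.h>
#include <stdio.h>

/* Wire-format length of NAME as the vulnerable ares_create_query computed
 * it.  Illustrative reimplementation for this bug page, not c-ares source.
 * Counting starts at 1 for the terminating zero-length label; every
 * character, escaped or not, adds one byte. */
size_t name_len_vulnerable(const char *name)
{
    size_t len = 1;
    const char *p;

    for (p = name; *p; p++) {
        if (*p == '\\' && *(p + 1) != '\0')
            p++;                 /* "\." is one byte of label data */
        len++;
    }
    /* n dots -> n + 1 labels -> n + 1 length bytes, unless the name is
     * empty or ends with a dot.  Only the last byte is inspected, so the
     * escaped trailing dot of "hello\." is taken for a label terminator
     * and the length byte of the final label is never counted. */
    if (*name && *(p - 1) != '.')
        len++;
    return len;
}

/* Corrected computation: remember whether the final character was escaped,
 * so "hello\." is a six-byte label that still needs its own length byte. */
size_t name_len_fixed(const char *name)
{
    size_t len = 1;
    int last_escaped = 0;
    const char *p;

    for (p = name; *p; p++) {
        last_escaped = 0;
        if (*p == '\\' && *(p + 1) != '\0') {
            p++;
            last_escaped = 1;
        }
        len++;
    }
    if (*name && (*(p - 1) != '.' || last_escaped))
        len++;
    return len;
}

/* Encode NAME into OUT (capacity OUTLEN) with the same label rules: a
 * length byte, the label bytes with backslash escapes removed, and a final
 * zero byte.  Returns the bytes the encoding needs whether or not it fit;
 * bytes beyond OUTLEN are simply not stored. */
size_t encode_name(const char *name, unsigned char *out, size_t outlen)
{
    size_t pos = 0;
    const char *p = name;

    while (*p) {
        size_t lenpos = pos++;   /* reserve the length byte */
        size_t label = 0;

        while (*p && *p != '.') {
            if (*p == '\\' && *(p + 1) != '\0')
                p++;             /* escaped char is label data, even '.' */
            if (pos < outlen)
                out[pos] = (unsigned char)*p;
            pos++;
            label++;
            p++;
        }
        if (lenpos < outlen)
            out[lenpos] = (unsigned char)label;
        if (*p == '.')
            p++;
    }
    if (pos < outlen)
        out[pos] = 0;
    return pos + 1;
}

/* Bytes by which the real encoding exceeds the vulnerable estimate.  The
 * query buffer is header + estimate + question fields, and type and class
 * are written after the name, so an estimate one byte short places the last
 * byte written, the low byte of the big-endian dnsclass (1 for C_IN), one
 * past the end of the allocation, as the advisory states. */
size_t overflow_bytes(const char *name)
{
    unsigned char scratch[512];
    size_t actual = encode_name(name, scratch, sizeof scratch);
    size_t estimate = name_len_vulnerable(name);

    return actual > estimate ? actual - estimate : 0;
}

int main(void)
{
    /* constructed sample names */
    const char *names[] = { "hello", "hello.", "hello\\.", "www.example.com" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s vulnerable=%zu fixed=%zu overflow=%zu\n",
               names[i], name_len_vulnerable(names[i]),
               name_len_fixed(names[i]), overflow_bytes(names[i]));
    return 0;
}
```

Only the escaped-trailing-dot name shows a discrepancy of one byte; plain, dot-terminated and multi-label names are estimated correctly by both versions, which is why the flaw went unnoticed for so long.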
Comment 1 Andreas Stieger 2016-10-31 09:14:11 UTC
A community user pointed out that this vulnerability also affects the library bundled in nodejs:

> I also noticed that nodejs is currently using a forked, statically
> linked version of c-ares in 4.x (6.x and above use upstream c-ares).
> As a temporary measure, I have already submitted updates for 13.2,
> Leap 42.1 and Tumbleweed, however as nodejs4 comes from SLE in Leap
> 42.2, that will need to be updated by SLE maintainers.
> 
> As a result of this, I have done some checks for which static
> libraries are currently used by Node.js, and have written up my
> findings here:
> https://gist.github.com/Qantas94Heavy/e2c7d7922c6ab75e4d34b8a6cc952b17
> 
> Having said that, the risk of security issues in static libraries is
> somewhat mitigated by upstream's timely release of security updates.
> 
> I have done some work in using system libraries where possible in
> home:qantas94heavy:branches:devel:languages:nodejs/nodejs, but I have
> not been able to fully test this out yet.
Comment 2 Bernhard Wiedemann 2016-10-31 13:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (1007728) was mentioned in
https://build.opensuse.org/request/show/438021 Factory / libcares2
Comment 4 Swamp Workflow Management 2016-10-31 23:00:27 UTC
bugbot adjusting priority
Comment 5 Jordi Massaguer 2016-11-02 17:26:00 UTC
Hi,

the version in Leap 42.2 comes from Leap 42.1, thus we should be able to use the same package.

Do we know which are the submit requests that community user did?
Comment 6 Andreas Stieger 2016-11-02 18:52:29 UTC
The community user submitted nodejs for 13.2 and 42.1:
https://build.opensuse.org/request/show/437694
https://build.opensuse.org/project/show/openSUSE:Maintenance:5779
Comment 7 Jordi Massaguer 2016-11-03 12:57:42 UTC
will the submission to 42.1 be forwarded to 42.2? Or do we need another mr for that?
Comment 8 Andreas Stieger 2016-11-03 13:01:02 UTC
(In reply to Jordi Massaguer from comment #7)
> will the submission to 42.1 be forwarded to 42.2? Or do we need another mr
> for that?

At this point there is no automatic forwarding.

Also 42.2 does not have nodejs but nodejs4.
Comment 9 Bernhard Wiedemann 2016-11-21 09:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (1007728) was mentioned in
https://build.opensuse.org/request/show/441157 13.2 / libcares2
Comment 10 Tomáš Chvátal 2016-11-21 09:11:35 UTC
All c-ares submissions done.
Comment 12 Swamp Workflow Management 2016-11-24 17:07:44 UTC
SUSE-SU-2016:2898-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1007728,1009011
CVE References: CVE-2016-5180
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs4-4.6.1-11.1
Comment 13 Marcus Meissner 2016-12-01 10:41:32 UTC
Nodejs6 needs fixes too.
Comment 14 Adam Majer 2016-12-01 11:06:41 UTC
nodejs6 is fixed. It was fixed in v6.8.0, which at the time was still a development branch, so it didn't receive security notifications.
Comment 15 Swamp Workflow Management 2016-12-01 14:07:04 UTC
openSUSE-SU-2016:2960-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1007728
CVE References: CVE-2016-5180
Sources used:
openSUSE 13.2 (src):    libcares2-1.10.0-2.3.1
Comment 16 Swamp Workflow Management 2016-12-05 12:11:39 UTC
openSUSE-SU-2016:3006-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1007728,1009011
CVE References: CVE-2016-5180
Sources used:
openSUSE Leap 42.2 (src):    nodejs4-4.6.1-3.1
Comment 17 Swamp Workflow Management 2016-12-29 12:07:53 UTC
SUSE-SU-2016:3286-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1007728
CVE References: CVE-2016-5180
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    libcares2-1.9.1-5.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    libcares2-1.9.1-5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libcares2-1.9.1-5.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libcares2-1.9.1-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libcares2-1.9.1-5.1
SUSE Linux Enterprise Server 12-SP2 (src):    libcares2-1.9.1-5.1
SUSE Linux Enterprise Server 12-SP1 (src):    libcares2-1.9.1-5.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libcares2-1.9.1-5.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libcares2-1.9.1-5.1
Comment 18 Swamp Workflow Management 2016-12-29 12:08:27 UTC
SUSE-SU-2016:3287-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1007728
CVE References: CVE-2016-5180
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libcares2-1.7.4-7.9.1
SUSE Linux Enterprise Server 11-SP4 (src):    libcares2-1.7.4-7.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libcares2-1.7.4-7.9.1
Comment 19 Swamp Workflow Management 2017-01-08 00:22:30 UTC
openSUSE-SU-2017:0082-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1007728
CVE References: CVE-2016-5180
Sources used:
openSUSE Leap 42.2 (src):    libcares2-1.9.1-6.1
openSUSE Leap 42.1 (src):    libcares2-1.9.1-5.1
Comment 20 Victor Pereira 2017-03-01 08:10:50 UTC
fixed and released