[CVE-2016-5180] ares_create_query: avoid single-byte buffer overwrite by sgallagher · Pull Request #8849 · nodejs/node

sgallagher · 2016-09-29T18:19:35Z

Checklist

make -j8 test (UNIX), or vcbuild test nosign (Windows) passes
commit message follows commit guidelines

Affected core subsystem(s)

bundled c-ares

Description of change

Avoid single-byte buffer overwrite when the name ends with an escaped dot.

CVE-2016-5180

Bug: https://c-ares.haxx.se/adv_20160929.html

MylesBorins · 2016-09-29T18:28:15Z

I can confirm the e8dd387 is identical to the patch found at https://c-ares.haxx.se/CVE-2016-5180.patch

LGTM

jasnell

LGTM

jbergstroem

LGTM

jbergstroem · 2016-09-29T19:04:36Z

CI: https://ci.nodejs.org/job/node-test-commit/5365/

indutny

LGTM

MylesBorins · 2016-09-29T21:18:20Z

windows failure is infra related https://ci.nodejs.org/job/node-test-binary-windows/4102/RUN_SUBSET=3,VS_VERSION=vcbt2015,label=win10/tapTestReport/test.tap-238/

/cc @nodejs/platform-windows re: flaky test

Trott · 2016-09-30T04:13:06Z

Aside: I think @geek has a PR in to fix that test. #8848

jbergstroem · 2016-09-30T05:52:11Z

I'll land this in 24h unless anyone has any objections.

MylesBorins · 2016-09-30T05:53:08Z

once it lands I'll deal with backporting

On Fri, Sep 30, 2016, 1:52 AM Johan Bergström notifications@github.com
wrote:

I'll land this in 24h unless anyone has any objections.

—
You are receiving this because you commented.

Reply to this email directly, view it on GitHub
#8849 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AAecV9Jgf-c-FaTgZYMHzDycGyTb9ZC8ks5qvKOSgaJpZM4KKT9Z
.

MylesBorins · 2016-09-30T15:25:03Z

Another run of CI: https://ci.nodejs.org/job/node-test-pull-request/4332/

jbergstroem · 2016-10-02T23:38:07Z

Test failures look unrelated.

jbergstroem · 2016-10-02T23:49:15Z

wtf -- PR got closed when I pushed to the remote branch. Merged in 68c4c71.

Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html PR-URL: #8849 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

mscdex · 2016-10-03T04:05:44Z

This should have had a better subsystem name, like cares: instead of ares_create_query:.

jbergstroem · 2016-10-03T12:31:40Z

@mscdex true, apologies.

Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html PR-URL: #8849 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

MylesBorins · 2016-10-06T23:50:29Z

So it looks like v4.x is using care v1.10.1 and as such is affected, this patch is not landing cleanly though. I'll manually backport

Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html PR-URL: #8849 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html Ref: nodejs#9037 PR-URL: nodejs#8849 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html Ref: #9037 PR-URL: #8849 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

Backport of nodejs#8849 for c-ares 1.9.0. Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html

Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html Ref: nodejs#9037 PR-URL: nodejs#8849 Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

Backport of nodejs#8849 for c-ares 1.9.0. Incorrect string length calculation when passing escaped dot. - CVE: CVE-2016-5180 - Upstream bug: https://c-ares.haxx.se/adv_20160929.html PR-URL: nodejs#9108 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

nodejs-github-bot added the cares Issues and PRs related to the c-ares dependency or the cares_wrap binding. label Sep 29, 2016

MylesBorins approved these changes Sep 29, 2016

View reviewed changes

MylesBorins added the security Issues and PRs related to security. label Sep 29, 2016

cjihrig approved these changes Sep 29, 2016

View reviewed changes

jasnell approved these changes Sep 29, 2016

View reviewed changes

jbergstroem approved these changes Sep 29, 2016

View reviewed changes

indutny approved these changes Sep 29, 2016

View reviewed changes

jbergstroem closed this Oct 2, 2016

jbergstroem force-pushed the master branch from e8dd387 to 3c5cf12 Compare October 2, 2016 23:47

MylesBorins added the lts-watch-v4.x label Oct 6, 2016

MylesBorins self-assigned this Oct 6, 2016

MylesBorins added dont-land-on-v4.x and removed lts-watch-v4.x labels Oct 11, 2016

This was referenced Oct 15, 2016

deps: c-ares, avoid single-byte buffer overwrite #9108

Closed

Release proposal: v0.12.17 #9147

Merged

rvagg mentioned this pull request Oct 18, 2016

Release proposal: v4.6.1 #9153

Closed

addaleax mentioned this pull request Mar 7, 2017

C-Ares version update for buffer overflow vulnerability fix? #11728

Closed

yosifkit mentioned this pull request Mar 13, 2017

Node official images vulnerabilities docker-library/official-images#2740

Closed

chorrell mentioned this pull request Apr 4, 2017

25 of 134 components are vulnerable?! nodejs/docker-node#374

Closed

bnoordhuis mentioned this pull request Apr 20, 2017

Deps: Upgrade c-ares to >= 1.12.0 (CVE-2016-5180) #12532

Closed

snyk-bot mentioned this pull request Apr 24, 2023

[Snyk] Security upgrade jest from 24.9.0 to 25.0.0 aliscco/alisco-node#95

Open

aliscco mentioned this pull request Apr 28, 2023

[Snyk] Fix for 5 vulnerabilities aliscco/alisco-node#348

Open

aliscco mentioned this pull request Jun 23, 2023

[Snyk] Security upgrade jest from 24.9.0 to 25.0.0 aliscco/alisco-node#565

Open

Uh oh!

Conversation

sgallagher commented Sep 29, 2016

Checklist

Affected core subsystem(s)

Description of change

Uh oh!

MylesBorins commented Sep 29, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jasnell left a comment

Choose a reason for hiding this comment

Uh oh!

jbergstroem left a comment

Choose a reason for hiding this comment

Uh oh!

jbergstroem commented Sep 29, 2016

Uh oh!

indutny left a comment

Choose a reason for hiding this comment

Uh oh!

MylesBorins commented Sep 29, 2016 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Trott commented Sep 30, 2016

Uh oh!

jbergstroem commented Sep 30, 2016

Uh oh!

MylesBorins commented Sep 30, 2016

Uh oh!

MylesBorins commented Sep 30, 2016

Uh oh!

jbergstroem commented Oct 2, 2016

Uh oh!

jbergstroem commented Oct 2, 2016

Uh oh!

mscdex commented Oct 3, 2016

Uh oh!

jbergstroem commented Oct 3, 2016

Uh oh!

MylesBorins commented Oct 6, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

MylesBorins commented Sep 29, 2016 •

edited

Loading

MylesBorins commented Sep 29, 2016 •

edited

Loading