[3.4] c-ares: Single byte out of buffer write (CVE-2016-5180)

ID: oval:org.secpod.oval:def:1800793 | Date: (C)2018-03-29 (M)2023-11-10 | Class: PATCH | Family: unix
When a string passed to ares_create_query or ares_mkquery ends with an escaped trailing dot, like "hello\.", c-ares calculates the string length incorrectly and subsequently writes one byte outside of the allocated buffer. The wrongly written byte is the least significant byte of the "dnsclass" argument, most commonly 1.

Proof-of-concept code has shown how this can be exploited in a real-world system, but we are not aware of any exploits having actually happened in the wild.

Affected versions: c-ares 1.0.0 up to and including 1.11.0
Fixed in version: c-ares 1.12.0
Platform: Alpine Linux 3.4
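The escaped-trailing-dot condition from the description, as an added example that is not c-ares code: a caller-side check in C that flags such names before they reach ares_create_query or ares_mkquery on an affected version, and computes the wire-format length the name actually needs. The function names and sample inputs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Returns 1 when the last character of name is a '.' consumed by a
 * preceding backslash, i.e. the name ends in an escaped (literal) dot.
 * A backslash escapes exactly the next character, so a name ending in
 * backslash, backslash, dot has a real trailing dot and does not match. */
int ends_with_escaped_dot(const char *name)
{
    int last_escaped = 0;
    char last = '\0';
    for (const char *p = name; *p; p++) {
        last_escaped = 0;
        if (*p == '\\' && p[1] != '\0') { p++; last_escaped = 1; }
        last = *p;
    }
    return last_escaped && last == '.';
}

/* Bytes the name occupies in DNS wire format: one length byte plus the
 * unescaped characters of each label, then the zero-length root label.
 * Only an unescaped '.' separates labels. Returns 0 for an empty inner
 * label or a label longer than 63 bytes. */
size_t encoded_name_len(const char *name)
{
    size_t total = 0, label = 0;
    const char *p = name;
    if (p[0] == '.' && p[1] == '\0') return 1;      /* root name */
    while (*p) {
        if (*p == '.') {                            /* real separator */
            if (label == 0) return 0;
            total += 1 + label;
            label = 0;
        } else {
            if (*p == '\\' && p[1] != '\0') p++;    /* escaped char is data */
            if (++label > 63) return 0;
        }
        p++;
    }
    if (label) total += 1 + label;
    return total + 1;                               /* root label */
}

int main(void)
{
    /* Constructed sample names; the second is the case from the advisory. */
    const char *names[] = { "hello.", "hello\\.", "hello\\\\.", "www.example.com" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s escaped_trailing_dot=%d wire_len=%zu\n", names[i],
               ends_with_escaped_dot(names[i]), encoded_name_len(names[i]));
    return 0;
}
```

Rejecting or rewriting names for which `ends_with_escaped_dot` returns 1 is a stopgap only; the fix is upgrading to c-ares 1.12.0.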