CVE-2017-1000381

Priority
Description
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given
input buffer if the passed-in DNS response packet was crafted in a
particular way.
Assigned-to
mdeslaur (c-ares), mikesalvatore (nodejs)
Package: c-ares
Upstream: released (1.13.0,1.12.0-4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): released (1.10.0-2ubuntu0.2)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.10.0-3ubuntu0.2)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (1.12.0-4)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (1.12.0-4)
Ubuntu 19.04 (Disco Dingo): not-affected (1.12.0-4)
Patches:
Upstream: https://c-ares.haxx.se/CVE-2017-1000381.patch
Package: nodejs
Upstream: released (4.8.4, 6.11.1, 8.1.4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (uses system ares)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (8.1.4)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (8.1.4)
Ubuntu 19.04 (Disco Dingo): not-affected (8.1.4)
Patches:
Upstream: https://github.com/nodejs/node/commit/80fe2662e4

Updated: 2018-11-09 14:14:25 UTC (commit bdaf1a22b1797f1314235a6037d2475197c1573c)