CVE-2017-1000381

Priority
Description
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given
input buffer if the passed-in DNS response packet was crafted in a
particular way.
Assigned-to
mdeslaur (c-ares), mikesalvatore (nodejs)
Package: c-ares
Upstream: released (1.13.0, 1.12.0-4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [1.10.0-2ubuntu0.2])
Ubuntu 16.04 LTS (Xenial Xerus): released (1.10.0-3ubuntu0.2)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (1.12.0-4)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (1.12.0-4)
Ubuntu 19.04 (Disco Dingo): not-affected (1.12.0-4)
Ubuntu 19.10 (Eoan): not-affected (1.12.0-4)
Patches:
Upstream: https://c-ares.haxx.se/CVE-2017-1000381.patch
Package: nodejs
Upstream: released (4.8.4, 6.11.1, 8.1.4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected ([uses system ares])
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (8.1.4)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (8.1.4)
Ubuntu 19.04 (Disco Dingo): not-affected (8.1.4)
Ubuntu 19.10 (Eoan): not-affected (8.1.4)
Patches:
Upstream: https://github.com/nodejs/node/commit/80fe2662e4

Updated: 2019-05-15 17:15:45 UTC (commit 2d71aefac924bf16479c12958688c37878e881eb)