CVE-2017-1000381

Priority
Description
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing
NAPTR responses, could be triggered to read memory outside of the given
input buffer if the passed-in DNS response packet was crafted in a
particular way.
Ubuntu-Description
It was discovered that c-ares incorrectly handled certain NAPTR responses. A
remote attacker could possibly use this issue to cause applications using
c-ares to crash, resulting in a denial of service.
Assigned-to
mdeslaur (c-ares), mikesalvatore (nodejs)
Notes
Package
Upstream: released (1.13.0, 1.12.0-4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [1.10.0-2ubuntu0.2])
Ubuntu 16.04 LTS (Xenial Xerus): released (1.10.0-3ubuntu0.2)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (1.12.0-4)
Ubuntu 19.10 (Eoan Ermine): not-affected (1.12.0-4)
Ubuntu 20.04 (Focal Fossa): not-affected (1.12.0-4)
Patches:
Upstream: https://c-ares.haxx.se/CVE-2017-1000381.patch
Package
Upstream: released (4.8.4, 6.11.1, 8.1.4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (uses system ares)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (8.1.4)
Ubuntu 19.10 (Eoan Ermine): not-affected (8.1.4)
Ubuntu 20.04 (Focal Fossa): not-affected (8.1.4)
Patches:
Upstream: https://github.com/nodejs/node/commit/80fe2662e4

Updated: 2020-04-24 03:35:09 UTC (commit d3f8a6ed481830fb100109a132bef581fc4176fe)