CVE-2023-31124 – AutoTools does not set CARES_RANDOM_FILE during cross compilation
https://notcve.org/view.php?id=CVE-2023-31124
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. A flaw was found in c-ares. • https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7 https://security.gentoo.org/glsa/202310-09 https://access.redhat.com/security/cve/CVE-2023-31124 https://bugzilla.redhat.com/sho • CWE-330: Use of Insufficiently Random Values •
CVE-2022-4904 – c-ares: buffer overflow in config_sortlist() due to missing string length check
https://notcve.org/view.php?id=CVE-2022-4904
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. • https://bugzilla.redhat.com/show_bug.cgi?id=2168631 https://github.com/c-ares/c-ares/issues/496 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2 https://security.gentoo.org/glsa/202401-02 https://access.redhat.com/security/cve/CVE-2022-4904 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-1284: Improper Validation of Specified Quantity in Input •
CVE-2021-3672 – c-ares: Missing input validation of host names may lead to domain hijacking
https://notcve.org/view.php?id=CVE-2021-3672
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. Se ha encontrado un fallo en la biblioteca c-ares, en la que una falta de comprobación de la comprobación de entrada de los nombres de host devueltos por los DNS (Servidores de Nombres de Dominio) puede conllevar a una salida de nombres de host erróneos, que podría conllevar potencialmente a un Secuestro de Dominios. La mayor amenaza de esta vulnerabilidad es para la confidencialidad e integridad, así como para la disponibilidad del sistema • https://bugzilla.redhat.com/show_bug.cgi?id=1988342 https://c-ares.haxx.se/adv_20210810.html https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://security.gentoo.org/glsa/202401-02 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-3672 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •