oss-sec mailing list archives

c-ares CVE-2024-25629


From: Brad House <brad () brad-house com>
Date: Fri, 23 Feb 2024 07:32:30 -0500

There is a single security vulnerability in c-ares that has been released with c-ares 1.27.0.

CVE-2024-25629


     Impact

ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and if using a c-ares version prior to 1.22.0, the /etc/hosts file. If any of these configuration files has an embedded NULL character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash.


     Patches

Fixed in c-ares 1.27.0


     Workarounds

No workarounds exist.


     Credit

Vojtěch Vobr
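
Added example, not part of the original message and not c-ares source code: the bug class described under Impact, shown as a guarded newline-strip plus a pre-flight scan for configuration data. It assumes a reader that fills a buffer with fgets() and locates the line end with strlen(); the function names and the sample data are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not c-ares source. Assumed pattern: a reader that
 * gets a line via fgets() and finds its end with strlen(). */

/* Strip one trailing '\n' from an fgets()-filled buffer; return new length.
 * If the line started with a NUL byte, strlen() is 0 and an unguarded
 * buf[len - 1] would read buf[-1], one byte before the buffer. */
static size_t chomp_checked(char *buf)
{
    size_t len = strlen(buf);
    if (len == 0)               /* guard: nothing to index */
        return 0;
    if (buf[len - 1] == '\n')
        buf[--len] = '\0';
    return len;
}

/* Pre-flight check for a config file already loaded into memory:
 * count lines whose first byte is NUL. */
static size_t count_nul_led_lines(const unsigned char *data, size_t n)
{
    size_t hits = 0;
    int at_line_start = 1;
    for (size_t i = 0; i < n; i++) {
        if (at_line_start && data[i] == 0)
            hits++;
        at_line_start = (data[i] == '\n');
    }
    return hits;
}

/* Constructed sample: resolv.conf-like text, second line begins with NUL. */
static const unsigned char sample[] =
    "nameserver 192.0.2.1\n" "\0ptions ndots:2\n" "search example.test\n";

int main(void)
{
    char line[64] = "\0ptions ndots:2\n";   /* what fgets() would store */
    printf("chomp length: %zu\n", chomp_checked(line));
    printf("NUL-led lines: %zu\n",
           count_nul_led_lines(sample, sizeof sample - 1));
    return 0;
}
```

A non-zero count from the scan marks a file that a reader without the length guard would mishandle.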
