oss-sec mailing list archives
c-ares CVE-2024-25629
From: Brad House <brad () brad-house com>
Date: Fri, 23 Feb 2024 07:32:30 -0500
There is a single security vulnerability in c-ares that has been released with c-ares 1.27.0.
*CVE-2024-25629 * Impact|ares__read_line()|is used to parse local configuration files such as|/etc/resolv.conf|,|/etc/nsswitch.conf|, the|HOSTALIASES|file, and if using a c-ares version prior to 1.22.0, the|/etc/hosts|file. If any of these configuration files has an embedded|NULL|character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash.
Patches Fixed in c-ares 1.27.0 Workarounds No workarounds exist. Credit Vojtěch Vobr
Current thread:
- c-ares CVE-2024-25629 Brad House (Feb 23)