Version in base suite: 1.17.1-1+deb11u1
Base version: c-ares_1.17.1-1+deb11u1
Target version: c-ares_1.17.1-1+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/c-ares/c-ares_1.17.1-1+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/c-ares/c-ares_1.17.1-1+deb11u2.dsc
 changelog | 10 ++++++++++
 patches/CVE-2022-4904.diff | 36 ++++++++++++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 47 insertions(+)
diff -Nru c-ares-1.17.1/debian/changelog c-ares-1.17.1/debian/changelog
--- c-ares-1.17.1/debian/changelog 2021-08-07 09:56:59.000000000 +0000
+++ c-ares-1.17.1/debian/changelog 2023-02-17 23:24:32.000000000 +0000
@@ -1,3 +1,13 @@
+c-ares (1.17.1-1+deb11u2) bullseye; urgency=medium
+
+ * Fix CVE-2022-4904:
+ It was discovered that in c-ares, an asynchronous name resolver library,
+ the config_sortlist function is missing checks about the validity of the
+ input string, which allows a possible arbitrary length stack overflow and
+ thus may cause a denial of service. (Closes: #1031525)
+
+ -- Gregor Jasny Sat, 18 Feb 2023 00:24:32 +0100
+
 c-ares (1.17.1-1+deb11u1) bullseye-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru c-ares-1.17.1/debian/patches/CVE-2022-4904.diff c-ares-1.17.1/debian/patches/CVE-2022-4904.diff
--- c-ares-1.17.1/debian/patches/CVE-2022-4904.diff 1970-01-01 00:00:00.000000000 +0000
+++ c-ares-1.17.1/debian/patches/CVE-2022-4904.diff 2023-02-17 23:24:32.000000000 +0000
@@ -0,0 +1,36 @@
+Subject: Add str len check in config_sortlist to avoid stack overflow
+Origin: https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d
+Bug: https://github.com/c-ares/c-ares/issues/496
+Bug-Debian: https://bugs.debian.org/1031525
+
+--- a/src/lib/ares_init.c
++++ b/src/lib/ares_init.c
+@@ -2198,6 +2198,8 @@
+ q = str;
+ while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 16)
++ return ARES_EBADSTR;
+ memcpy(ipbuf, str, q-str);
+ ipbuf[q-str] = '\0';
+ /* Find the prefix */
+@@ -2206,6 +2208,8 @@
+ const char *str2 = q+1;
+ while (*q && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 32)
++ return ARES_EBADSTR;
+ memcpy(ipbufpfx, str, q-str);
+ ipbufpfx[q-str] = '\0';
+ str = str2;
+--- a/test/ares-test-init.cc
++++ b/test/ares-test-init.cc
+@@ -270,6 +270,8 @@
+ 
+ TEST_F(DefaultChannelTest, SetSortlistFailures) {
+ EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4"));
++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16"));
++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*"));
+ EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk"));
+ EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123"));
+ }
diff -Nru c-ares-1.17.1/debian/patches/series c-ares-1.17.1/debian/patches/series
--- c-ares-1.17.1/debian/patches/series 2021-08-07 09:56:59.000000000 +0000
+++ c-ares-1.17.1/debian/patches/series 2023-02-17 23:24:32.000000000 +0000
@@ -1,3 +1,4 @@
 disable-cflags-rewrite.diff
 ares_expand_name-should-escape-more-characters.patch
 ares_expand_name-fix-formatting-and-handling-of-root.patch
+CVE-2022-4904.diff
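Review bot: The two new guards in the ares_init.c hunk hard-code the bounds 16 and 32, which are only correct as long as they match the sizes of `ipbuf` and `ipbufpfx`, both declared outside this hunk (presumably as fixed-size char arrays of those lengths; the test strings added below are consistent with that). Tying the checks to the buffers themselves, `if ((size_t)(q-str) >= sizeof(ipbuf)) return ARES_EBADSTR;` and `if ((size_t)(q-str) >= sizeof(ipbufpfx)) return ARES_EBADSTR;`, keeps the length check correct if either array is ever resized and avoids the signed/unsigned mix of a `ptrdiff_t` against an `int` literal. The placement is right: each check precedes both the `memcpy` and the NUL write, so neither can run past the end of its buffer, and an over-long token now fails the whole sortlist with ARES_EBADSTR rather than being silently truncated. config_sortlist starts and ends outside this hunk, so whether `q-str` is used as an index into either buffer anywhere else in the function could not be confirmed from the patch alone.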