Alerts This Week
Warning Icon 1 646
Alerts This Week
Warning Icon 1 646

Gentoo Security Update: LibXYZ Heap Overflow Risk Leading to DoS Potential

gentoo
Calendar Grey January 11, 2017
Dist Gentoo Esm H88
Debian Linux Notification highlights a moderate risk stack overflow in libcurl that could permit external Denial of Service assaults.
A heap-based buffer overflow in c-ares might allow remote attackers to cause a Denial of Service condition.

Summary

A hostname with an escaped trailing dot (such as "hello\\.") would have its size calculated incorrectly leading to a single byte written beyond the end of a buffer on the heap.

Topics%20covered

Topics Covered

security advisory gentoo buffer overflow software update DoS normal severity c-ares

Resolution

All c-ares users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.12.0"

References

[ 1 ] CVE-2016-5180 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5180

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201701-28
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: c-ares: Heap-based buffer overflow
Date: January 11, 2017
Bugs: #595536
ID: 201701-28

Topics%20covered

Topics Covered

security advisory gentoo buffer overflow software update DoS normal severity c-ares

Synopsis

A heap-based buffer overflow in c-ares might allow remote attackers to cause a Denial of Service condition.

Background

c-ares is a C library for asynchronous DNS requests (including name resolves).

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-dns/c-ares < 1.12.0 >= 1.12.0

Impact

===== A remote attacker, able to provide a specially crafted hostname to an application using c-ares, could potentially cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Related News

Your message here