Message-ID: <b9af7d69-9cab-4cfe-8570-7909466c5c0f@brad-house.com>
Date: Tue, 8 Apr 2025 08:36:03 -0400
From: Brad House <brad@...d-house.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-31498: c-ares use-after-free
CVE-2025-31498
Impact
Use after free() in read_answers() when process_answer() may re-enqueue
a query either due to a DNS Cookie Failure or when the upstream server
does not properly support EDNS, or possibly on TCP queries if the remote
closed the connection immediately after a response. If there was an
issue trying to put that new transaction on the wire, it would close the
connection handle, but read_answers() was still expecting the connection
handle to be available to possibly dequeue other responses.
In theory a remote attacker might be able to trigger this by flooding
the target with ICMP UNREACHABLE packets if they also control the
upstream nameserver and can return a result with one of those
conditions; this has not been tested. Otherwise, only a local attacker
might be able to change system behavior to make send()/write() return a
failure condition.
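The read_answers()/process_answer() interaction described above, as an added example that is not c-ares code: a small constructed model in which processing an answer may re-send the query, close and free the connection on send failure, and the caller re-validates the handle instead of holding a pointer across the callback. conn_table, conn_open, conn_close, process_answer, read_answers and run_scenario are all hypothetical names for this model.

```c
#include <stdbool.h>
#include <stdlib.h>
typedef struct conn {
    int  id;           /* slot in conn_table; safe to hold across callbacks */
    int  pending;      /* answers still buffered on this connection */
    bool resend_fails; /* constructed fault: re-sending the query fails */
} conn_t;

/* Registry of live connections; a freed connection's slot becomes NULL. */
static conn_t *conn_table[4];

static conn_t *conn_open(int id, int pending, bool resend_fails) {
    conn_t *c = calloc(1, sizeof(*c));
    if (c == NULL) abort();
    c->id = id; c->pending = pending; c->resend_fails = resend_fails;
    conn_table[id] = c;
    return c;
}
static void conn_close(conn_t *c) { conn_table[c->id] = NULL; free(c); }

/* Models process_answer(): a cookie failure or EDNS fallback re-sends the
 * query; if that send fails the connection is closed and freed. Returns
 * false when it freed the connection, so the caller must stop using it. */
static bool process_answer(conn_t *c, bool needs_requeue) {
    c->pending--;
    if (needs_requeue && c->resend_fails) { conn_close(c); return false; }
    return true;
}

/* Hardened read_answers(): the buggy version kept using its conn pointer
 * after process_answer() had freed it. Here only the id survives the
 * callback and the connection is looked up again on every iteration. */
static int read_answers(int conn_id, bool needs_requeue) {
    int processed = 0; /* number of answers handled, returned to caller */
    conn_t *c;
    while ((c = conn_table[conn_id]) != NULL && c->pending > 0) {
        processed++;
        if (!process_answer(c, needs_requeue))
            break; /* c is dangling now; never touch it again */
    }
    return processed;
}

/* Runs one constructed scenario; returns the number of answers processed. */
static int run_scenario(int pending, bool needs_requeue, bool resend_fails) {
    conn_open(0, pending, resend_fails);
    int n = read_answers(0, needs_requeue);
    if (conn_table[0] != NULL) conn_close(conn_table[0]);
    return n;
}
```

Run under AddressSanitizer the unsafe variant (a loop that keeps dereferencing its conn pointer after the callback) reports a heap-use-after-free; this version stops at the first freed handle.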
Patches
Versions 1.32.3 - 1.34.4 are affected. Patch in 1.34.5.
Workarounds
None
References
c-ares started handling UDP write failures in 1.32.3 in PR#821
<https://github.com/c-ares/c-ares/pull/821>, whereas they were previously
ignored, thus uncovering this particular issue.
https://github.com/c-ares/c-ares/releases/tag/v1.34.5
Credit
Reported by Erik Lax