c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, “0::00:00:00/2” was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may call ares_inet_net_pton() externally for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | c-ares | < 1.18.1-3 | c-ares_1.18.1-3_all.deb |
Debian | 11 | all | c-ares | < 1.17.1-1+deb11u3 | c-ares_1.17.1-1+deb11u3_all.deb |
Debian | 10 | all | c-ares | < 1.14.0-1+deb10u3 | c-ares_1.14.0-1+deb10u3_all.deb |
Debian | 999 | all | c-ares | < 1.18.1-3 | c-ares_1.18.1-3_all.deb |
Debian | 13 | all | c-ares | < 1.18.1-3 | c-ares_1.18.1-3_all.deb |