OESA-2023-1091

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1091
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1091.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1091
Upstream
Published
2023-02-17T11:04:54Z
Modified
2025-08-12T05:16:38.068487Z
Summary
c-ares security update
Details

This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple

Security Fix(es):

In aressetsortlist, it calls configsortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, aressetsortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked memcpy(ipbuf, str, q-str); and memcpy(ipbufpfx, str, q-str); statements in the configsortlist call, which could potentially cause severe security impact in practical programs.(CVE-2022-4904)

Database specific
{
    "severity": "Medium"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / c-ares

Package

Name
c-ares
Purl
pkg:rpm/openEuler/c-ares&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.16.1-4.oe1

Ecosystem specific

{
    "noarch": [
        "c-ares-help-1.16.1-4.oe1.noarch.rpm"
    ],
    "aarch64": [
        "c-ares-debuginfo-1.16.1-4.oe1.aarch64.rpm",
        "c-ares-debugsource-1.16.1-4.oe1.aarch64.rpm",
        "c-ares-devel-1.16.1-4.oe1.aarch64.rpm",
        "c-ares-1.16.1-4.oe1.aarch64.rpm"
    ],
    "src": [
        "c-ares-1.16.1-4.oe1.src.rpm"
    ],
    "x86_64": [
        "c-ares-debugsource-1.16.1-4.oe1.x86_64.rpm",
        "c-ares-1.16.1-4.oe1.x86_64.rpm",
        "c-ares-devel-1.16.1-4.oe1.x86_64.rpm",
        "c-ares-debuginfo-1.16.1-4.oe1.x86_64.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / c-ares

Package

Name
c-ares
Purl
pkg:rpm/openEuler/c-ares&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.16.1-4.oe1

Ecosystem specific

{
    "noarch": [
        "c-ares-help-1.16.1-4.oe1.noarch.rpm"
    ],
    "aarch64": [
        "c-ares-debugsource-1.16.1-4.oe1.aarch64.rpm",
        "c-ares-devel-1.16.1-4.oe1.aarch64.rpm",
        "c-ares-debuginfo-1.16.1-4.oe1.aarch64.rpm",
        "c-ares-1.16.1-4.oe1.aarch64.rpm"
    ],
    "src": [
        "c-ares-1.16.1-4.oe1.src.rpm"
    ],
    "x86_64": [
        "c-ares-devel-1.16.1-4.oe1.x86_64.rpm",
        "c-ares-debuginfo-1.16.1-4.oe1.x86_64.rpm",
        "c-ares-debugsource-1.16.1-4.oe1.x86_64.rpm",
        "c-ares-1.16.1-4.oe1.x86_64.rpm"
    ]
}

openEuler:22.03-LTS / c-ares

Package

Name
c-ares
Purl
pkg:rpm/openEuler/c-ares&distro=openEuler-22.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.18.1-4.oe2203

Ecosystem specific

{
    "noarch": [
        "c-ares-help-1.18.1-4.oe2203.noarch.rpm"
    ],
    "aarch64": [
        "c-ares-devel-1.18.1-4.oe2203.aarch64.rpm",
        "c-ares-debugsource-1.18.1-4.oe2203.aarch64.rpm",
        "c-ares-1.18.1-4.oe2203.aarch64.rpm",
        "c-ares-debuginfo-1.18.1-4.oe2203.aarch64.rpm"
    ],
    "src": [
        "c-ares-1.18.1-4.oe2203.src.rpm"
    ],
    "x86_64": [
        "c-ares-1.18.1-4.oe2203.x86_64.rpm",
        "c-ares-devel-1.18.1-4.oe2203.x86_64.rpm",
        "c-ares-debugsource-1.18.1-4.oe2203.x86_64.rpm",
        "c-ares-debuginfo-1.18.1-4.oe2203.x86_64.rpm"
    ]
}