Bug 13825

Summary:	[CVE 21] c-ares 1.18.1 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	VERIFIED FIXED	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	normal
Priority:	Normal	CC:	a.proklov, e.kosachev, e.malashin, s.matveev, v.potapov, y.tumanov
Version:	All	Flags:	v.potapov: qa_verified+ y.tumanov: secteam_verified+ a.proklov: published+
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	CVE-2023-31124, CVE-2023-31147,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-10-18 20:24:28 MSK

Please patch CVEs for package c-ares version 1.18.1
  
INFO (CVEs are): c-ares 1.18.1
 cves found
CVE-2023-31124
Desc: c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.  This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.

Link: https://nvd.nist.gov/vuln/detail/CVE-2023-31124
Severity: LOW
CVE-2023-31147
Desc: c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-31147
Severity: MEDIUM

Comment 1 Vladimir Potapov 2023-10-20 11:39:41 MSK

*** Bug 13693 has been marked as a duplicate of this bug. ***

Comment 2 Aleksandr Proklov 2023-11-10 09:25:39 MSK

предлагаю закрыть CVE обновлением версии

c-ares	1.19.1-1

https://abf.io/build_lists/4818415
https://abf.io/build_lists/4818416
https://abf.io/build_lists/4818417
https://abf.io/build_lists/4818418
https://abf.io/build_lists/4818419

Comment 3 e.malashin@rosalinux.ru 2023-11-10 15:03:07 MSK

(In reply to Aleksandr Proklov from comment #2)
> предлагаю закрыть CVE обновлением версии
> 
> c-ares	1.19.1-1
> 
> https://abf.io/build_lists/4818415
> https://abf.io/build_lists/4818416
> https://abf.io/build_lists/4818417
> https://abf.io/build_lists/4818418
> https://abf.io/build_lists/4818419

The update sent to testings

Comment 4 Vladimir Potapov 2023-11-14 11:33:37 MSK

c-ares-1.19.1-1
https://abf.io/build_lists/4818415
https://abf.io/build_lists/4818416
https://abf.io/build_lists/4818417
https://abf.io/build_lists/4818418
https://abf.io/build_lists/4818419
************************** Advisory ***********************
Close CVEs by version update
***********************************************************
QA Verified

Comment 5 Yury 2023-11-14 14:02:57 MSK

secteam_verified