new file mode 100644
@@ -0,0 +1,87 @@
+From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
+From: Brad House <brad@brad-house.com>
+Date: Mon, 22 May 2023 06:51:49 -0400
+Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
+
+CVE: CVE-2023-32067
+
+Upstream Status: Backport
+[https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/lib/ares_process.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
+index bf0cde4..6cac0a9 100644
+--- a/src/lib/ares_process.c
++++ b/src/lib/ares_process.c
+@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+ {
+ struct server_state *server;
+ int i;
+- ares_ssize_t count;
++ ares_ssize_t read_len;
+ unsigned char buf[MAXENDSSZ + 1];
+ #ifdef HAVE_RECVFROM
+ ares_socklen_t fromlen;
+@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+ /* To reduce event loop overhead, read and process as many
+ * packets as we can. */
+ do {
+- if (server->udp_socket == ARES_SOCKET_BAD)
+- count = 0;
+-
+- else {
+- if (server->addr.family == AF_INET)
++ if (server->udp_socket == ARES_SOCKET_BAD) {
++ read_len = -1;
++ } else {
++ if (server->addr.family == AF_INET) {
+ fromlen = sizeof(from.sa4);
+- else
++ } else {
+ fromlen = sizeof(from.sa6);
+- count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+- sizeof(buf), 0, &from.sa, &fromlen);
++ }
++ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
++ sizeof(buf), 0, &from.sa, &fromlen);
+ }
+
+- if (count == -1 && try_again(SOCKERRNO))
++ if (read_len == 0) {
++ /* UDP is connectionless, so result code of 0 is a 0-length UDP
++ * packet, and not an indication the connection is closed like on
++ * tcp */
+ continue;
+- else if (count <= 0)
++ } else if (read_len < 0) {
++ if (try_again(SOCKERRNO))
++ continue;
++
+ handle_error(channel, i, now);
++
+ #ifdef HAVE_RECVFROM
+- else if (!same_address(&from.sa, &server->addr))
++ } else if (!same_address(&from.sa, &server->addr)) {
+ /* The address the response comes from does not match the address we
+ * sent the request to. Someone may be attempting to perform a cache
+ * poisoning attack. */
+- break;
++ continue;
+ #endif
+- else
+- process_answer(channel, buf, (int)count, i, 0, now);
+- } while (count > 0);
++
++ } else {
++ process_answer(channel, buf, (int)read_len, i, 0, now);
++ }
++ } while (read_len >= 0);
+ }
+ }
+
+--
+2.40.0
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
file://CVE-2022-4904.patch \
+ file://CVE-2023-32067.patch \
"
SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. References: https://nvd.nist.gov/vuln/detail/CVE-2023-32067 https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc Signed-off-by: Yogita Urade <yogita.urade@windriver.com> --- .../c-ares/c-ares/CVE-2023-32067.patch | 87 +++++++++++++++++++ .../recipes-support/c-ares/c-ares_1.18.1.bb | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch