CVE-2023-31124

NameCVE-2023-31124
Descriptionc-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
c-ares (PTS)buster1.14.0-1+deb10u1vulnerable (unimportant)
buster (security)1.14.0-1+deb10u4vulnerable (unimportant)
bullseye (security), bullseye1.17.1-1+deb11u3vulnerable (unimportant)
bookworm1.18.1-3vulnerable (unimportant)
sid, trixie1.27.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
c-aressourceexperimental1.19.1-1
c-aressource(unstable)1.19.1-2unimportant

Notes

https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4
https://github.com/c-ares/c-ares/commit/c4930223e51d0e3dbfd8b2a814f4be2e269e2a9d (cares-1_19_1)
No impact on binaries shipped by Debian

Search for package or bug name: Reporting problems