QID 355414

Date Published: 2023-06-14

QID 355414: Amazon Linux Security Advisory for c-ares : ALAS2023-2023-198

A flaw was found in the c-ares package.

  • ares_set_sortlist() is missing checks on the validity of its input string, which allows a possible arbitrary-length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. (CVE-2022-4904)
  • When cross-compiling c-ares with the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling for aarch64 Android. The build then downgrades to rand() as a fallback, which could allow an attacker to take advantage of the lack of entropy, since no CSPRNG is used. (CVE-2023-31124)
  • ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may call ares_inet_net_pton() directly for other purposes and thus be vulnerable to more severe issues. (CVE-2023-31130)
  • Insufficient randomness in the generation of DNS query IDs: when /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate the random numbers used for DNS query IDs. This is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs such as arc4random(), which is widely available.
  • This is only valid for TCP connections; UDP is connectionless. The current resolution fails, and a DoS attack is achieved.
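The query-ID weakness above comes from falling back to rand() when the preferred entropy sources are missing. The defensive pattern is to take transaction IDs from the operating system's CSPRNG and to fail closed (refuse to send the query) rather than degrade to a predictable generator. The following is an added example written for this page, not c-ares code; it assumes a Linux host where getrandom(2) is available (glibc 2.25 or newer), and the function names dns_query_id, dns_query_id_ok and dns_query_id_distinct are invented for the illustration.

```c
/* Added example (not c-ares code): draw 16-bit DNS transaction IDs from the
 * kernel CSPRNG via getrandom(2) and report failure instead of falling back
 * to rand(). Assumes Linux with glibc >= 2.25. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/random.h>

/* Fill buf with n bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 on failure. A failure is surfaced to the caller,
 * never papered over with a weaker generator. */
static int csprng_bytes(void *buf, size_t n) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = getrandom(p, n, 0);
        if (r < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            return -1;                      /* no CSPRNG available */
        }
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Produce one DNS query ID. Returns 0 and stores the ID in *id on success;
 * returns -1 if the CSPRNG is unavailable, in which case the caller must not
 * send the query (fail closed). */
int dns_query_id(uint16_t *id) {
    uint16_t v;
    if (csprng_bytes(&v, sizeof v) != 0) return -1;
    *id = v;
    return 0;
}

/* Convenience wrapper for checks: 1 if an ID could be generated, else 0. */
int dns_query_id_ok(void) {
    uint16_t id;
    return dns_query_id(&id) == 0 ? 1 : 0;
}

/* Diagnostic: count distinct IDs among `count` draws using a 65536-bit set.
 * For 1000 draws from a uniform 16-bit source roughly 8 collisions are
 * expected, so well over 900 distinct values; an unseeded rand() restarted
 * on every process start would instead repeat the same sequence each run.
 * Returns -1 if the CSPRNG fails. */
int dns_query_id_distinct(int count) {
    unsigned char seen[65536 / 8] = {0};
    int distinct = 0;
    for (int i = 0; i < count; i++) {
        uint16_t id;
        if (dns_query_id(&id) != 0) return -1;
        unsigned bit = 1u << (id & 7);
        if (!(seen[id >> 3] & bit)) {
            seen[id >> 3] |= (unsigned char)bit;
            distinct++;
        }
    }
    return distinct;
}

int main(void) {
    uint16_t id;
    if (dns_query_id(&id) != 0) {
        fputs("no CSPRNG available; refusing to build a query\n", stderr);
        return 1;
    }
    printf("query id: 0x%04x\n", id);
    printf("distinct among 1000 draws: %d\n", dns_query_id_distinct(1000));
    return 0;
}
```

The design choice worth noting is the return code on dns_query_id: a resolver that cannot obtain CSPRNG output should surface that as an error to its caller, because a predictable transaction ID removes most of the protection against off-path response spoofing.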

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as Critical - 8.6 severity.
  • CVSS V2 rated as Medium - 5.4 severity.

Solution
    Please refer to Amazon advisory ALAS2023-2023-198 for affected packages and patching details, or update with your package manager.

Vendor References
    Software Advisories
    Advisory ID         Software Component   Link
    ALAS2023-2023-198   Amazon Linux 2023    alas.aws.amazon.com/AL2023/ALAS-2023-198.html