Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-31130

Published: 25 May 2023

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

Priority

Medium

Cvss 3 Severity Score

6.4

Score breakdown

Status

Package Release Status
c-ares
Launchpad, Ubuntu, Debian
bionic
Released (1.14.0-1ubuntu0.2+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
xenial
Released (1.10.0-3ubuntu0.2+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
trusty Ignored
(end of standard support)
upstream
Released (1.19.1,1.18.1-3)
focal
Released (1.15.0-1ubuntu0.3)
jammy
Released (1.18.1-1ubuntu0.22.04.2)
kinetic
Released (1.18.1-1ubuntu0.22.10.2)
lunar
Released (1.18.1-2ubuntu0.1)
mantic Not vulnerable
(1.18.1-3)
Patches:
upstream: https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2

Severity score breakdown

Parameter Value
Base score 6.4
Attack vector Local
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H