[AUTO-CHERRYPICK] [Medium] patch c-ares to fix CVE-2024-25629 - branch main (#12529)

Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/c-ares/CVE-2024-25629.patch

@@ -0,0 +1,32 @@
+From a6c1bbf4c6f867072628e5435c337081d8907be7 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Mon, 10 Feb 2025 07:18:21 +0000
+Subject: [PATCH] CVE-2024-25629.patch
+
+Source Link: https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183
+---
+ src/lib/ares__read_line.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index c62ad2a..d6625a3 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+       if (!fgets(*buf + offset, bytestoread, fp))
+         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+       len = offset + strlen(*buf + offset);
++
++      /* Probably means there was an embedded NULL as the first character in
++       * the line, throw away line */
++      if (len == 0) {
++        offset = 0;
++        continue;
++      }
++
+       if ((*buf)[len - 1] == '\n')
+         {
+           (*buf)[len - 1] = 0;
+-- 
+2.45.2
+

SPECS/c-ares/c-ares.spec

@@ -1,17 +1,18 @@
 Summary:        A library that performs asynchronous DNS operations
 Name:           c-ares
 Version:        1.19.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Libraries
 URL:            https://c-ares.haxx.se/
-Source0:        https://c-ares.haxx.se/download/%{name}-%{version}.tar.gz
+Source0:        https://github.com/c-ares/c-ares/releases/download/cares-1_19_1/%{name}-%{version}.tar.gz
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
 
+Patch0:         CVE-2024-25629.patch
 %description
 c-ares is a C library that performs DNS requests and name resolves
 asynchronously. c-ares is a fork of the library named 'ares', written
@@ -28,7 +29,7 @@ This package contains the header files and libraries needed to
 compile applications or shared objects that use c-ares.
 
 %prep
-%autosetup
+%autosetup -p1
 f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f
 
 %build
@@ -113,6 +114,9 @@ fi
 %{_mandir}/man3/ares_*
 
 %changelog
+* Mon Feb 10 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 1.19.1-2
+- Patch to fix CVE-2024-25629.
+
 * Tue May 30 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.19.1-1
 - Auto-upgrade to 1.19.1 - CVE-2023-32067
 

cgmanifest.json

@@ -1408,7 +1408,7 @@
         "other": {
           "name": "c-ares",
           "version": "1.19.1",
-          "downloadUrl": "https://c-ares.haxx.se/download/c-ares-1.19.1.tar.gz"
+          "downloadUrl": "https://github.com/c-ares/c-ares/releases/download/cares-1_19_1/c-ares-1.19.1.tar.gz"
         }
       }
     },