The c-ares project may not be very fancy or make a lot of noise, but it steadily moves forward and boasts an amazing 95% code coverage in the automated tests.
Today we release c-ares 1.13.0.
This time there’s basically three notable things to take home from this, apart from the 20-something bug-fixes.
Due to an oversight there was an API function that we didn’t fuzz and yes, it was found out to have a security flaw. If you ask a server for a NAPTR DNS field and that response comes back crafted carefully, it could cause c-ares to access memory out of bounds.
All details for CVE-2017-1000381 on the c-ares site.
(Side-note: this is the first CVE I’ve received with a 7(!)-digit number to the right of the year.)
Now c-ares can optionally be built using cmake, in addition to the existing autotools setup.
Virtual socket IO
If you have a special setup or custom needs, c-ares now allows you to fully replace all the socket IO functions with your own custom set with ares_set_socket_functions.