CVE-2023-31147

NameCVE-2023-31147
Descriptionc-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
c-ares (PTS)jessie, jessie (lts)1.10.0-2+deb8u7vulnerable
stretch (security)1.12.0-1+deb9u2vulnerable
stretch (lts), stretch1.12.0-1+deb9u6vulnerable
buster (security), buster, buster (lts)1.14.0-1+deb10u4vulnerable
bullseye (security), bullseye1.17.1-1+deb11u3vulnerable
bookworm1.18.1-3vulnerable
sid, trixie1.34.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
c-aressourceexperimental1.19.1-1
c-aressource(unstable)1.19.1-2unimportant

Notes

https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2
https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5 (cares-1_19_1)
Any Debian system/port provides /dev/urandom
Search for package or bug name: Reporting problems