third_party_cares
/
backport-CVE-2023-31124.patch

From c4930223e51d0e3dbfd8b2a814f4be2e269e2a9d Mon Sep 17 00:00:00 2001
From: Brad House <brad@brad-house.com>
Date: Sun, 30 Apr 2023 14:53:34 -0400
Subject: [PATCH] Merge pull request from GHSA-54xr-f67r-4pc4

* CARES_RANDOM_FILE should always default to /dev/urandom

During cross-compilation, CARES_RANDOM_FILE may not be able to be appropriately
detected, therefore we should always set it to /dev/urandom and allow the
entity requesting compilation override the value.  The code does appropriately
fall back if CARES_RANDOM_FILE cannot be opened.

* use set not option

Conflict: NA
Reference: https://github.com/c-ares/c-ares/commit/c4930223e51d0e3dbfd8b2a814f4be2e269e2a9d
---
 CMakeLists.txt |  6 ++----
 configure.ac   | 12 +-----------
 2 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7a29fef..0ec8d41 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -36,6 +36,8 @@ OPTION (CARES_STATIC_PIC "Build the static library as PIC (position independent)
 OPTION (CARES_BUILD_TESTS "Build and run tests"                                                  OFF)
 OPTION (CARES_BUILD_CONTAINER_TESTS "Build and run container tests (implies CARES_BUILD_TESTS, Linux only)" OFF)
 OPTION (CARES_BUILD_TOOLS "Build tools"                                                          ON)
+SET    (CARES_RANDOM_FILE "/dev/urandom" CACHE STRING "Suitable File / Device Path for entropy, such as /dev/urandom")
+

 # Tests require static to be enabled on Windows to be able to access otherwise hidden symbols
 IF (CARES_BUILD_TESTS AND (NOT CARES_STATIC) AND WIN32)
@@ -402,10 +404,6 @@ SET (CMAKE_REQUIRED_DEFINITIONS)
 SET (CMAKE_REQUIRED_LIBRARIES)


-find_file(CARES_RANDOM_FILE urandom /dev)
-mark_as_advanced(CARES_RANDOM_FILE)
-
-
 ################################################################################
 # recv, recvfrom, send, getnameinfo, gethostname
 # ARGUMENTS AND RETURN VALUES
diff --git a/configure.ac b/configure.ac
index 56a570b..f8ebd07 100644
--- a/configure.ac
+++ b/configure.ac
@@ -896,17 +896,7 @@ AC_ARG_WITH(random,
 AS_HELP_STRING([--with-random=FILE],
                [read randomness from FILE (default=/dev/urandom)]),
     [ CARES_RANDOM_FILE="$withval" ],
-    [
-        dnl Check for random device.  If we're cross compiling, we can't
-        dnl check, and it's better to assume it doesn't exist than it is
-        dnl to fail on AC_CHECK_FILE or later.
-        if test "$cross_compiling" = "no"; then
-          AC_CHECK_FILE("/dev/urandom", [ CARES_RANDOM_FILE="/dev/urandom"] )
-        else
-          AC_MSG_WARN([cannot check for /dev/urandom while cross compiling; assuming none])
-        fi
-
-    ]
+    [ CARES_RANDOM_FILE="/dev/urandom" ]
 )
 if test -n "$CARES_RANDOM_FILE" && test X"$CARES_RANDOM_FILE" != Xno ; then
         AC_SUBST(CARES_RANDOM_FILE)
--
2.33.0