fix CVE-2024-25629

Signed-off-by: lwg <liweiganga@uniontech.com>

backport-CVE-2024-25629.patch

@@ -0,0 +1,30 @@
+From a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001
+From: Brad House <brad@brad-house.com>
+Date: Thu, 22 Feb 2024 16:23:33 -0500
+Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q
+
+---
+ src/lib/ares__read_line.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index d65ac1fcf..018f55e8b 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+       if (!fgets(*buf + offset, bytestoread, fp))
+         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+       len = offset + strlen(*buf + offset);
++
++      /* Probably means there was an embedded NULL as the first character in
++       * the line, throw away line */
++      if (len == 0) {
++        offset = 0;
++        continue;
++      }
++
+       if ((*buf)[len - 1] == '\n')
+         {
+           (*buf)[len - 1] = 0;
+-- 
+2.20.1

c-ares.spec

@@ -1,6 +1,6 @@
 Name:           c-ares
 Version:        1.18.1
-Release:        7
+Release:        8
 Summary:        A C library for asynchronous DNS requests
 
 License:        MIT
@@ -22,6 +22,7 @@ Patch9:         backport-003-CVE-2023-31147.patch
 Patch10:        backport-004-CVE-2023-31147.patch
 Patch11:        backport-005-CVE-2023-31147.patch
 Patch12:        backport-CVE-2023-31124.patch
+Patch13:        backport-CVE-2024-25629.patch
 
 %description
 This is c-ares, an asynchronous resolver library. It is intended for applications
@@ -68,6 +69,12 @@ make %{?_smp_mflags}
 %{_mandir}/man3/*
 
 %changelog
+* Tue Feb 27 2024 liweigang <izmirvii@gmail.com> - 1.18.1-8
+- Type: CVE
+- CVE: CVE-2024-25629
+- SUG: NA
+- DESC: fix CVE-2024-25629
+
 * Mon May 29 2023 xinghe <xinghe2@h-partners.com> - 1.18.1-7
 - Type:CVE
 - CVE:CVE-2023-31124 CVE-2023-31147