pycares Use-After-Free Vulnerability in Channel Object Prior to 4.9.0
Vulnerability
A use-after-free vulnerability has been identified in the pycares Python module, which interfaces with the c-ares library for asynchronous DNS requests. This vulnerability exists in pycares versions prior to 4.9.0 and arises when a Channel object is garbage collected while DNS queries are still pending. The issue leads to a fatal error in Python and crashes the interpreter. The vulnerability is more likely to occur when 'event_thread' is enabled, but can also happen under certain conditions without it.
Impact
Exploiting this vulnerability can cause applications using pycares to crash. A remote party can trigger it by prompting DNS queries whose Channel objects are garbage collected before the queries complete, especially where the application does not manage the Channel lifecycle properly.
Reproduction
To reproduce this vulnerability, create a Channel object with 'event_thread=True' and initiate multiple DNS queries. While these queries are still pending, delete the Channel object or allow it to go out of scope, triggering garbage collection. This will cause the callbacks for the DNS queries to access freed memory, leading to a crash. The error message will indicate a fatal Python error related to accessing garbage memory.
Remediation
Upgrade to pycares version 4.9.0 or later, which includes a fix for this vulnerability. After upgrading, it is recommended to explicitly close Channel objects when they are no longer needed, or to use them as context managers, which automatically handle closure.
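As an added example (not code from this advisory or from the pycares project), the following wrapper implements the lifecycle discipline the remediation calls for: it pins a channel in a root-held set while queries are in flight, so that dropping every application reference cannot free it mid-query, and it defers close() until the last callback has run. It assumes the pycares 4.9.0+ interface described above (Channel(event_thread=True), query(name, qtype, callback) with a callback(result, error) signature, and close()); FakeChannel is a constructed stand-in so the example runs offline.

```python
import threading

class ManagedResolver:
    """Keeps a DNS channel alive, and unclosed, until every query it issued has completed.
    Assumes the pycares 4.9.0+ interface this advisory describes (query(name, qtype, cb),
    close()); real use: ManagedResolver(lambda: pycares.Channel(event_thread=True))."""
    _in_flight = set()  # root-held strong refs: a dropped resolver survives even cyclic GC
    def __init__(self, channel_factory):
        self._channel = channel_factory()
        self._lock = threading.Lock()  # callbacks may arrive on the c-ares event thread
        self._drained = threading.Event()
        self._drained.set()  # no queries pending yet
        self._pending, self._closing = 0, False
    def query(self, name, qtype, callback):
        with self._lock:
            if self._closing:
                raise RuntimeError("resolver closing; refusing new query")
            self._pending += 1
            self._drained.clear()
            ManagedResolver._in_flight.add(self)
        def done(result, error):  # pycares callback signature: (result, error)
            try:
                callback(result, error)
            finally:
                self._finish()
        self._channel.query(name, qtype, done)
    def _finish(self):
        with self._lock:
            self._pending -= 1
            if self._pending == 0:
                ManagedResolver._in_flight.discard(self)
                self._drained.set()
    def close(self, timeout=None):
        with self._lock:
            self._closing = True
        if not self._drained.wait(timeout):  # wait on the caller's thread, never inside a callback
            raise TimeoutError("queries still pending; channel left open")
        self._channel.close()

class FakeChannel:  # constructed offline stand-in for pycares.Channel
    def __init__(self):
        self.queued, self.closed = [], False
    def query(self, name, qtype, cb):
        self.queued.append(cb)
    def close(self):
        self.closed = True
    def fire_all(self):  # deliver a constructed answer to every pending callback
        for cb in self.queued:
            cb(["203.0.113.1"], None)
        self.queued.clear()
```

With a real channel, close(timeout=...) on shutdown turns a would-be use-after-free into an explicit TimeoutError that leaves the channel open for the still-pending callbacks.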
