Skip to content

Update dependency pycares to v4.9.0 [SECURITY] #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency pycares to v4.9.0 [SECURITY] #62

wants to merge 1 commit into from
+1 −1

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 16, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
pycares ==4.4.0 -> ==4.9.0 age confidence

GitHub Vulnerability Alerts

GHSA-5qpg-rh4j-qp35

Summary

pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.

Details

Root Cause

The vulnerability stems from improper handling of callback references when the Channel object is destroyed:

  1. When a DNS query is initiated, pycares stores a callback reference using ffi.new_handle()
  2. If the Channel object is garbage collected while queries are pending, the callback references become invalid
  3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error

This issue was much more likely to occur when using event_thread=True but could happen without it under the right circumstances.

Technical Details

The core issue is a race condition between Python's garbage collector and c-ares's callback execution:

  1. When __del__ is called from within a c-ares callback context, we cannot immediately call ares_destroy() because c-ares is still executing code after the callback returns
  2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)
  3. If we destroy the channel too quickly, c-ares accesses freed memory

Impact

Applications using pycares can be crashed remotely by triggering DNS queries that result in Channel objects being garbage collected before query completion. This is particularly problematic in scenarios where:

  • Channel objects are created per-request
  • Multiple failed DNS queries are processed rapidly
  • The application doesn't properly manage Channel lifecycle

The error manifests as:

Fatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage

Fix

The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism

Mitigation

For Application Developers

  1. Upgrade to pycares >= 4.9.0 - This version includes the fix and requires no code changes
  2. Best practices (optional but recommended): 
    # Explicit cleanup
channel.close()

# Or use context manager
with pycares.Channel() as channel:
    # ... use channel ...
# Automatically closed
  3. Avoid creating Channel objects per-request - Prefer long-lived instances for better performance and safety

The fix is completely transparent - no API changes or code modifications are required.

Credit

This vulnerability was reported by @​vEpiphyte through the aio-libs security program.

Release Notes

saghul/pycares (pycares)

v4.9.0

Compare Source

What's Changed
New Contributors

Full Changelog: saghul/pycares@v4.8.0...v4.9.0

v4.8.0

Compare Source

What's Changed

Full Changelog: saghul/pycares@v4.7.0...v4.8.0

v4.7.0: 4.7.0

What's Changed

Full Changelog: saghul/pycares@v4.6.1...v4.7.0

v4.6.1: 4.6.1

What's Changed

Full Changelog: saghul/pycares@v4.6.0...v4.6.1

v4.6.0: 4.6.0

Compare Source

What's Changed

New Contributors

Full Changelog: saghul/pycares@v4.5.0...v4.6.0

v4.5.0: 4.5.0

Compare Source

What's Changed

New Contributors

Full Changelog: saghul/pycares@v4.4.0...v4.5.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants