Update dependency pycares to v4.9.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pycares	==4.4.0 → ==4.9.0

---

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pycares

GHSA-c58j-88f5-h53f

More information

Details

Impact

pycares versions < 4.2.0 are affected by CVE-2021-3672.

Patches

Update to version 4.2.0.

Severity

• CVSS Score: 5.6 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

• https://github.com/saghul/pycares/security/advisories/GHSA-c58j-88f5-h53f
• https://github.com/advisories/GHSA-c58j-88f5-h53f

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

pycares has a Use-After-Free Vulnerability

GHSA-5qpg-rh4j-qp35

More information

Details

Summary

pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.

Details

Root Cause

The vulnerability stems from improper handling of callback references when the Channel object is destroyed:

1. When a DNS query is initiated, pycares stores a callback reference using ffi.new_handle()
2. If the Channel object is garbage collected while queries are pending, the callback references become invalid
3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error

This issue was much more likely to occur when using event_thread=True but could happen without it under the right circumstances.

Technical Details

The core issue is a race condition between Python's garbage collector and c-ares's callback execution:

1. When __del__ is called from within a c-ares callback context, we cannot immediately call ares_destroy() because c-ares is still executing code after the callback returns
2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)
3. If we destroy the channel too quickly, c-ares accesses freed memory

Impact

Applications using pycares can be crashed remotely by triggering DNS queries that result in Channel objects being garbage collected before query completion. This is particularly problematic in scenarios where:

• Channel objects are created per-request
• Multiple failed DNS queries are processed rapidly
• The application doesn't properly manage Channel lifecycle

The error manifests as:

Fatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage

Fix

The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism

Mitigation

For Application Developers

1. Upgrade to pycares >= 4.9.0 - This version includes the fix and requires no code changes
2. Best practices (optional but recommended):

   # Explicit cleanup
   channel.close()
   
   # Or use context manager
   with pycares.Channel() as channel:
       # ... use channel ...
   # Automatically closed

3. Avoid creating Channel objects per-request - Prefer long-lived instances for better performance and safety

The fix is completely transparent - no API changes or code modifications are required.

Credit

This vulnerability was reported by @​vEpiphyte through the aio-libs security program.

Severity

Medium

References

• https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35
• https://github.com/saghul/pycares/commit/ebfd7d71eb8e74bc1057a361ea79a5906db510d4
• https://github.com/advisories/GHSA-5qpg-rh4j-qp35

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

saghul/pycares (pycares)

v4.9.0

Compare Source

What's Changed

• Create dependabot configuration by @​bdraco in #​226
• build(deps): bump pypa/cibuildwheel from 2.22.0 to 2.23.3 by @​dependabot in #​227
• Pin Python version to 3.13.3 to avoid Windows build error by @​saghul in #​235
• Fix shutdown race by @​bdraco in #​236
• Add support for windows arm64 by @​finnagin in #​233

New Contributors

• @​finnagin made their first contribution in #​233

Full Changelog: saghul/pycares@v4.8.0...v4.9.0

v4.8.0

Compare Source

What's Changed

• Cancel previous CI jobs on pull request update by @​bdraco in #​222
• Update bundled c-ares to v1.34.5 by @​bdraco in #​221
• Add ARES_FLAG_NO_DFLT_SVR and ARES_FLAG_EDNS to API by @​bdraco in #​224

Full Changelog: saghul/pycares@v4.7.0...v4.8.0

v4.7.0: 4.7.0

Compare Source

What's Changed

• Update c-ares to 1.29.0 to add reinit support to Channel by @​bdraco in #​219
• Add event thread support by @​bdraco in #​220

Full Changelog: saghul/pycares@v4.6.1...v4.7.0

v4.6.1: 4.6.1

Compare Source

What's Changed

• Fix missing attribute type information for errno by @​Dreamsorcerer in #​215

Full Changelog: saghul/pycares@v4.6.0...v4.6.1

v4.6.0: 4.6.0

Compare Source

What's Changed

• Swap out is_all_ascii for built-in str.isascii by @​bdraco in #​209
• Fixup tests by @​saghul in #​214
• Add initial type annotations by @​Dreamsorcerer in #​212
• Fix module has no attribute type errors by @​Dreamsorcerer in #​211

New Contributors

• @​bdraco made their first contribution in #​209
• @​Dreamsorcerer made their first contribution in #​212

Full Changelog: saghul/pycares@v4.5.0...v4.6.0

v4.5.0: 4.5.0

Compare Source

What's Changed

• Test data updates to fix test failures by @​kitterma in #​192
• Update test_idna_encoding_query_a with new errno to align to new c-ares version by @​kitterma in #​194
• Do not define HAVE_GETSERVBYPORT_R for platforms Android, Cygwin, Darwin by @​truboxl in #​195
• Drop distutils by @​saghul in #​198
• build(deps): bump actions/download-artifact from 3 to 4.1.7 in /.github/workflows by @​dependabot in #​201
• Add 3.13 support, remove 3.8 by @​ChrisLovering in #​202
• chore(ci): fix upload & add more platforms to cibuildwheel by @​monosans in #​204
• Test building release wheels on PRs by @​saghul in #​206
• Fix building sdist by @​saghul in #​207
• Fixup CI by @​saghul in #​208

New Contributors

• @​kitterma made their first contribution in #​192
• @​truboxl made their first contribution in #​195
• @​dependabot made their first contribution in #​201
• @​monosans made their first contribution in #​204

Full Changelog: saghul/pycares@v4.4.0...v4.5.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.