
Bug#993796: marked as done (bullseye-pu: package knot-resolver/5.3.1-1)



Your message dated Sat, 09 Jul 2022 11:42:13 +0100
with message-id <9234fbc42ce26a15590efa86149b0e79df7718e3.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #993796,
regarding bullseye-pu: package knot-resolver/5.3.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993796
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jakub.ruzicka@nic.cz

[ Reason ]
Fixing bug #991463 (CVE-2021-40083) - potential DoS.

[ Impact ]
Vulnerability to DoS attack.

[ Tests ]
I've tested the fix manually by running the deckard (DNS test harness)
test sets/resolver/val_iter_high.rpl supplied with the upstream fix.

It's not trivial to set up a system for deckard so I've used upstream
Debian bullseye docker image from Knot CI:

docker run -it --privileged registry.nic.cz/knot/knot-resolver/ci/debian-11:knot-3.0

With current knot-resolver-5.3.1-1 the test failed.
With suggested knot-resolver-5.3.1-1+deb11u1 the test passed.

[ Risks ]
This is a simple backport of upstream fix.

Upstream tests run during package build so chances of something
breaking are small.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport of upstream fix for #991463:

https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1169/diffs#c22c39e3a02cdfb0d3d47b16ff46e65d196df19d
diff -Nru knot-resolver-5.3.1/debian/changelog knot-resolver-5.3.1/debian/changelog
--- knot-resolver-5.3.1/debian/changelog	2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/changelog	2021-08-31 16:20:00.000000000 +0000
@@ -1,3 +1,10 @@
+knot-resolver (5.3.1-1+deb11u1) bullseye; urgency=medium
+
+  * Fix possible assertion failure in NSEC3 edge-case (CVE-2021-40083)
+    (Closes: #991463)
+
+ -- Jakub Ružička <jakub.ruzicka@nic.cz>  Tue, 31 Aug 2021 16:20:00 +0000
+
 knot-resolver (5.3.1-1) unstable; urgency=medium
 
   [ Jakub Ružička ]
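
Review bot: The new changelog entry lists only the CVE-2021-40083 fix, but this debdiff also changes debian/gbp.conf (debian-branch = debian/bullseye) and debian/salsa-ci.yml (RELEASE: 'bullseye'), while the checklist states that all changes are documented in d/changelog. Add a bullet for the packaging changes, for example one line covering the branch and CI switch to bullseye, so the entry matches the diff.
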
diff -Nru knot-resolver-5.3.1/debian/gbp.conf knot-resolver-5.3.1/debian/gbp.conf
--- knot-resolver-5.3.1/debian/gbp.conf	2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/gbp.conf	2021-08-31 16:20:00.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bullseye
 debian-tag = debian/%(version)s
 upstream-branch = upstream
 upstream-tag = upstream/%(version)s
diff -Nru knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
--- knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch	1970-01-01 00:00:00.000000000 +0000
+++ knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch	2021-08-31 16:20:00.000000000 +0000
@@ -0,0 +1,58 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz>
+Date: Mon, 12 Apr 2021 15:23:02 +0200
+Subject: [PATCH] validator: avoid assertion in an edge-case
+
+Case: NSEC3 with too many iterations used for a positive wildcard proof.
+
+To really fix the answers, this also needed fixing the `any_rank` part
+which I somehow forgot in commit 7107faebc :-(
+---
+ lib/dnssec/nsec3.c   | 7 +++++++
+ lib/dnssec/nsec3.h   | 1 +
+ lib/layer/validate.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
+index e9e536a..f3a48c0 100644
+--- a/lib/dnssec/nsec3.c
++++ b/lib/dnssec/nsec3.c
+@@ -596,6 +596,13 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
+ 		if (rrset->type != KNOT_RRTYPE_NSEC3) {
+ 			continue;
+ 		}
++		if (knot_nsec3_iters(rrset->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
++			/* Avoid hashing with too many iterations.
++			 * If we get here, the `sname` wildcard probably ends up bogus,
++			 * but it gets downgraded to KR_RANK_INSECURE when validator
++			 * gets to verifying one of these over-limit NSEC3 RRs. */
++			continue;
++		}
+ 		int ret = covers_name(&flags, rrset, sname);
+ 		if (ret != 0) {
+ 			return ret;
+diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
+index 1e316f5..0fdbfce 100644
+--- a/lib/dnssec/nsec3.h
++++ b/lib/dnssec/nsec3.h
+@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t sec
+  *                     KNOT_ERANGE - NSEC3 RR that covers a wildcard
+  *                     has been found, but has opt-out flag set;
+  *                     otherwise - error.
++ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
+  */
+ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
+                                             const knot_dname_t *sname, int trim_to_next);
+diff --git a/lib/layer/validate.c b/lib/layer/validate.c
+index cf5dda2..cf5c88a 100644
+--- a/lib/layer/validate.c
++++ b/lib/layer/validate.c
+@@ -894,7 +894,8 @@ static void rank_records(struct kr_query *qry, bool any_rank, enum kr_rank rank_
+ 								 bailiwick) < 0) {
+ 				continue;
+ 			}
+-			if (kr_rank_test(entry->rank, KR_RANK_INITIAL)
++			if (any_rank
++			    || kr_rank_test(entry->rank, KR_RANK_INITIAL)
+ 			    || kr_rank_test(entry->rank, KR_RANK_TRY)
+ 			    || kr_rank_test(entry->rank, KR_RANK_MISSING)) {
+ 				kr_rank_set(&entry->rank, rank_to_set);
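
Review bot: In the lib/dnssec/nsec3.h part, the added comment says that skipped over-limit records mean "you probably get kr_error(ENOENT)", which leaves the caller's contract undefined for exactly the case this patch handles. State the actual return value when every NSEC3 RR in the section is skipped by the new `continue` in kr_nsec3_wildcard_answer_response_check(), and add a short comment at the lib/layer/validate.c change explaining why `any_rank` may now overwrite ranks other than KR_RANK_INITIAL, KR_RANK_TRY and KR_RANK_MISSING. The patch header also carries only From, Date and Subject; an Origin line pointing at the upstream merge request linked under [ Changes ] would make the backport traceable.
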
diff -Nru knot-resolver-5.3.1/debian/patches/series knot-resolver-5.3.1/debian/patches/series
--- knot-resolver-5.3.1/debian/patches/series	2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/patches/series	2021-08-31 16:20:00.000000000 +0000
@@ -1 +1,2 @@
 0001-treewide-fix-unaligned-access.patch
+0002-validator-avoid-assertion-in-an-edge-case.patch
diff -Nru knot-resolver-5.3.1/debian/salsa-ci.yml knot-resolver-5.3.1/debian/salsa-ci.yml
--- knot-resolver-5.3.1/debian/salsa-ci.yml	2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/salsa-ci.yml	2021-08-31 16:20:00.000000000 +0000
@@ -2,3 +2,6 @@
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.4

Hi,

Each of the requests discussed in these bugs was included in today's
bullseye point release.

Regards,

Adam

--- End Message ---
