Your message dated Sun, 15 Oct 2023 15:34:31 +0000
with message-id <e1qs38r-001daa...@fasolo.debian.org>
and subject line Bug#1053483: fixed in hash-slinger 3.1-1.2
has caused the Debian Bug report #1053483,
regarding tlsa can produce invalid records
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053483
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hash-slinger
X-Debbugs-Cc: lavam...@torproject.org
Version: 3.1-1.1~bpo11+1
Severity: grave

On Debian bullseye, running the following command here generates an
invalid DNS record:

pauli# ./tlsa --create --usage=3 --selector=1 --mtype=1 --certificate /srv/puppet.torproject.org/from-letsencrypt/cdn-fastly-backend.torproject.org.crt --port 443 cdn-fastly-backend.torproject.org --output=generic
Got a certificate for cdn-fastly-backend.torproject.org. with Subject: /CN=cdn-fastly-backend.torproject.org
_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c

Notice the float (35.0) there? That, of course, crashes bind with:

Notice: /Stage[main]/Dnsextras::Entries/Exec[rebuild torproject.org zone]/returns: dns_rdata_fromtext: /srv/dns.torproject.org/puppet-extra/include-torproject.org:945: near '35.0': not a valid number

I suspect this wasn't caught by other users because it happens when the
len() of the cert string is an odd number, which, oddly, I guess it is
here.

I believe this is a release critical bug that should be fixed in
bookworm because it keeps the server from functioning at all. 

For a little background, we used hash-slinger as a replacement for
"swede" here (not packaged) that wasn't ported to Python 3. It *almost*
worked but crashed on some records with the above error, taking down our
main DNS server...

This was also reported in:

https://github.com/letoams/hash-slinger/issues/45

And is being tracked on our side at:

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41350

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-25-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages hash-slinger depends on:
ii  ca-certificates    20210119
ii  dns-root-data      2021011101
ii  openssh-client     1:8.4p1-5+deb11u1
ii  python3            3.9.2-3
ii  python3-dnspython  2.0.0-1
ii  python3-gnupg      0.4.6-1
ii  python3-m2crypto   0.37.1-2
ii  python3-unbound    1.13.1-1+deb11u1

hash-slinger recommends no packages.

hash-slinger suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/bin/tlsa (from hash-slinger package)

-- 
Antoine Beaupré
torproject.org system administration

--- End Message ---
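
A pre-load check for the generic (RFC 3597) TLSA output discussed in the report above, added here as an example; it is not code from hash-slinger or from anyone in this thread. The function names are hypothetical, and the only sample input is the record quoted in the report.

```python
import re

# RFC 3597 generic form: <owner> IN TYPE52 \# <decimal length> <hex rdata>
GENERIC_RE = re.compile(r"^(\S+)\s+IN\s+TYPE52\s+\\#\s+(\S+)\s+([0-9A-Fa-f ]+)$")
DIGEST_LEN = {1: 32, 2: 64}  # TLSA matching type -> digest bytes (RFC 6698)

# The record quoted in the bug report (length field is "35.0").
REPORTED = (r"_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 "
            "030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c")


def generic_tlsa(owner, usage, selector, mtype, assoc_hex):
    """Build a generic record; // keeps the length an int under Python 3."""
    rdata = "%02x%02x%02x%s" % (usage, selector, mtype, assoc_hex.lower())
    return "%s IN TYPE52 \\# %d %s" % (owner, len(rdata) // 2, rdata)


def check_generic_tlsa(line):
    """Return a list of problems; an empty list means none were found."""
    m = GENERIC_RE.match(line.strip())
    if not m:
        return ["not a TYPE52 generic record"]
    length, hexdata = m.group(2), m.group(3).replace(" ", "")
    problems = []
    length_ok = re.fullmatch(r"[0-9]+", length) is not None
    if not length_ok:
        problems.append("length %r is not a decimal integer" % length)
    if len(hexdata) % 2:
        return problems + ["odd number of hex digits in rdata"]
    rdata = bytes.fromhex(hexdata)
    if length_ok and int(length) != len(rdata):
        problems.append("length %s != %d rdata bytes" % (length, len(rdata)))
    if len(rdata) < 4:
        return problems + ["rdata too short for a TLSA record"]
    usage, selector, mtype = rdata[0], rdata[1], rdata[2]
    if usage > 3 or selector > 1 or mtype > 2:
        problems.append("usage/selector/mtype outside RFC 6698 assigned values")
    want = DIGEST_LEN.get(mtype)
    if want is not None and len(rdata) - 3 != want:
        problems.append("mtype %d expects a %d-byte digest" % (mtype, want))
    return problems


if __name__ == "__main__":
    for problem in check_generic_tlsa(REPORTED):
        print("REJECT:", problem)
```

Running a check like this over generated records before they are included in a zone file lets the zone rebuild fail closed on the generator's output instead of on the name server's parser.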
--- Begin Message ---
Source: hash-slinger
Source-Version: 3.1-1.2
Done: Antoine Beaupré <anar...@debian.org>

We believe that the bug you reported is fixed in the latest version of
hash-slinger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anar...@debian.org> (supplier of updated hash-slinger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 05 Oct 2023 10:37:58 -0400
Source: hash-slinger
Architecture: source
Version: 3.1-1.2
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <team+...@tracker.debian.org>
Changed-By: Antoine Beaupré <anar...@debian.org>
Closes: 1053483
Changes:
 hash-slinger (3.1-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Bug fix: "tlsa can produce invalid records" (Closes: #1053483)

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQS7ts1MmNdOE1inUqYCKTpvpOU0cwUCZR7KwwAKCRACKTpvpOU0
c/gIAP4+riHAzMdodoeff66v5aGYZr+oSmFzv0dvvCsS+71JFgEAw0c3CS2A4C2/
qMekirx0U8meAq7o0OlhhSLsECh23wU=
=c1ue
-----END PGP SIGNATURE-----

--- End Message ---
