Your message dated Sat, 09 Jul 2022 11:42:13 +0100
with message-id 
<9234fbc42ce26a15590efa86149b0e79df7718e3.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #993796,
regarding bullseye-pu: package knot-resolver/5.3.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
993796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993796
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]

[ Reason ]
Fixing bug #991463 (CVE-2021-40083) - potential DoS.

[ Impact ]
Vulnerability to DoS attack.

[ Tests ]
I've tested the fix manually by running the deckard (DNS test harness)
test sets/resolver/val_iter_high.rpl supplied with the upstream fix.

It's not trivial to set up a system for deckard, so I've used the upstream
Debian bullseye docker image from Knot CI:

docker run -it --privileged registry.nic.cz/knot/knot-resolver/ci/debian-11:knot-3.0

With current knot-resolver-5.3.1-1 the test failed.
With suggested knot-resolver-5.3.1-1+deb11u1 the test passed.

[ Risks ]
This is a simple backport of upstream fix.

Upstream tests run during package build so chances of something
breaking are small.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport of upstream fix for #991463:

https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1169/diffs#c22c39e3a02cdfb0d3d47b16ff46e65d196df19d
diff -Nru knot-resolver-5.3.1/debian/changelog 
knot-resolver-5.3.1/debian/changelog
--- knot-resolver-5.3.1/debian/changelog        2021-04-12 05:59:28.000000000 
+0000
+++ knot-resolver-5.3.1/debian/changelog        2021-08-31 16:20:00.000000000 
+0000
@@ -1,3 +1,10 @@
+knot-resolver (5.3.1-1+deb11u1) bullseye; urgency=medium
+
+  * Fix possible assertion failure in NSEC3 edge-case (CVE-2021-40083)
+    (Closes: #991463)
+
+ -- Jakub Ružička <[email protected]>  Tue, 31 Aug 2021 16:20:00 +0000
+
 knot-resolver (5.3.1-1) unstable; urgency=medium
 
   [ Jakub Ružička ]
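
Review bot: the new 5.3.1-1+deb11u1 entry documents only the CVE-2021-40083 fix, while this debdiff also switches debian-branch to debian/bullseye in debian/gbp.conf and adds RELEASE: 'bullseye' to debian/salsa-ci.yml. The checklist states that all changes are documented in d/changelog, so add a changelog line covering the packaging branch and CI changes.
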
diff -Nru knot-resolver-5.3.1/debian/gbp.conf 
knot-resolver-5.3.1/debian/gbp.conf
--- knot-resolver-5.3.1/debian/gbp.conf 2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/gbp.conf 2021-08-31 16:20:00.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bullseye
 debian-tag = debian/%(version)s
 upstream-branch = upstream
 upstream-tag = upstream/%(version)s
diff -Nru 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
--- 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
     1970-01-01 00:00:00.000000000 +0000
+++ 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
     2021-08-31 16:20:00.000000000 +0000
@@ -0,0 +1,58 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <[email protected]>
+Date: Mon, 12 Apr 2021 15:23:02 +0200
+Subject: [PATCH] validator: avoid assertion in an edge-case
+
+Case: NSEC3 with too many iterations used for a positive wildcard proof.
+
+To really fix the answers, this also needed fixing the `any_rank` part
+which I somehow forgot in commit 7107faebc :-(
+---
+ lib/dnssec/nsec3.c   | 7 +++++++
+ lib/dnssec/nsec3.h   | 1 +
+ lib/layer/validate.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
+index e9e536a..f3a48c0 100644
+--- a/lib/dnssec/nsec3.c
++++ b/lib/dnssec/nsec3.c
+@@ -596,6 +596,13 @@ int kr_nsec3_wildcard_answer_response_check(const 
knot_pkt_t *pkt, knot_section_
+               if (rrset->type != KNOT_RRTYPE_NSEC3) {
+                       continue;
+               }
++              if (knot_nsec3_iters(rrset->rrs.rdata) > 
KR_NSEC3_MAX_ITERATIONS) {
++                      /* Avoid hashing with too many iterations.
++                       * If we get here, the `sname` wildcard probably ends 
up bogus,
++                       * but it gets downgraded to KR_RANK_INSECURE when 
validator
++                       * gets to verifying one of these over-limit NSEC3 RRs. 
*/
++                      continue;
++              }
+               int ret = covers_name(&flags, rrset, sname);
+               if (ret != 0) {
+                       return ret;
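
Review bot: the new guard in kr_nsec3_wildcard_answer_response_check() passes only rrset->rrs.rdata to knot_nsec3_iters(), so as written it inspects a single rdata of the set before deciding to skip it. If an NSEC3 rrset here can hold more than one record, the iteration count of the others is never compared against KR_NSEC3_MAX_ITERATIONS before covers_name() runs; either state in the comment why one rdata is sufficient, or move the limit check to where each record is hashed. The comment also relies on the validator later downgrading the answer to KR_RANK_INSECURE, which is not visible in this function, so a pointer to where that happens would help the next reader.
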
+diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
+index 1e316f5..0fdbfce 100644
+--- a/lib/dnssec/nsec3.h
++++ b/lib/dnssec/nsec3.h
+@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t 
*pkt, knot_section_t sec
+  *                     KNOT_ERANGE - NSEC3 RR that covers a wildcard
+  *                     has been found, but has opt-out flag set;
+  *                     otherwise - error.
++ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get 
kr_error(ENOENT).
+  */
+ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, 
knot_section_t section_id,
+                                             const knot_dname_t *sname, int 
trim_to_next);
+diff --git a/lib/layer/validate.c b/lib/layer/validate.c
+index cf5dda2..cf5c88a 100644
+--- a/lib/layer/validate.c
++++ b/lib/layer/validate.c
+@@ -894,7 +894,8 @@ static void rank_records(struct kr_query *qry, bool 
any_rank, enum kr_rank rank_
+                                                                bailiwick) < 
0) {
+                               continue;
+                       }
+-                      if (kr_rank_test(entry->rank, KR_RANK_INITIAL)
++                      if (any_rank
++                          || kr_rank_test(entry->rank, KR_RANK_INITIAL)
+                           || kr_rank_test(entry->rank, KR_RANK_TRY)
+                           || kr_rank_test(entry->rank, KR_RANK_MISSING)) {
+                               kr_rank_set(&entry->rank, rank_to_set);
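
Review bot: with "if (any_rank" placed first in the condition in rank_records(), the three kr_rank_test() checks are short-circuited whenever any_rank is true, so every entry that survives the earlier filters gets rank_to_set regardless of the rank it already holds. The commit message says this part was forgotten in commit 7107faebc, so the behaviour is intended, but nothing at the condition says so; add a short comment explaining that any_rank deliberately overrides existing ranks, and confirm that callers passing any_rank cannot use it to replace a rank that should be preserved.
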
diff -Nru knot-resolver-5.3.1/debian/patches/series 
knot-resolver-5.3.1/debian/patches/series
--- knot-resolver-5.3.1/debian/patches/series   2021-04-12 05:59:28.000000000 
+0000
+++ knot-resolver-5.3.1/debian/patches/series   2021-08-31 16:20:00.000000000 
+0000
@@ -1 +1,2 @@
 0001-treewide-fix-unaligned-access.patch
+0002-validator-avoid-assertion-in-an-edge-case.patch
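
Review bot: the patch added to the series touches only lib/dnssec/nsec3.c, lib/dnssec/nsec3.h and lib/layer/validate.c according to its diffstat, so the sets/resolver/val_iter_high.rpl test mentioned under [ Tests ] is not part of the package. The [ Risks ] section relies on upstream tests running during the build; without that test the build does not exercise the over-limit NSEC3 case, so consider including it in the backport or noting that it was verified manually only.
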
diff -Nru knot-resolver-5.3.1/debian/salsa-ci.yml 
knot-resolver-5.3.1/debian/salsa-ci.yml
--- knot-resolver-5.3.1/debian/salsa-ci.yml     2021-04-12 05:59:28.000000000 
+0000
+++ knot-resolver-5.3.1/debian/salsa-ci.yml     2021-08-31 16:20:00.000000000 
+0000
@@ -2,3 +2,6 @@
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.4

Hi,

Each of the requests discussed in these bugs was included in today's
bullseye point release.

Regards,

Adam

--- End Message ---
