Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-modules-t...@lists.alioth.debian.org
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.)

[ Reason ]
Backport of upstream fix for CVE-2022-22846 (no changes needed).

[ Impact ]
User impact is potential vulnerability to DNS cache poisoning.

[ Tests ]
Package runs the upstream test suite both during build and in an autopkgtest.

[ Risks ]
Code change is trivial and pretty obviously correct. There were no other changes between 0.9.14 (in Bullseye) and 0.9.17, where this fix is backported from, in the file in question.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Adds a check that the ID value in a DNS reply matches an ID value in a query.

[ Other info ]
Security team rated this a minor issue, so addressing the fix through a stable update.
diff -Nru python-dnslib-0.9.14/debian/changelog python-dnslib-0.9.14/debian/changelog --- python-dnslib-0.9.14/debian/changelog 2020-06-10 00:51:44.000000000 -0400 +++ python-dnslib-0.9.14/debian/changelog 2022-10-15 20:23:24.000000000 -0400 @@ -1,3 +1,10 @@ +python-dnslib (0.9.14-1+deb11u1) bullseye; urgency=medium + + * Add debian/patches/0002-Validate-TXID-in-client.py.patch from upstream to + address CVE-2022-22846 + + -- Scott Kitterman <sc...@kitterman.com> Sat, 15 Oct 2022 20:23:24 -0400 + python-dnslib (0.9.14-1) unstable; urgency=medium * New upstream release diff -Nru python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch --- python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch 1969-12-31 19:00:00.000000000 -0500 +++ python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch 2022-10-15 20:21:51.000000000 -0400 
@@ -0,0 +1,24 @@ +From: Scott Kitterman <sc...@kitterman.com> +Date: Sat, 15 Oct 2022 20:17:26 -0400 +Subject: Validate TXID in client.py +Fixes CVE-2022-22846 +Origin: backport, https://github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba + +--- + dnslib/client.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/dnslib/client.py b/dnslib/client.py +index 628ea81..09572b6 100644 +--- a/dnslib/client.py ++++ b/dnslib/client.py +@@ -76,6 +76,9 @@ if __name__ == '__main__': + a_pkt = q.send(address,port,tcp=args.tcp) + a = DNSRecord.parse(a_pkt) + ++ if q.header.id != a.header.id: ++ raise DNSError('Response transaction id does not match query transaction id') ++ + if a.header.tc and args.noretry == False: + # Truncated - retry in TCP mode + a_pkt = q.send(address,port,tcp=True) diff -Nru python-dnslib-0.9.14/debian/patches/series python-dnslib-0.9.14/debian/patches/series --- python-dnslib-0.9.14/debian/patches/series 2020-06-10 00:50:31.000000000 -0400 +++ python-dnslib-0.9.14/debian/patches/series 2022-10-15 20:17:32.000000000 -0400 @@ -1 +1,2 @@ 0001-Only-run-tests-for-python3.patch +0002-Validate-TXID-in-client.py.patch
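Review bot: the new id comparison in the dnslib/client.py hunk guards only the first reply; in the truncation branch directly below it (`if a.header.tc and args.noretry == False:`) the query is re-sent with `a_pkt = q.send(address,port,tcp=True)` and the hunk shows no second comparison against the answer parsed from that retry, so the retried reply is accepted whatever id it carries. Suggest repeating `if q.header.id != a.header.id: raise DNSError(...)` after the retry's parse, or moving the check into a small helper that is called after every `DNSRecord.parse(a_pkt)`. Two smaller points on the same hunk: the context line `@@ -76,6 +76,9 @@ if __name__ == '__main__':` shows the check lives in the command-line client block, so programs that use dnslib as a library and call `send()`/`parse()` themselves get nothing from this patch, which is worth a sentence in the Debian patch header or changelog; and the hunk adds a use of `DNSError` without an import, so confirm client.py already imports it before uploading.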
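To make the point of the fix concrete (a reply is only trusted if its 16-bit transaction ID matches the one the client chose), here is an added, stand-alone Python example; it is not dnslib's code and not part of the debdiff above. It builds a minimal DNS query with the standard library only, parses just the header of a reply, and refuses any reply whose ID differs, including the reply obtained from a TCP retry after a truncated UDP answer. The three "servers" are constructed in-process transports that stand in for the network; `DNSError`, `check_txid` and `resolve` are names chosen for this example.

```python
"""Transaction-ID validation for DNS replies, in the shape of the dnslib client fix."""
import secrets
import struct


class DNSError(Exception):
    """Raised when a reply fails validation (same name as dnslib's exception, by choice)."""


# Header flag bits, RFC 1035 section 4.1.1
QR_BIT = 0x8000   # 1 = this packet is a response
TC_BIT = 0x0200   # 1 = response was truncated (retry over TCP)
RD_BIT = 0x0100   # recursion desired


def encode_name(qname):
    """Encode a dotted name as uncompressed DNS labels, terminated by a zero byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise DNSError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, qname, qtype=1):
    """12-byte header (six 16-bit fields) plus one question; qtype 1 = A, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(pkt):
    """Return the fields of the DNS header that the check needs."""
    if len(pkt) < 12:
        raise DNSError("packet shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & QR_BIT), "tc": bool(flags & TC_BIT), "ancount": an}


def check_txid(query, reply):
    """The core of the fix: refuse a reply whose ID does not match the query's ID."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"]:
        raise DNSError("packet is not a response")
    if q["id"] != r["id"]:
        raise DNSError("Response transaction id %#06x does not match query transaction id %#06x"
                       % (r["id"], q["id"]))
    return r


def make_reply(txid, truncated=False):
    """Constructed reply: header only (ANCOUNT=0), enough to exercise the check."""
    flags = QR_BIT | RD_BIT | (TC_BIT if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def resolve(send, qname, tcp=False, noretry=False):
    """Send a query through `send(query_bytes, tcp) -> reply_bytes`, validating every reply.

    Unlike the patched CLI, the ID check is repeated after the TCP retry as well.
    """
    txid = secrets.randbelow(1 << 16)          # unpredictable ID is what makes the check useful
    query = build_query(txid, qname)
    reply = send(query, tcp)
    hdr = check_txid(query, reply)
    if hdr["tc"] and not tcp and not noretry:
        reply = send(query, True)               # truncated: retry over TCP
        check_txid(query, reply)                # ...and validate that reply too
    return reply


# Constructed transports standing in for real servers (no network involved).
def honest_server(query, tcp):
    """Echoes the query's own ID back, as a correct resolver does."""
    return make_reply(parse_header(query)["id"])


def spoofing_server(query, tcp):
    """A blind spoof: a reply carrying an ID the client never sent."""
    return make_reply((parse_header(query)["id"] + 1) & 0xFFFF)


def truncating_then_spoofing_server(query, tcp):
    """Correct-ID truncated UDP reply, then a TCP reply with the wrong ID."""
    txid = parse_header(query)["id"]
    return make_reply(txid, truncated=True) if not tcp else make_reply(txid ^ 0x1234)


def try_resolve(send, qname, **kw):
    """Return 'ok' or the DNSError message, so outcomes are easy to compare."""
    try:
        resolve(send, qname, **kw)
        return "ok"
    except DNSError as e:
        return str(e)


if __name__ == "__main__":
    for name, srv in [("honest", honest_server), ("spoofing", spoofing_server),
                      ("truncating_then_spoofing", truncating_then_spoofing_server)]:
        print(name, "->", try_resolve(srv, "example.com"))
```

With dnslib itself the same comparison is `q.header.id != a.header.id` on the parsed `DNSRecord` objects; the example's only addition to what the patch does is running the comparison again on the reply returned by the TCP retry, and rejecting packets that lack the QR bit (a query reflected back instead of an answer).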