Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I would like to fix a DNSSEC validation bug (CVE-2017-15105) in the
unbound package shipped in stretch. After discussion with the security
team, this bug was deemed minor enough that the fix could be shipped in
a point release:
https://security-tracker.debian.org/tracker/CVE-2017-15105
Please see attached a debdiff for unbound 1.6.0-3+deb9u2 containing the
backported fix from upstream version 1.6.8. I'd like to have this
considered for the upcoming stable point release.
Details on the bug and its impact are available in this upstream
advisory:
https://unbound.net/downloads/CVE-2017-15105.txt
I have cherry-picked two commits (svn r4441, r4528) from the upstream
repository containing the fix and a test case. Those upstream commits
are available here:
https://github.com/NLnetLabs/unbound/commit/2a6250e3fb3ccd6e9a0a16b6908c5cfb76d8d6f3
https://github.com/NLnetLabs/unbound/commit/eff62cecac1388214032906eb6944ceb9c0e6d41
(There was a minor conflict when merging the cherry-picked commit r4441
due to the renaming of some internal types in svn r3989.)
A very similar fix has already been shipped for wheezy-lts in
1.4.17-3+deb7u3.
Thanks!
--
Robert Edmonds
edmo...@debian.org
diff -Nru unbound-1.6.0/debian/changelog unbound-1.6.0/debian/changelog
--- unbound-1.6.0/debian/changelog 2017-08-27 00:43:42.0 -0400
+++ unbound-1.6.0/debian/changelog 2018-02-28 17:00:51.0 -0500
@@ -1,3 +1,12 @@
+unbound (1.6.0-3+deb9u2) stretch; urgency=high
+
+ * Cherry-pick upstream commit svn r4441, "patch for CVE-2017-15105:
+vulnerability in the processing of wildcard synthesized NSEC records."
+ * Cherry-pick upstream commit svn r4528, "Added tests with wildcard
+expanded NSEC records (CVE-2017-15105 test)".
+
+ -- Robert Edmonds Wed, 28 Feb 2018 17:00:51 -0500
+
unbound (1.6.0-3+deb9u1) stretch; urgency=high
* Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
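Review bot: the new deb9u2 changelog entry names the two cherry-picked commits but not the upstream release they were taken from (1.6.8, per the cover mail) nor the hand-resolved conflict with the r3989 type renames; consider adding a line such as "Backported from upstream 1.6.8; adjusted for the internal type renames of svn r3989" so the point-release record is self-contained, and a pointer to the upstream advisory URL would help anyone reading the changelog alone.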
diff -Nru unbound-1.6.0/debian/patches/debian-changes
unbound-1.6.0/debian/patches/debian-changes
--- unbound-1.6.0/debian/patches/debian-changes 2017-08-27 00:43:42.0
-0400
+++ unbound-1.6.0/debian/patches/debian-changes 2018-02-28 17:00:51.0
-0500
@@ -5,14 +5,12 @@
information below has been extracted from the changelog. Adjust it or drop
it.
.
- unbound (1.6.0-3+deb9u1) stretch; urgency=high
+ unbound (1.6.0-3+deb9u2) stretch; urgency=high
.
- * Cherry-pick upstream commit svn r4301, "Fix install of trust anchor
- when two anchors are present, makes both valid. Checks hash of DS but
- not signature of new key. This fixes installs between sep11 and oct11
- 2017."
- * debian/control: unbound: Add versioned dependency on dns-root-data (>=
- 2017072601~) for KSK-2017 in RFC 5011 state VALID.
+ * Cherry-pick upstream commit svn r4441, "patch for CVE-2017-15105:
+ vulnerability in the processing of wildcard synthesized NSEC records."
+ * Cherry-pick upstream commit svn r4528, "Added tests with wildcard
+ expanded NSEC records (CVE-2017-15105 test)".
Author: Robert Edmonds
---
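Review bot: the replaced Description in the debian-changes header now mentions only the r4441/r4528 cherry-picks, yet the patch body still carries the deb9u1 changes (the acx_python.m4 hunk remains as context further down), so the header under-describes what the patch applies. Either keep both release entries in the Description, or preferably split the CVE-2017-15105 fix into its own DEP-3 patch under debian/patches so it can be reviewed and traced independently of the auto-generated debian-changes patch.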
@@ -26,7 +24,7 @@
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded:
Reviewed-By:
-Last-Update: 2017-08-27
+Last-Update: 2018-02-28
--- unbound-1.6.0.orig/acx_python.m4
+++ unbound-1.6.0/acx_python.m4
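Review bot: Last-Update is bumped, but the Forwarded: and Reviewed-By: fields are still left empty. Since every change in this patch is cherry-picked from upstream, set `Forwarded: not-needed` (DEP-3), and consider recording the two upstream commit URLs from the cover mail in an Origin: field so the provenance of the CVE fix survives inside the package rather than only in this bug report.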
@@ -79,6 +77,165 @@
+echo "Setup success. Certificates created."
exit 0
+--- unbound-1.6.0.orig/testcode/unitverify.c
unbound-1.6.0/testcode/unitverify.c
+@@ -186,7 +186,9 @@ verifytest_rrset(struct module_env* env,
+ ntohs(rrset->rk.rrset_class));
+ }
+ setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */
+- sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason);
++ /* ok to give null as qstate here, won't be used for answer section. */
++ sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason,
++ LDNS_SECTION_ANSWER, NULL);
+ if(vsig) {
+ printf("verify outcome is: %s %s\n", sec_status_to_string(sec),
+ reason?reason:"");
+--- /dev/null
unbound-1.6.0/testdata/val_nodata_failwc.rpl
+@@ -0,0 +1,71 @@
++; config options
++; The island of trust is at nsecwc.nlnetlabs.nl
++server:
++ trust-anchor: "nsecwc.nlnetlabs.nl. 10024 IN DS 565 8 2
0C15C04C022700C8713028F6F64CF2343DE627B8F83CDA1C421C65DB 52908A2E"
++ val-override-date: "20181202115531"
++ target-fetch-policy: "0 0 0 0 0"
++ fake-sha1: yes
++ trust-anchor-signaling: no
++stub-zone:
++ name: "nsecwc.nlnetlabs.nl"
++ stub-addr: "185.49.140.60"
++
++CONFIG_END
++
++SCENARIO_BEGIN Test validator with nodata response with wildcard expanded
NSEC record, original NSEC owner does not provide proof for QNAME.
CVE-2017-15105 test.
++
++ ; ns.example.com.
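Review bot: the visible part of this hunk shows only the test-side adaptation, namely the unitverify.c call updated to the new dnskeyset_verify_rrset() signature with the extra LDNS_SECTION_ANSWER and NULL qstate arguments, plus the start of the new val_nodata_failwc.rpl scenario; the validator change that actually rejects the wildcard-expanded NSEC proof is not in view here, and the cover mail says that part was merged by hand around the r3989 type renames, so that is the portion to compare most carefully against upstream r4441. Also confirm that the new .rpl is picked up by the package's build-time test run, since the scenario (val-override-date "20181202115531", target-fetch-policy "0 0 0 0 0", fake-sha1: yes) only demonstrates the fix if testbound actually executes it during the build.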