Bug#993796: bullseye-pu: package knot-resolver/5.3.1-1

2022-07-01 Thread Adam D. Barratt
On Fri, 2021-12-03 at 16:59 +0100, Julien Cristau wrote:
> Control: tag -1 confirmed
> 
> On Mon, Sep 06, 2021 at 04:21:15PM +, Jakub Ružička wrote:
> > [ Reason ]
> > Fixing bug #991463 (CVE-2021-40083) - potential DoS.
[...]
> Feel free to go ahead and upload, thank you.

Ping?

Regards,

Adam



Processed: Re: Bug#993796: bullseye-pu: package knot-resolver/5.3.1-1

2021-12-03 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #993796 [release.debian.org] bullseye-pu: package knot-resolver/5.3.1-1
Added tag(s) confirmed.

-- 
993796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#993796: bullseye-pu: package knot-resolver/5.3.1-1

2021-12-03 Thread Julien Cristau
Control: tag -1 confirmed

On Mon, Sep 06, 2021 at 04:21:15PM +, Jakub Ružička wrote:
> [ Reason ]
> Fixing bug #991463 (CVE-2021-40083) - potential DoS.
> 
> [ Impact ]
> Vulnerability to DoS attack.
> 
> [ Tests ]
> I've tested the fix manually by running the deckard (DNS test harness)
> test sets/resolver/val_iter_high.rpl supplied with the upstream fix.
> 
> It's not trivial to set up a system for deckard, so I've used the upstream
> Debian bullseye docker image from Knot CI:
> 
> docker run -it --privileged registry.nic.cz/knot/knot-resolver/ci/debian-11:knot-3.0
> 
> With current knot-resolver-5.3.1-1 the test failed.
> With suggested knot-resolver-5.3.1-1+deb11u1 the test passed.
> 
> [ Risks ]
> This is a simple backport of the upstream fix.
> 
> Upstream tests run during the package build, so the chances of something
> breaking are small.
> 
> [ Checklist ]
>   [*] *all* changes are documented in the d/changelog
>   [*] I reviewed all changes and I approve them
>   [*] attach debdiff against the package in (old)stable
>   [*] the issue is verified as fixed in unstable
> 
Feel free to go ahead and upload, thank you.

Cheers,
Julien



Bug#993796: bullseye-pu: package knot-resolver/5.3.1-1

2021-09-06 Thread Jakub Ružička
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jakub.ruzi...@nic.cz

[ Reason ]
Fixing bug #991463 (CVE-2021-40083) - potential DoS.

[ Impact ]
Vulnerability to DoS attack.

[ Tests ]
I've tested the fix manually by running the deckard (DNS test harness)
test sets/resolver/val_iter_high.rpl supplied with the upstream fix.

It's not trivial to set up a system for deckard, so I've used the upstream
Debian bullseye docker image from Knot CI:

docker run -it --privileged registry.nic.cz/knot/knot-resolver/ci/debian-11:knot-3.0

With current knot-resolver-5.3.1-1 the test failed.
With suggested knot-resolver-5.3.1-1+deb11u1 the test passed.

[ Risks ]
This is a simple backport of the upstream fix.

Upstream tests run during the package build, so the chances of something
breaking are small.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport of upstream fix for #991463:

https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1169/diffs#c22c39e3a02cdfb0d3d47b16ff46e65d196df19d
diff -Nru knot-resolver-5.3.1/debian/changelog 
knot-resolver-5.3.1/debian/changelog
--- knot-resolver-5.3.1/debian/changelog2021-04-12 05:59:28.0 
+
+++ knot-resolver-5.3.1/debian/changelog2021-08-31 16:20:00.0 
+
@@ -1,3 +1,10 @@
+knot-resolver (5.3.1-1+deb11u1) bullseye; urgency=medium
+
+  * Fix possible assertion failure in NSEC3 edge-case (CVE-2021-40083)
+(Closes: #991463)
+
+ -- Jakub Ružička   Tue, 31 Aug 2021 16:20:00 +
+
 knot-resolver (5.3.1-1) unstable; urgency=medium
 
   [ Jakub Ružička ]
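Review bot: the new changelog entry names the CVE and closes #991463 but does not identify the patch file being added (debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch) or the upstream merge request linked in the bug body; adding one of those to the bullet makes the origin of the stable-update fix traceable from the package alone, without going through the bug tracker.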
diff -Nru knot-resolver-5.3.1/debian/gbp.conf 
knot-resolver-5.3.1/debian/gbp.conf
--- knot-resolver-5.3.1/debian/gbp.conf 2021-04-12 05:59:28.0 +
+++ knot-resolver-5.3.1/debian/gbp.conf 2021-08-31 16:20:00.0 +
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bullseye
 debian-tag = debian/%(version)s
 upstream-branch = upstream
 upstream-tag = upstream/%(version)s
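Review bot: switching debian-branch from debian/master to debian/bullseye is a packaging-workflow change with no effect on the built binaries, but it is not mentioned in the changelog hunk above even though the checklist asserts that all changes are documented in d/changelog; either add a bullet for it or drop it from this upload so the debdiff stays limited to the CVE fix.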
diff -Nru 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
--- 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
 1970-01-01 00:00:00.0 +
+++ 
knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
 2021-08-31 16:20:00.0 +
@@ -0,0 +1,58 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= 
+Date: Mon, 12 Apr 2021 15:23:02 +0200
+Subject: [PATCH] validator: avoid assertion in an edge-case
+
+Case: NSEC3 with too many iterations used for a positive wildcard proof.
+
+To really fix the answers, this also needed fixing the `any_rank` part
+which I somehow forgot in commit 7107faebc :-(
+---
+ lib/dnssec/nsec3.c   | 7 +++
+ lib/dnssec/nsec3.h   | 1 +
+ lib/layer/validate.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
+index e9e536a..f3a48c0 100644
+--- a/lib/dnssec/nsec3.c
 b/lib/dnssec/nsec3.c
+@@ -596,6 +596,13 @@ int kr_nsec3_wildcard_answer_response_check(const 
knot_pkt_t *pkt, knot_section_
+   if (rrset->type != KNOT_RRTYPE_NSEC3) {
+   continue;
+   }
++  if (knot_nsec3_iters(rrset->rrs.rdata) > 
KR_NSEC3_MAX_ITERATIONS) {
++  /* Avoid hashing with too many iterations.
++   * If we get here, the `sname` wildcard probably ends 
up bogus,
++   * but it gets downgraded to KR_RANK_INSECURE when 
validator
++   * gets to verifying one of these over-limit NSEC3 RRs. 
*/
++  continue;
++  }
+   int ret = covers_name(, rrset, sname);
+   if (ret != 0) {
+   return ret;
+diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
+index 1e316f5..0fdbfce 100644
+--- a/lib/dnssec/nsec3.h
 b/lib/dnssec/nsec3.h
+@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t 
*pkt, knot_section_t sec
+  * KNOT_ERANGE - NSEC3 RR that covers a wildcard
+  * has been found, but has opt-out flag set;
+  * otherwise - error.
++ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get 
kr_error(ENOENT).
+  */
+ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, 
knot_section_t section_id,
+ const knot_dname_t *sname, int 
trim_to_next);
+diff --git a/lib/layer/validate.c b/lib/layer/validate.c
+index cf5dda2..cf5c88a 100644
+--- a/lib/layer/validate.c
 b/lib/layer/validate.c
+@@ -894,7
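Review bot: the lib/layer/validate.c hunk is cut off at `@@ -894,7`, so the `any_rank` part that the patch description says is needed "to really fix the answers" cannot be reviewed from this message; please resend with the complete patch. In the nsec3.c hunk the new block `continue`s past any NSEC3 RR whose iteration count is over KR_NSEC3_MAX_ITERATIONS instead of returning an error, so a response made up only of such records falls through to kr_nsec3_wildcard_answer_response_check's not-found path; the nsec3.h comment documents that as kr_error(ENOENT), and the inline comment relies on the validator later downgrading the result to KR_RANK_INSECURE rather than rejecting it. That trade-off (skip expensive hashing, accept an insecure rather than bogus outcome) is the substance of the fix and deserves a sentence in d/changelog. Finally, this copy shows `covers_name(, rrset, sname)` with an empty first argument and `b/lib/dnssec/nsec3.c` lines without their `+++` prefix; those look like mail-side damage, but confirm the attached debdiff applies cleanly before upload.

As an added illustration of the check this patch introduces (example code written for this page, not knot-resolver's own), the C below parses the wire-format NSEC3 RDATA layout from RFC 5155 to show where the iteration count that `knot_nsec3_iters()` reads sits, then applies a cap before any hashing would happen. The cap value `KR_NSEC3_MAX_ITERATIONS_ASSUMED` and the helper names are assumptions; knot-resolver's real constant is `KR_NSEC3_MAX_ITERATIONS`, whose value is not shown in this thread. The sample records are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap for illustration; knot-resolver's real constant is
 * KR_NSEC3_MAX_ITERATIONS and its value is not shown in the thread. */
#define KR_NSEC3_MAX_ITERATIONS_ASSUMED 150

/* Parsed view of NSEC3 RDATA (RFC 5155 section 3.2); pointers alias the input. */
typedef struct {
    uint8_t hash_alg;
    uint8_t flags;
    uint16_t iterations;
    uint8_t salt_len;
    const uint8_t *salt;
    uint8_t hash_len;
    const uint8_t *next_hash;
} nsec3_rdata_t;

/* Parse the fixed header, salt and next-hashed-owner fields; the trailing type
 * bitmap is not needed for the iteration check and is left unparsed.
 * Returns 0 on success, -1 if the RDATA is shorter than its fields claim. */
int nsec3_parse(const uint8_t *rdata, size_t len, nsec3_rdata_t *out)
{
    if (rdata == NULL || out == NULL || len < 5)
        return -1;
    out->hash_alg = rdata[0];
    out->flags = rdata[1];
    out->iterations = (uint16_t)(((uint16_t)rdata[2] << 8) | rdata[3]); /* big-endian */
    out->salt_len = rdata[4];
    size_t off = 5;
    if (len < off + out->salt_len + 1)
        return -1;
    out->salt = rdata + off;
    off += out->salt_len;
    out->hash_len = rdata[off++];
    if (len < off + out->hash_len)
        return -1;
    out->next_hash = rdata + off;
    return 0;
}

/* The defensive decision the patch adds before hashing: 1 = skip this record
 * (iteration count over the cap), 0 = usable, -1 = malformed RDATA. */
int nsec3_should_skip(const uint8_t *rdata, size_t len)
{
    nsec3_rdata_t rr;
    if (nsec3_parse(rdata, len, &rr) != 0)
        return -1;
    return rr.iterations > KR_NSEC3_MAX_ITERATIONS_ASSUMED ? 1 : 0;
}

/* Build a constructed sample RDATA: SHA-1 (alg 1), flags 0, the given
 * iteration count, a 4-byte salt and a zeroed 20-byte next hash (30 bytes). */
size_t nsec3_build_sample(uint8_t *buf, size_t cap, uint16_t iterations)
{
    static const uint8_t salt[4] = {0xAA, 0xBB, 0xCC, 0xDD};
    const size_t need = 5 + sizeof salt + 1 + 20;
    if (buf == NULL || cap < need)
        return 0;
    buf[0] = 1;
    buf[1] = 0;
    buf[2] = (uint8_t)(iterations >> 8);
    buf[3] = (uint8_t)(iterations & 0xFF);
    buf[4] = (uint8_t)sizeof salt;
    memcpy(buf + 5, salt, sizeof salt);
    buf[9] = 20;
    memset(buf + 10, 0, 20);
    return need;
}

/* Build a sample with the given iteration count and return the verdict on it. */
int nsec3_sample_verdict(uint16_t iterations)
{
    uint8_t buf[64];
    size_t n = nsec3_build_sample(buf, sizeof buf, iterations);
    return nsec3_should_skip(buf, n);
}

int main(void)
{
    printf("10 iterations: %d\n", nsec3_sample_verdict(10));     /* 0: usable */
    printf("2500 iterations: %d\n", nsec3_sample_verdict(2500)); /* 1: skipped */
    printf("truncated: %d\n", nsec3_should_skip((const uint8_t *)"\x01\x00", 2)); /* -1 */
    return 0;
}
```

The iteration count is a two-byte field set by whoever signs the zone, so a resolver that validates responses from arbitrary zones cannot trust it to be small; checking the field before hashing, as the patch does, bounds the work per record and leaves the rank downgrade to the validator.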