SRU template added. I've got everything reproducing properly, and testing steps show the steps for reproduction.
** Description changed:

+ [ SRU ]
+ [ Impact ]
+
+ * regression introduced by CVE-2024-43167: anyone with a configuration file that ends up parsed by contents_view and that has a large file (> 9994 zones) will hit memory exhaustion.
+ * due to the bug being introduced by a security patch, it has been patched all the way to 20.04 in the security pocket.
+ * due to the file size requirement, this is likely only hitting the largest deployments.
+
+
+ [ Test Plan ]
+
+ [[ Reproduction ]]
+
+ * download conf from comment 2: https://bugs.launchpad.net/ubuntu/oracular/+source/unbound/+bug/2087526/comments/2
+ * download example zone from comment 5: https://bugs.launchpad.net/ubuntu/oracular/+source/unbound/+bug/2087526/comments/5
+ * lxc launch ubuntu-daily:$SUITE $SUITE-test-unbound
+ * lxc file push <unbound.conf | security.zone> $SUITE-test-unbound/tmp/
+ * lxc shell $SUITE-test-unbound
+ * sudo apt update && sudo apt full-upgrade
+ * sudo apt install unbound
+ * sudo service unbound stop
+ * mv /tmp/unbound.conf /etc/unbound/unbound.conf
+ * mkdir /etc/unbound/zones
+ * mv /etc/unbound/zones/security.zone
+ * sudo service unbound start
+ * observe the failure (memory exhaustion)
+ * sudo service unbound stop (just in case -- it should be dead)
+ * setup proposed (or the PPA)
+ * sudo apt update
+ * make sure you get the update installed (apt-cache policy unbound)
+ * upgrade unbound
+ * sudo service unbound start
+ * no error should occur from reading the configuration file
+ * note: there may be a different error in the resolveconf service due to a loopback device being used in an lxc container. This is unrelated to the issue.
+
+
+ [ Where problems could occur ]
+
+ * the patch happens in configparser.y. The bug was introduced by another change to this file. It is difficult to know the amount of configurations available and how those can be parsed.
+ * scanning past bugs in upstream github and debian, I am not seeing recent bugs related to configuration.
+
+ [ Other Info ]
+
+ * PPA builds available in
+ https://launchpad.net/~jchittum/+archive/ubuntu/lp-2087526-unbound
+
+
+ [ ORIGINAL BUG REPORT ]
+
  Starting with version 1.19, when loading unbound and using the include directive to load a large file with lots of NXDOMAIN entries (244 859 entries), unbound gives a memory exhausted error and does not load on Ubuntu 24.04

  To reproduce
  Steps to reproduce the behavior:
- add include directive to file with lots (over 244000) of entries like this "local-zone: "vip.xvpn.io" always_nxdomain"
- unbound.conf: include: /etc/unbound/zones/db.malware.zone
- try to start unbound with service start unbound
+ add include directive to file with lots (over 244000) of entries like this "local-zone: "vip.xvpn.io" always_nxdomain"
+ unbound.conf: include: /etc/unbound/zones/db.malware.zone
+ try to start unbound with service start unbound

  Expected behavior
- Unbound should start
+ Unbound should start

  System:
- Unbound version: 1.19.2 (1.19.2-1ubuntu3.3)
- OS: Ubuntu Noble 24.04.1
- unbound: 1.19.2-1ubuntu3.3
+ Unbound version: 1.19.2 (1.19.2-1ubuntu3.3)
+ OS: Ubuntu Noble 24.04.1
+ unbound: 1.19.2-1ubuntu3.3

  Additional information
  Error message: unbound-helper[236519]: /etc/unbound/zones/db.malware.zone:23463: error: memory exhausted
  Older package 1.19.2-1ubuntu3.1 is working fine with the configuration
  If I use just a couple of lines (e.g. 20000) in the include directive it works just fine and unbound loads and returns NXDOMAIN for the few remaining domains.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2087526

Title:
  unbound cannot start with large zone files > 24.000 lines : memory exhausted

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/2087526/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
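A pre-flight check an operator can run before restarting the resolver, added here as an example and not code from the bug report or from the unbound project: it writes a constructed include file above the > 9994-zone threshold named in the SRU text, wraps it in a minimal unbound.conf using the same include: directive as the original report, and runs unbound-checkconf on it. It assumes unbound-checkconf exercises the same configuration parser that produced the unbound-helper error above, and the zone names it writes are constructed placeholders.

```shell
#!/bin/sh
# Added pre-flight check, not from the bug report or the unbound project.
# Generates a local-zone include file above the trigger size given in the
# SRU text (> 9994 zones) and asks unbound-checkconf whether the installed
# unbound still rejects it, so the regression is caught before a restart.
set -u

# gen_zone COUNT FILE: write COUNT always_nxdomain local-zone lines (constructed names).
gen_zone() {
    awk -v n="$1" 'BEGIN {
        for (i = 1; i <= n; i++)
            printf "local-zone: \"nxdomain-%d.example\" always_nxdomain\n", i
    }' > "$2"
}

# gen_conf ZONEFILE CONFFILE: minimal config pulling ZONEFILE in via include:.
# chroot and username are blanked so the check needs neither /etc/unbound
# nor an unbound system user (assumption: both options accepted as written).
gen_conf() {
    cat > "$2" <<EOF
server:
    chroot: ""
    username: ""
include: "$1"
EOF
}

# check_conf CONFFILE: 0 if unbound-checkconf accepts it, 1 if it rejects it
# (the report's signature is a "memory exhausted" line), 2 if not installed.
check_conf() {
    command -v unbound-checkconf >/dev/null 2>&1 || return 2
    if out=$(unbound-checkconf "$1" 2>&1); then
        return 0
    fi
    printf '%s\n' "$out" >&2
    return 1
}

workdir=$(mktemp -d)
gen_zone 10000 "$workdir/security.zone"
gen_conf "$workdir/security.zone" "$workdir/unbound.conf"
check_conf "$workdir/unbound.conf" && rc=0 || rc=$?
case $rc in
    0) echo "ok: parser accepted 10000 zones" ;;
    1) echo "REGRESSION: config rejected; do not restart unbound until upgraded" ;;
    2) echo "unbound-checkconf not installed; generated files left in $workdir" ;;
esac
```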
