Hi Daniel,
This CVE-2024-43168 was registered by RedHat. We (NLnet Labs) are a CNA
for our products and MITRE notified us about the out-of-scope
appointment of some CVEs from RedHat.
We are in talks with MITRE because although the issue is for RedHat
products, the software package mentioned is Unbound.
One of two things will happen with those CVEs:
- They will stay under our (NLnet Labs) control and we will reject
them, or
- They will stay under RedHat control and make it clear that it is for
the configuration of Unbound in their systems.
With that out of the way, on to the issue.
The issue is about a bug in the configuration code. We only see it as a
bug and not a CVE vulnerability because a user with configuration access
for Unbound is required.
There are two distinct issues involved with that:
- https://github.com/NLnetLabs/unbound/issues/1039
- https://github.com/NLnetLabs/unbound/pull/1062
The initial commits from the reporter solve the issues but further
commits from us complement the solution. It would be good to apply the
whole set of commits.
The commits deal with erroneous input in Unbound's configuration.
I confirm that the chronological order of the commits is the following:
-
https://github.com/NLnetLabs/unbound/commit/193401e7543a1e561dd634a3eaae932fa462a2b9
-
https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7
-
https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e
-
https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c
If you have further questions let me know.
Best regards,
-- Yorgos
On 23/09/2024 22:26, Daniel Leidert via Unbound-users wrote:
Hi,
I am a Debian developer and part of the Debian LTS team. I'm currently
going through the open vulnerabilities for the unbound versions in
Debian Buster and Bullseye.
One of the issues is described in CVE-2024-43168. That particular issue
was closed by [1]. However, it was then followed by a series of other
commits [2,3,4]. In the pull request you mention [5] that these changes
stop unbound "from taking a long time" and "having trouble with
malformed input causing invalid accesses".
How serious are these issues? There hasn't been any additonal CVE as
far as I know. Should these additional commits be applied to complete
the fix for CVE-2024-43168?
Regards, Daniel
[1] https://github.com/NLnetLabs/unbound/pull/1040
[2]
https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7
[3]
https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e
[4]
https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c
[5] https://github.com/NLnetLabs/unbound/pull/1040#issuecomment-2033884392
