These are a bit unfortunate, because they were not properly coordinated with
upstream.
There are two similar assigned low severity CVEs:
- https://access.redhat.com/security/cve/CVE-2024-43167
Which points to MR: https://github.com/NLnetLabs/unbound/pull/1073
- https://access.redhat.com/security/cve/CVE-2024-43168
Which points to MR: https://github.com/NLnetLabs/unbound/pull/1040
On 24/09/2024 10:01, Yorgos Thessalonikefs via Unbound-users wrote:
Hi Daniel,
This CVE-2024-43168 was registered by RedHat. We (NLnet Labs) are a
CNA for our products and MITRE notified us about the out-of-scope
appointment of some CVEs from RedHat.
We are in talks with MITRE because although the issue is for RedHat
products, the software package mentioned is Unbound.
One of two things will happen with those CVEs:
- They will stay under our (NLnet Labs) control and we will reject
them, or
- They will stay under RedHat control and make it clear that it is for
the configuration of Unbound in their systems.
With that out of the way, on to the issue.
The issue is about a bug in the configuration code. We only see it as
a bug and not a CVE vulnerability because a user with configuration
access for Unbound is required.
There are two distinct issues involved with that:
- https://github.com/NLnetLabs/unbound/issues/1039
- https://github.com/NLnetLabs/unbound/pull/1062
The initial commits from the reporter solve the issues but further
commits from us complement the solution. It would be good to apply the
whole set of commits.
The commits deal with erroneous input in Unbound's configuration.
I confirm that the chronological order of the commits is the following:
- https://github.com/NLnetLabs/unbound/commit/193401e7543a1e561dd634a3eaae932fa462a2b9
- https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7
- https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e
- https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c
If you have further questions let me know.
Best regards,
-- Yorgos
On 23/09/2024 22:26, Daniel Leidert via Unbound-users wrote:
Hi,
I am a Debian developer and part of the Debian LTS team. I'm currently
going through the open vulnerabilities for the unbound versions in
Debian Buster and Bullseye.
One of the issues is described in CVE-2024-43168. That particular issue
was closed by [1]. However, it was then followed by a series of other
commits [2,3,4]. In the pull request you mention [5] that these changes
stop unbound "from taking a long time" and "having trouble with
malformed input causing invalid accesses".
How serious are these issues? There hasn't been any additional CVE as
far as I know. Should these additional commits be applied to complete
the fix for CVE-2024-43168?
Regards, Daniel
[1] https://github.com/NLnetLabs/unbound/pull/1040
[2] https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7
[3] https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e
[4] https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c
[5] https://github.com/NLnetLabs/unbound/pull/1040#issuecomment-2033884392
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB