Your message dated Sat, 29 Jun 2024 10:47:46 +0000
with message-id <e1snvcq-002bpr...@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1063821,
regarding bullseye-pu: package python-dnslib/0.9.14-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1063821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Address no-dsa CVE: CVE-2022-22846
[ Impact ]
Continued vulnerability to minor issue.
[ Tests ]
Package has tests which are run via autopkgtest and during the build.
Both pass locally with the added patch.
[ Risks ]
Risk is minimal. Patch is from upstream and has been around for a while
without known issues. Change is trivial.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Add verification that the ID value in a DNS reply matches the ID value in the query.
[ Other info ]
I've only ever used this for running local tests to mock DNS responses,
which is not a case that's at risk for this issue, but it did occur to
me others may use it differently, so probably better to fix it.
Scott K
diff -Nru python-dnslib-0.9.14/debian/changelog
python-dnslib-0.9.14/debian/changelog
--- python-dnslib-0.9.14/debian/changelog 2020-06-10 00:51:44.000000000
-0400
+++ python-dnslib-0.9.14/debian/changelog 2024-02-12 19:43:55.000000000
-0500
@@ -1,3 +1,9 @@
+python-dnslib (0.9.14-1+deb11u1) bullseye; urgency=medium
+
+ * Add d/p/0002-Validate-TXID-in-client.py.patch to address CVE-2022-22846
+
+ -- Scott Kitterman <sc...@kitterman.com> Mon, 12 Feb 2024 19:43:55 -0500
+
python-dnslib (0.9.14-1) unstable; urgency=medium
* New upstream release
diff -Nru
python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch
python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch
--- python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch
1969-12-31 19:00:00.000000000 -0500
+++ python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch
2024-02-12 19:42:50.000000000 -0500
@@ -0,0 +1,24 @@
+From: Scott Kitterman <sc...@kitterman.com>
+Date: Sat, 12 Feb 2024 19:41:26 -0500
+Subject: Validate TXID in client.py
+Fixes CVE-2022-22846
+Origin: backport,
https://github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba
+
+---
+ dnslib/client.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dnslib/client.py b/dnslib/client.py
+index 628ea81..09572b6 100644
+--- a/dnslib/client.py
++++ b/dnslib/client.py
+@@ -76,6 +76,9 @@ if __name__ == '__main__':
+ a_pkt = q.send(address,port,tcp=args.tcp)
+ a = DNSRecord.parse(a_pkt)
+
++ if q.header.id != a.header.id:
++ raise DNSError('Response transaction id does not match query
transaction id')
++
+ if a.header.tc and args.noretry == False:
+ # Truncated - retry in TCP mode
+ a_pkt = q.send(address,port,tcp=True)
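Review bot: the new comparison sits inside the `if __name__ == '__main__':` block of client.py (see the hunk header), so only the command-line client gains the transaction-id check; callers that use the library's DNSRecord.send and DNSRecord.parse directly get nothing from this change, and the check is also not repeated after the TCP retry at `a_pkt = q.send(address,port,tcp=True)`, whose reply is parsed after the comparison has already run. Consider placing the id comparison in a helper invoked right after every parse of a response so both the initial and the retried answer are validated. Separately, the patch's `Date: Sat, 12 Feb 2024` disagrees with the changelog entry, which dates the same day as `Mon`; one of the two should be corrected.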
diff -Nru python-dnslib-0.9.14/debian/patches/series
python-dnslib-0.9.14/debian/patches/series
--- python-dnslib-0.9.14/debian/patches/series 2020-06-10 00:50:31.000000000
-0400
+++ python-dnslib-0.9.14/debian/patches/series 2024-02-12 19:43:55.000000000
-0500
@@ -1 +1,2 @@
0001-Only-run-tests-for-python3.patch
+0002-Validate-TXID-in-client.py.patch
--- End Message ---
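As an added illustration of the check the patch introduces (this is example code, not part of the bug report or of dnslib itself), the following self-contained Python sketch builds a DNS query plus two constructed replies and accepts only the reply whose transaction id matches the query's; the helper names are assumptions of this example.

```python
import secrets
import struct

# DNS wire header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query(qname: str, txid: int) -> bytes:
    """Construct a minimal A/IN query for qname with the given transaction id (RD set)."""
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_reply(query: bytes, txid: int, addr: str) -> bytes:
    """Construct a reply echoing the question section and carrying one A record.

    The id is a parameter so the caller can build both a legitimate and a
    mismatched sample reply; this is test scaffolding, not a resolver.
    """
    question = query[DNS_HEADER.size:]
    header = DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    # Name as a compression pointer to offset 12, then type A, class IN, TTL, RDLENGTH.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    rr += bytes(int(octet) for octet in addr.split("."))
    return header + question + rr


def txid_of(packet: bytes) -> int:
    """Read the 16-bit transaction id, refusing packets shorter than a header."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(packet)[0]


def accept_reply(query: bytes, reply: bytes) -> bool:
    """Mirror the client.py check: a reply is usable only if its id matches the query's."""
    return txid_of(query) == txid_of(reply)


def demo() -> tuple:
    """Return (accepted_matching, accepted_mismatched) for two constructed replies."""
    txid = secrets.randbits(16)                       # unpredictable id, as a client should use
    q = build_query("example.test", txid)
    matching = build_reply(q, txid, "192.0.2.1")
    mismatched = build_reply(q, (txid + 1) & 0xFFFF, "192.0.2.2")  # constructed bad sample
    return accept_reply(q, matching), accept_reply(q, mismatched)
```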
--- Begin Message ---
Version: 11.10
The upload requested in this bug has been released as part of 11.10.
--- End Message ---