
Bug#993796: bullseye-pu: package knot-resolver/5.3.1-1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jakub.ruzicka@nic.cz

[ Reason ]
Fixing bug #991463 (CVE-2021-40083) - potential DoS.

[ Impact ]
Vulnerability to DoS attack.

[ Tests ]
I've tested the fix manually by running the deckard (DNS test harness)
test sets/resolver/val_iter_high.rpl supplied with the upstream fix.

It's not trivial to set up a system for deckard, so I've used the upstream
Debian bullseye docker image from Knot CI:

docker run -it --privileged registry.nic.cz/knot/knot-resolver/ci/debian-11:knot-3.0

With the current knot-resolver-5.3.1-1 the test failed.
With the suggested knot-resolver-5.3.1-1+deb11u1 the test passed.

[ Risks ]
This is a simple backport of the upstream fix.

Upstream tests run during package build so chances of something
breaking are small.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport of upstream fix for #991463:

https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1169/diffs#c22c39e3a02cdfb0d3d47b16ff46e65d196df19d
diff -Nru knot-resolver-5.3.1/debian/changelog knot-resolver-5.3.1/debian/changelog
--- knot-resolver-5.3.1/debian/changelog	2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/changelog	2021-08-31 16:20:00.000000000 +0000
@@ -1,3 +1,10 @@
+knot-resolver (5.3.1-1+deb11u1) bullseye; urgency=medium
+
+  * Fix possible assertion failure in NSEC3 edge-case (CVE-2021-40083)
+    (Closes: #991463)
+
+ -- Jakub Ružička <jakub.ruzicka@nic.cz>  Tue, 31 Aug 2021 16:20:00 +0000
+
 knot-resolver (5.3.1-1) unstable; urgency=medium
 
   [ Jakub Ružička ]
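
Review bot: the new 5.3.1-1+deb11u1 entry lists only the CVE-2021-40083 fix, while this debdiff also changes debian/gbp.conf (debian-branch) and debian/salsa-ci.yml (RELEASE). Add a changelog line for those packaging changes so the entry matches the "*all* changes are documented in the d/changelog" item in the checklist.
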
diff -Nru knot-resolver-5.3.1/debian/gbp.conf knot-resolver-5.3.1/debian/gbp.conf
--- knot-resolver-5.3.1/debian/gbp.conf	2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/gbp.conf	2021-08-31 16:20:00.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bullseye
 debian-tag = debian/%(version)s
 upstream-branch = upstream
 upstream-tag = upstream/%(version)s
diff -Nru knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch
--- knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch	1970-01-01 00:00:00.000000000 +0000
+++ knot-resolver-5.3.1/debian/patches/0002-validator-avoid-assertion-in-an-edge-case.patch	2021-08-31 16:20:00.000000000 +0000
@@ -0,0 +1,58 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz>
+Date: Mon, 12 Apr 2021 15:23:02 +0200
+Subject: [PATCH] validator: avoid assertion in an edge-case
+
+Case: NSEC3 with too many iterations used for a positive wildcard proof.
+
+To really fix the answers, this also needed fixing the `any_rank` part
+which I somehow forgot in commit 7107faebc :-(
+---
+ lib/dnssec/nsec3.c   | 7 +++++++
+ lib/dnssec/nsec3.h   | 1 +
+ lib/layer/validate.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
+index e9e536a..f3a48c0 100644
+--- a/lib/dnssec/nsec3.c
++++ b/lib/dnssec/nsec3.c
+@@ -596,6 +596,13 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
+ 		if (rrset->type != KNOT_RRTYPE_NSEC3) {
+ 			continue;
+ 		}
++		if (knot_nsec3_iters(rrset->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
++			/* Avoid hashing with too many iterations.
++			 * If we get here, the `sname` wildcard probably ends up bogus,
++			 * but it gets downgraded to KR_RANK_INSECURE when validator
++			 * gets to verifying one of these over-limit NSEC3 RRs. */
++			continue;
++		}
+ 		int ret = covers_name(&flags, rrset, sname);
+ 		if (ret != 0) {
+ 			return ret;
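
Review bot: the added check in kr_nsec3_wildcard_answer_response_check() reads the iteration count from `rrset->rrs.rdata` alone, so if an NSEC3 RRset can hold more than one record, only the record at that pointer is compared against KR_NSEC3_MAX_ITERATIONS. Confirm that covers_name() hashes with the same rdata, or say in the comment why one check per RRset is enough. The `continue` is also silent; a verbose-level log line here would let an operator see why a wildcard answer ended up downgraded.
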
+diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
+index 1e316f5..0fdbfce 100644
+--- a/lib/dnssec/nsec3.h
++++ b/lib/dnssec/nsec3.h
+@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t sec
+  *                     KNOT_ERANGE - NSEC3 RR that covers a wildcard
+  *                     has been found, but has opt-out flag set;
+  *                     otherwise - error.
++ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
+  */
+ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
+                                             const knot_dname_t *sname, int trim_to_next);
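
Review bot: the added doc line says "you probably get kr_error(ENOENT)", which leaves the caller's contract vague. State the exact return value when every NSEC3 record in the section is skipped for exceeding KR_NSEC3_MAX_ITERATIONS, and list it with the other return codes above rather than as a trailing remark.
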
+diff --git a/lib/layer/validate.c b/lib/layer/validate.c
+index cf5dda2..cf5c88a 100644
+--- a/lib/layer/validate.c
++++ b/lib/layer/validate.c
+@@ -894,7 +894,8 @@ static void rank_records(struct kr_query *qry, bool any_rank, enum kr_rank rank_
+ 								 bailiwick) < 0) {
+ 				continue;
+ 			}
+-			if (kr_rank_test(entry->rank, KR_RANK_INITIAL)
++			if (any_rank
++			    || kr_rank_test(entry->rank, KR_RANK_INITIAL)
+ 			    || kr_rank_test(entry->rank, KR_RANK_TRY)
+ 			    || kr_rank_test(entry->rank, KR_RANK_MISSING)) {
+ 				kr_rank_set(&entry->rank, rank_to_set);
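
Review bot: in rank_records(), placing `any_rank` first in the condition short-circuits the three kr_rank_test() checks, so with any_rank set every entry that passed the bailiwick filter gets `rank_to_set`, including entries that already carry a rank other than INITIAL, TRY or MISSING. That matches the commit message, but a one-line comment on the condition saying when callers pass any_rank = true would make the overwrite intent clear to the next reader, given that the message says this part was already missed once in commit 7107faebc.
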
diff -Nru knot-resolver-5.3.1/debian/patches/series knot-resolver-5.3.1/debian/patches/series
--- knot-resolver-5.3.1/debian/patches/series	2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/patches/series	2021-08-31 16:20:00.000000000 +0000
@@ -1 +1,2 @@
 0001-treewide-fix-unaligned-access.patch
+0002-validator-avoid-assertion-in-an-edge-case.patch
diff -Nru knot-resolver-5.3.1/debian/salsa-ci.yml knot-resolver-5.3.1/debian/salsa-ci.yml
--- knot-resolver-5.3.1/debian/salsa-ci.yml	2021-04-12 05:59:28.000000000 +0000
+++ knot-resolver-5.3.1/debian/salsa-ci.yml	2021-08-31 16:20:00.000000000 +0000
@@ -2,3 +2,6 @@
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'
