[Python-modules-team] Bug#1021851: bullseye-pu: package python-dnslib/0.9.14-1

Scott Kitterman debian at kitterman.com
Sun Oct 16 01:37:20 BST 2022


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-modules-team at lists.alioth.debian.org

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Backport of upstream fix for CVE-2022-22846 (no changes needed).

[ Impact ]
User impact is potential vulnerability to DNS cache poisoning.

[ Tests ]
Package runs the upstream test suite both during build and in an
autopkgtest.

[ Risks ]
Code change is trivial and pretty obviously correct.  There were no
other changes between 0.9.14 (in Bullseye) and 0.9.17 where this fix is
backported from in the file in question.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Adds a check that the ID value in a DNS reply matches an ID value in a
query.

[ Other info ]
Security team rated this a minor issue, so addressing the fix in a stable
update.
diff -Nru python-dnslib-0.9.14/debian/changelog python-dnslib-0.9.14/debian/changelog
--- python-dnslib-0.9.14/debian/changelog	2020-06-10 00:51:44.000000000 -0400
+++ python-dnslib-0.9.14/debian/changelog	2022-10-15 20:23:24.000000000 -0400
@@ -1,3 +1,10 @@
+python-dnslib (0.9.14-1+deb11u1) bullseye; urgency=medium
+
+  * Add debian/patches/0002-Validate-TXID-in-client.py.patch from upstream to
+    address CVE-2022-22846
+
+ -- Scott Kitterman <scott at kitterman.com>  Sat, 15 Oct 2022 20:23:24 -0400
+
 python-dnslib (0.9.14-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch
--- python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch	1969-12-31 19:00:00.000000000 -0500
+++ python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch	2022-10-15 20:21:51.000000000 -0400
@@ -0,0 +1,24 @@
+From: Scott Kitterman <scott at kitterman.com>
+Date: Sat, 15 Oct 2022 20:17:26 -0400
+Subject: Validate TXID in client.py
+Fixes CVE-2022-22846
+Origin: backport, https://github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba
+
+---
+ dnslib/client.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dnslib/client.py b/dnslib/client.py
+index 628ea81..09572b6 100644
+--- a/dnslib/client.py
++++ b/dnslib/client.py
+@@ -76,6 +76,9 @@ if __name__ == '__main__':
+         a_pkt = q.send(address,port,tcp=args.tcp)
+         a = DNSRecord.parse(a_pkt)
+ 
++        if q.header.id != a.header.id:
++            raise DNSError('Response transaction id does not match query transaction id')
++
+         if a.header.tc and args.noretry == False:
+             # Truncated - retry in TCP mode
+             a_pkt = q.send(address,port,tcp=True)
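Review bot: the new comparison at `+        if q.header.id != a.header.id:` only guards the first reply; the truncated-retry path in the trailing context (`a_pkt = q.send(address,port,tcp=True)`) obtains a second response after the check has already run, so that TCP reply is not validated unless the same id comparison is repeated after it is parsed, or the check is moved to run on whichever packet is finally used. Also confirm that `DNSError` is already imported in client.py, since the hunk adds a use of it without adding an import.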
diff -Nru python-dnslib-0.9.14/debian/patches/series python-dnslib-0.9.14/debian/patches/series
--- python-dnslib-0.9.14/debian/patches/series	2020-06-10 00:50:31.000000000 -0400
+++ python-dnslib-0.9.14/debian/patches/series	2022-10-15 20:17:32.000000000 -0400
@@ -1 +1,2 @@
 0001-Only-run-tests-for-python3.patch
+0002-Validate-TXID-in-client.py.patch
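The check described under [ Changes ] in stand-alone form, as an added example that is not dnslib's code and not part of this bug report: a minimal RFC 1035 header parser over constructed packets, showing the transaction-id comparison the patch adds and the QR-bit and question-section checks a resolver client would pair with it.

```python
import secrets
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 4.1.1).
HEADER = struct.Struct("!HHHHHH")


def new_txid():
    """Unpredictable 16-bit transaction id; the id check is only useful
    when the id itself is hard for an off-path sender to guess."""
    return secrets.randbits(16)


def build_query(txid, qname=b"example.com", qtype=1):
    """Constructed sample: minimal A query with the given transaction id."""
    flags = 0x0100  # QR=0, RD=1
    labels = b"".join(bytes([len(p)]) + p for p in qname.split(b"."))
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(txid, query):
    """Constructed sample: echo the query's question section with QR=1."""
    return HEADER.pack(txid, 0x8180, 1, 0, 0, 0) + query[HEADER.size:]


def validate_response(query, response):
    """Return True only if response plausibly answers query.

    The id comparison mirrors the CVE-2022-22846 fix; a reply whose id does
    not match is a stale or forged packet and must be discarded rather than
    parsed as an answer.
    """
    if len(response) < HEADER.size:
        return False
    qid = HEADER.unpack_from(query)[0]
    rid, rflags = HEADER.unpack_from(response)[:2]
    if rid != qid:
        return False  # transaction id mismatch: the check the patch adds
    if not rflags & 0x8000:
        return False  # QR bit clear: this is a query, not a response
    qlen = len(query) - HEADER.size
    # The question section must echo what was asked, not some other name.
    return response[HEADER.size:HEADER.size + qlen] == query[HEADER.size:]
```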