Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Address no-dsa CVE. CVE-2022-22846

[ Impact ]
Continued vulnerability to minor issue.

[ Tests ]
Package has tests which are run via autopkgtest and during the build. Both pass locally with the added patch.

[ Risks ]
Risk is minimal. Patch is from upstream and has been around for a while without known issues. Change is trivial.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Add verification that the ID value in a DNS reply matches the ID value in the query.

[ Other info ]
I've only ever used this for running local tests to mock DNS responses, which is not a case that's at risk for this issue, but it did occur to me others may use it differently, so probably better to fix it.

Scott K
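The check the debdiff adds is a three-line comparison of the query and reply transaction ids inside dnslib's client. The following is an added, self-contained illustration of that same check (it is not dnslib code and not part of this bug report): it uses only the standard library to build a minimal query header, validates a reply's length, QR bit and transaction id before anything else is trusted, and applies the validation again after a truncation retry. The hostname `example.invalid`, the ids `0x1234`/`0x5678`, the `send(pkt, tcp)` callable and the `DNSError` class are all constructed for the demonstration.

```python
"""Transaction-id validation for DNS replies (added example, stdlib only)."""
import os
import struct

# Wire-format header (RFC 1035 section 4.1.1):
# id, flags, qdcount, ancount, nscount, arcount, all big-endian 16-bit.
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000  # set on responses
FLAG_TC = 0x0200  # response was truncated, retry over TCP


class DNSError(Exception):
    """Raised when a reply cannot belong to the query we sent (constructed name)."""


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid=None, qtype=1):
    """Build a minimal query (type A by default); random id unless one is given."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    header = HEADER.pack(qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def header_id(pkt):
    """Transaction id from the first two bytes of a packet."""
    return HEADER.unpack_from(pkt, 0)[0]


def header_flags(pkt):
    """Flags word from a packet header."""
    return HEADER.unpack_from(pkt, 0)[1]


def validate_reply(query, reply):
    """Return `reply` if its header could have come from `query`, else raise.

    Checked in order: enough bytes for a header, QR bit set, transaction id
    equal to the query's id. Records are never parsed before these pass.
    """
    if len(reply) < HEADER.size:
        raise DNSError("reply shorter than a DNS header")
    if not header_flags(reply) & FLAG_QR:
        raise DNSError("packet is not a response (QR bit clear)")
    qid, rid = header_id(query), header_id(reply)
    if qid != rid:
        raise DNSError(
            "Response transaction id does not match query transaction id "
            "(query 0x%04x, reply 0x%04x)" % (qid, rid)
        )
    return reply


def resolve(query, send, retry_tcp=True):
    """Send `query` through `send(pkt, tcp)` and validate every reply accepted.

    The check is repeated after a truncation retry so the TCP reply gets the
    same scrutiny as the UDP one.
    """
    reply = validate_reply(query, send(query, False))
    if retry_tcp and header_flags(reply) & FLAG_TC:
        reply = validate_reply(query, send(query, True))
    return reply


def make_reply(qid, flags=FLAG_QR):
    """Constructed reply header with no records, used by the demo below."""
    return HEADER.pack(qid, flags, 0, 0, 0, 0)


def demo():
    """Exercise the three cases; returns (accepted, mismatch_rejected, retry_rejected)."""
    query = build_query("example.invalid", qid=0x1234)
    # A sender that echoes our id: accepted.
    good = resolve(query, lambda pkt, tcp: make_reply(header_id(pkt)))
    # A reply carrying a different id: rejected before any record parsing.
    try:
        resolve(query, lambda pkt, tcp: make_reply(0x5678))
        mismatch_rejected = False
    except DNSError:
        mismatch_rejected = True
    # Truncated UDP reply with the right id, then a TCP reply with the wrong id.
    def flaky(pkt, tcp):
        if not tcp:
            return make_reply(header_id(pkt), FLAG_QR | FLAG_TC)
        return make_reply(0x5678)
    try:
        resolve(query, flaky)
        retry_rejected = False
    except DNSError:
        retry_rejected = True
    return header_id(good) == 0x1234, mismatch_rejected, retry_rejected


if __name__ == "__main__":
    print(demo())
```

The id is the only per-query secret a plain DNS client has against off-path spoofed answers, which is why the comparison sits before any use of the reply and is repeated after the TCP retry rather than trusting the second packet on the strength of the first.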
diff -Nru python-dnslib-0.9.14/debian/changelog python-dnslib-0.9.14/debian/changelog --- python-dnslib-0.9.14/debian/changelog 2020-06-10 00:51:44.000000000 -0400 +++ python-dnslib-0.9.14/debian/changelog 2024-02-12 19:43:55.000000000 -0500 @@ -1,3 +1,9 @@ +python-dnslib (0.9.14-1+deb11u1) bullseye; urgency=medium + + * Add d/p/0002-Validate-TXID-in-client.py.patch to address CVE-2022-22846 + + -- Scott Kitterman <sc...@kitterman.com> Mon, 12 Feb 2024 19:43:55 -0500 + python-dnslib (0.9.14-1) unstable; urgency=medium * New upstream release diff -Nru python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch --- python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch 1969-12-31 19:00:00.000000000 -0500 +++ python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch 2024-02-12 19:42:50.000000000 -0500 
@@ -0,0 +1,24 @@ +From: Scott Kitterman <sc...@kitterman.com> +Date: Sat, 12 Feb 2024 19:41:26 -0500 +Subject: Validate TXID in client.py +Fixes CVE-2022-22846 +Origin: backport, https://github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba + +--- + dnslib/client.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/dnslib/client.py b/dnslib/client.py +index 628ea81..09572b6 100644 +--- a/dnslib/client.py ++++ b/dnslib/client.py +@@ -76,6 +76,9 @@ if __name__ == '__main__': + a_pkt = q.send(address,port,tcp=args.tcp) + a = DNSRecord.parse(a_pkt) + ++ if q.header.id != a.header.id: ++ raise DNSError('Response transaction id does not match query transaction id') ++ + if a.header.tc and args.noretry == False: + # Truncated - retry in TCP mode + a_pkt = q.send(address,port,tcp=True) diff -Nru python-dnslib-0.9.14/debian/patches/series python-dnslib-0.9.14/debian/patches/series --- python-dnslib-0.9.14/debian/patches/series 2020-06-10 00:50:31.000000000 -0400 +++ python-dnslib-0.9.14/debian/patches/series 2024-02-12 19:43:55.000000000 -0500 @@ -1 +1,2 @@ 0001-Only-run-tests-for-python3.patch +0002-Validate-TXID-in-client.py.patch
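Review bot: the new id check in the `dnslib/client.py` hunk runs once, before the truncation branch, so the reply fetched by the `q.send(address,port,tcp=True)` retry that follows it is never compared against `q.header.id` in the visible lines; repeat the check after the retry, or move it below the retry, so both the UDP and the TCP reply are validated. The hunk header also shows the check sits inside the `if __name__ == '__main__':` block, so it protects only the `client.py` command-line tool; library callers that use `q.send(...)` and `DNSRecord.parse(...)` directly get no validation from this change, which is worth stating in the changelog entry so the scope of the CVE-2022-22846 fix is clear (the upstream commit named in the `Origin:` line may cover that path; worth confirming). Two smaller points: the patch header says `Date: Sat, 12 Feb 2024` while the changelog trailer says `Mon, 12 Feb 2024`, and 12 Feb 2024 was a Monday; and the hunk raises `DNSError` without showing an import, so confirm that name is already imported in `client.py` at 0.9.14.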