Bug 2128712
| Summary: | CVE-2022-38177 dhcp: bind: memory leak in ECDSA DNSSEC verification code [fedora-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marian Rehak <mrehak> |
| Component: | dhcp | Assignee: | Martin Osvald 🛹 <mosvald> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 36 | CC: | jorton, mosvald, pavel, pemensik |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | Doc Type: | No Doc Update |
| Hardware: | Unspecified | OS: | Unspecified |
| Story Points: | --- | | |
| Last Closed: | 2022-09-22 13:43:17 UTC | Type: | --- |
| Bug Blocks: | 2128601 | ||
Description
Marian Rehak
2022-09-21 13:01:15 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====

# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=medium

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2128601,2128712

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======

Additionally, you may opt to use the bodhi web interface to submit updates:

https://bodhi.fedoraproject.org/updates/new

Dhcp is not affected by this flaw because:
1. Dhcp doesn't do DNSSEC verification (it passes DNS_CLIENTRESOPT_NODNSSEC option to bind's dns_client_startresolve())
2. The code containing the bug [1] is not compiled in dhcp bundled bind - added #error directive just above the function containing the flaw and it finished compilation:
~~~
[mosvald@fedora dhcp-fedora-rawhide]$ git diff HEAD
diff --git a/dhcp.spec b/dhcp.spec
index 04f38fb..adb397f 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -15,7 +15,7 @@
Summary: Dynamic host configuration protocol software
Name: dhcp
Version: 4.4.3
-Release: 3%{?prever:.%prever}%{?patchver:.%patchver}%{?dist}
+Release: 4%{?prever:.%prever}%{?patchver:.%patchver}%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and
@@ -64,6 +64,7 @@ Patch26: 0026-Add-dhclient-5-B-option-description.patch
Patch27: 0027-Add-missed-sd-notify-patch-to-manage-dhcpd-with-syst.patch
Patch28: 0028-Use-system-getaddrinfo-for-dhcp.patch
Patch29: CVE-2021-25220.patch
+Patch30: my.patch
BuildRequires: autoconf
BuildRequires: automake
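Review bot: `Patch30: my.patch` is declared in this hunk, but nothing in the visible diff shows the patch being applied in %prep. If the spec applies patches with explicit %patch lines rather than %autosetup or %autopatch, the #error probe never reaches the bundled bind tree and the build succeeds regardless; confirm in the scratch build's build.log that my.patch was applied before relying on the result.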
@@ -535,6 +536,9 @@ done
%attr(0644,root,root) %{_mandir}/man8/keama.8.gz
%changelog
+* Thu Sep 22 2022 Martin Osvald <mosvald> - 12:4.4.3-4
+- rebuilt
+
* Thu Jul 21 2022 Fedora Release Engineering <releng> - 12:4.4.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
diff --git a/my.patch b/my.patch
new file mode 100644
index 0000000..6327c3f
--- /dev/null
+++ b/my.patch
@@ -0,0 +1,13 @@
+diff --git a/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c b/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
+index 83b5b51..d0fdb0b 100644
+--- a/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
++++ b/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
+@@ -198,6 +198,8 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ return (ret);
+ }
+
++#error opensslecdsa_verify is compiled in
++
+ static isc_result_t
+ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ isc_result_t ret;
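Review bot: the `#error` added above opensslecdsa_verify() gives a negative result only, and the run that follows builds a single architecture (`--arches x86_64`). A clean build shows that the preprocessor never reached this line in that one configuration, so name the guard or configure setting that excludes the code, and add a control run with the same `#error` placed in a file known to be built, so that "not compiled" can be told apart from a probe that was never exercised.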
[mosvald@fedora dhcp-fedora-rawhide]$
[mosvald@fedora dhcp-fedora-rawhide]$ fedpkg srpm
Using dhcp.spec
Not downloading already downloaded dhcp-4.4.3.tar.gz
Not downloading already downloaded dhcp-4.4.3.tar.gz.asc
setting SOURCE_DATE_EPOCH=1663804800
Wrote: /home/mosvald/Work/redhat/src/dhcp/dhcp-fedora-rawhide/dhcp-4.4.3-4.fc38.src.rpm
[mosvald@fedora dhcp-fedora-rawhide]$ fedpkg scratch-build --srpm ./dhcp-4.4.3-4.fc38.src.rpm --arches x86_64
[====================================] 100% 00:00:11 9.73 MiB 901.61 KiB/secc
Building dhcp-4.4.3-4.fc38.src.rpm for rawhide
Created task: 92268278
Task info: https://koji.fedoraproject.org/koji/taskinfo?taskID=92268278
Watching tasks (this may be safely interrupted)...
92268278 build (rawhide, dhcp-4.4.3-4.fc38.src.rpm): free
92268278 build (rawhide, dhcp-4.4.3-4.fc38.src.rpm): free -> open (buildvm-s390x-21.s390.fedoraproject.org)
92268279 rebuildSRPM (noarch): open (buildvm-s390x-18.s390.fedoraproject.org)
92268292 buildArch (dhcp-4.4.3-4.fc38.src.rpm, x86_64): free
92268279 rebuildSRPM (noarch): open (buildvm-s390x-18.s390.fedoraproject.org) -> closed
1 free 1 open 1 done 0 failed
92268292 buildArch (dhcp-4.4.3-4.fc38.src.rpm, x86_64): free -> open (buildvm-x86-28.iad2.fedoraproject.org)
92268292 buildArch (dhcp-4.4.3-4.fc38.src.rpm, x86_64): open (buildvm-x86-28.iad2.fedoraproject.org) -> closed
0 free 1 open 2 done 0 failed
92268278 build (rawhide, dhcp-4.4.3-4.fc38.src.rpm): open (buildvm-s390x-21.s390.fedoraproject.org) -> closed
0 free 0 open 3 done 0 failed
92268278 build (rawhide, dhcp-4.4.3-4.fc38.src.rpm) completed successfully
[mosvald@fedora dhcp-fedora-rawhide]$
~~~
Given the above findings, closing this as NOTABUG.