Question regarding the fix for CVE-2024-43168 in unbound

Petr Menšík pemensik at redhat.com
Mon Oct 7 21:15:22 UTC 2024


These are a bit unfortunate, because they were not properly coordinated with 
upstream.

There are two similar assigned low severity CVEs:

- https://access.redhat.com/security/cve/CVE-2024-43167

Which points to MR: https://github.com/NLnetLabs/unbound/pull/1073

- https://access.redhat.com/security/cve/CVE-2024-43168

Which points to MR: https://github.com/NLnetLabs/unbound/pull/1040

On 24/09/2024 10:01, Yorgos Thessalonikefs via Unbound-users wrote:
> Hi Daniel,
>
> This CVE-2024-43168 was registered by RedHat. We (NLnet Labs) are a 
> CNA for our products and MITRE notified us about the out-of-scope 
> appointment of some CVEs from RedHat.
> We are in talks with MITRE because although the issue is for RedHat 
> products, the software package mentioned is Unbound.
> One of two things will happen with those CVEs:
> - They will stay under our (NLnet Labs) control and we will reject
>   them, or
> - They will stay under RedHat control and make it clear that it is for
>   the configuration of Unbound in their systems.
>
> With that out of the way, on to the issue.
>
> The issue is about a bug in the configuration code. We only see it as 
> a bug and not a CVE vulnerability because a user with configuration 
> access for Unbound is required.
>
> There are two distinct issues involved with that:
> - https://github.com/NLnetLabs/unbound/issues/1039
> - https://github.com/NLnetLabs/unbound/pull/1062
>
> The initial commits from the reporter solve the issues but further 
> commits from us complement the solution. It would be good to apply the 
> whole set of commits.
>
> The commits deal with erroneous input in Unbound's configuration.
>
> I confirm that the chronological order of the commits is the following:
> - https://github.com/NLnetLabs/unbound/commit/193401e7543a1e561dd634a3eaae932fa462a2b9
> - https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7
> - https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e
> - https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c
>
> If you have further questions let me know.
>
> Best regards,
> -- Yorgos
>
> On 23/09/2024 22:26, Daniel Leidert via Unbound-users wrote:
>> Hi,
>>
>> I am a Debian developer and part of the Debian LTS team. I'm currently
>> going through the open vulnerabilities for the unbound versions in
>> Debian Buster and Bullseye.
>>
>> One of the issues is described in CVE-2024-43168. That particular issue
>> was closed by [1]. However, it was then followed by a series of other
>> commits [2,3,4]. In the pull request you mention [5] that these changes
>> stop unbound "from taking a long time" and "having trouble with
>> malformed input causing invalid accesses".
>>
>> How serious are these issues? There hasn't been any additional CVE as
>> far as I know. Should these additional commits be applied to complete
>> the fix for CVE-2024-43168?
>>
>> Regards, Daniel
>>
>> [1] https://github.com/NLnetLabs/unbound/pull/1040
>> [2] https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7
>> [3] https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e
>> [4] https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c
>> [5] https://github.com/NLnetLabs/unbound/pull/1040#issuecomment-2033884392
>>
>>
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB