From 8e7af2b5fea95c406cf394c5c2fefbc55b96894b Mon Sep 17 00:00:00 2001 From: rdobuilder Date: Aug 30 2024 15:13:04 +0000 Subject: Backport CVE-2023-29483 Fix CentOS 9-stream updated python3-dns to 2.6.1 and this broke services running with eventlet. In order to resolve the issue backporting the fix from eventlet 0.35.2. Related-Issue: RHEL-32628 Closes-Issue: OSPCIX-437 Related-to: https://review.rdoproject.org/r/q/Ib20691b075d2bee0cf60ed36276436ad44644ef6 --- diff --git a/SOURCES/0001-Dnspython-2.6.1-Address-DoS-via-the-Tudoor-mechanism.patch b/SOURCES/0001-Dnspython-2.6.1-Address-DoS-via-the-Tudoor-mechanism.patch new file mode 100644 index 0000000..95994a3 --- /dev/null +++ b/SOURCES/0001-Dnspython-2.6.1-Address-DoS-via-the-Tudoor-mechanism.patch @@ -0,0 +1,107 @@ +From 51e3c4928d4938beb576eff34f3bf97e6e64e6b4 Mon Sep 17 00:00:00 2001 +From: Kelvin J Li <72498127+kelvin-j-li@users.noreply.github.com> +Date: Mon, 19 Feb 2024 21:42:27 +0800 +Subject: [PATCH] Dnspython 2.6.1 - Address DoS via the Tudoor mechanism + (CVE-2023-29483) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix for (CVE-2023-29483) and handling of truncated exceptions in greendns.py provided by Bob Halley from https://github.com/rthalley/eventlet/tree/tudoor + +Do not eat legitimate Truncated exceptions. +--------- +Co-authored-by: Bob Halley +Co-authored-by: Hervé Beraud +--- + eventlet/support/greendns.py | 56 ++++++++++++++++++++++++------------ + 1 file changed, 38 insertions(+), 18 deletions(-) + +diff --git a/eventlet/support/greendns.py b/eventlet/support/greendns.py +index 62621423..365664f2 100644 +--- a/eventlet/support/greendns.py ++++ b/eventlet/support/greendns.py +@@ -713,7 +713,7 @@ except TypeError: + def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53, + af=None, source=None, source_port=0, ignore_unexpected=False, + one_rr_per_rrset=False, ignore_trailing=False, +- raise_on_truncation=False, sock=None): ++ raise_on_truncation=False, sock=None, ignore_errors=False): + """coro friendly replacement for dns.query.udp + Return the response obtained after sending a query via UDP. + +@@ -752,7 +752,10 @@ def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53, + query. If None, the default, a socket is created. Note that + if a socket is provided, it must be a nonblocking datagram socket, + and the source and source_port are ignored. +- @type sock: socket.socket | None""" ++ @type sock: socket.socket | None ++ @param ignore_errors: if various format errors or response mismatches occur, ++ continue listening. ++ @type ignore_errors: bool""" + + wire = q.to_wire() + if af is None: +@@ -816,26 +819,43 @@ def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53, + addr = from_address[0] + addr = dns.ipv6.inet_ntoa(dns.ipv6.inet_aton(addr)) + from_address = (addr, from_address[1], from_address[2], from_address[3]) +- if from_address == destination: ++ if from_address != destination: ++ if ignore_unexpected: ++ continue ++ else: ++ raise dns.query.UnexpectedSource( ++ 'got a response from %s instead of %s' ++ % (from_address, destination)) ++ try: ++ if _handle_raise_on_truncation: ++ r = dns.message.from_wire(wire, ++ keyring=q.keyring, ++ request_mac=q.mac, ++ one_rr_per_rrset=one_rr_per_rrset, ++ ignore_trailing=ignore_trailing, ++ raise_on_truncation=raise_on_truncation) ++ else: ++ r = dns.message.from_wire(wire, ++ keyring=q.keyring, ++ request_mac=q.mac, ++ one_rr_per_rrset=one_rr_per_rrset, ++ ignore_trailing=ignore_trailing) ++ if not q.is_response(r): ++ raise dns.query.BadResponse() + break +- if not ignore_unexpected: +- raise dns.query.UnexpectedSource( +- 'got a response from %s instead of %s' +- % (from_address, destination)) ++ except dns.message.Truncated as e: ++ if ignore_errors and not q.is_response(e.message()): ++ continue ++ else: ++ raise ++ except Exception: ++ if ignore_errors: ++ continue ++ else: ++ raise + finally: + s.close() + +- if _handle_raise_on_truncation: +- r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac, +- one_rr_per_rrset=one_rr_per_rrset, +- ignore_trailing=ignore_trailing, +- raise_on_truncation=raise_on_truncation) +- else: +- r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac, +- one_rr_per_rrset=one_rr_per_rrset, +- ignore_trailing=ignore_trailing) +- if not q.is_response(r): +- raise dns.query.BadResponse() + return r + + +-- +2.46.0 + diff --git a/SPECS/python-eventlet.spec b/SPECS/python-eventlet.spec index b5bc72d..65a368f 100644 --- a/SPECS/python-eventlet.spec +++ b/SPECS/python-eventlet.spec @@ -9,12 +9,13 @@ io operations appear blocking at the source code level.} Name: python-%{srcname} Version: 0.35.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Highly concurrent networking library License: MIT URL: https://eventlet.net Source: %pypi_source %{srcname} +Patch0001: 0001-Dnspython-2.6.1-Address-DoS-via-the-Tudoor-mechanism.patch BuildArch: noarch @@ -80,6 +81,10 @@ export EVENTLET_NO_GREENDNS=yes %doc doc/build/html %changelog +* Fri Aug 30 2024 Yatin Karel - 0.35.1-2 +- Backport CVE-2023-29483 Fix +- Related Issues RHEL-32628, OSPCIX-437 + * Fri Apr 5 2024 Alfredo Moralejo - 0.35.1-1 - Update to 0.35.1