import CS python-dns-1.15.0-12.el8
This commit is contained in:
parent
c7bf39cfdb
commit
b051ffef9f
99
SOURCES/CVE-2023-29483.patch
Normal file
99
SOURCES/CVE-2023-29483.patch
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
From a77e0c662c6d5b8224ac1e283aee8353bcd1536e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Mon, 22 Apr 2024 16:49:15 +0200
|
||||||
|
Subject: [PATCH] CVE-2023-29483
|
||||||
|
|
||||||
|
---
|
||||||
|
dns/query.py | 60 +++++++++++++++++++++++++++++++++++-----------------
|
||||||
|
1 file changed, 41 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dns/query.py b/dns/query.py
|
||||||
|
index 19b9fbb..2dba3cc 100644
|
||||||
|
--- a/dns/query.py
|
||||||
|
+++ b/dns/query.py
|
||||||
|
@@ -170,6 +170,22 @@ def _addresses_equal(af, a1, a2):
|
||||||
|
return n1 == n2 and a1[1:] == a2[1:]
|
||||||
|
|
||||||
|
|
||||||
|
+def _matches_destination(af, from_address, destination, ignore_unexpected):
|
||||||
|
+ # Check that from_address is appropriate for a response to a query
|
||||||
|
+ # sent to destination.
|
||||||
|
+ if not destination:
|
||||||
|
+ return True
|
||||||
|
+ if _addresses_equal(af, from_address, destination) or (
|
||||||
|
+ dns.inet.is_multicast(destination[0]) and from_address[1:] == destination[1:]
|
||||||
|
+ ):
|
||||||
|
+ return True
|
||||||
|
+ elif ignore_unexpected:
|
||||||
|
+ return False
|
||||||
|
+ raise UnexpectedSource(
|
||||||
|
+ f"got a response from {from_address} instead of " f"{destination}"
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def _destination_and_source(af, where, port, source, source_port):
|
||||||
|
# Apply defaults and compute destination and source tuples
|
||||||
|
# suitable for use in connect(), sendto(), or bind().
|
||||||
|
@@ -194,7 +210,7 @@ def _destination_and_source(af, where, port, source, source_port):
|
||||||
|
|
||||||
|
|
||||||
|
def udp(q, where, timeout=None, port=53, af=None, source=None, source_port=0,
|
||||||
|
- ignore_unexpected=False, one_rr_per_rrset=False):
|
||||||
|
+ ignore_unexpected=False, one_rr_per_rrset=False, ignore_errors=False):
|
||||||
|
"""Return the response obtained after sending a query via UDP.
|
||||||
|
|
||||||
|
@param q: the query
|
||||||
|
@@ -239,26 +255,32 @@ def udp(q, where, timeout=None, port=53, af=None, source=None, source_port=0,
|
||||||
|
while 1:
|
||||||
|
_wait_for_readable(s, expiration)
|
||||||
|
(wire, from_address) = s.recvfrom(65535)
|
||||||
|
- if _addresses_equal(af, from_address, destination) or \
|
||||||
|
- (dns.inet.is_multicast(where) and
|
||||||
|
- from_address[1:] == destination[1:]):
|
||||||
|
- break
|
||||||
|
- if not ignore_unexpected:
|
||||||
|
- raise UnexpectedSource('got a response from '
|
||||||
|
- '%s instead of %s' % (from_address,
|
||||||
|
- destination))
|
||||||
|
- finally:
|
||||||
|
- if begin_time is None:
|
||||||
|
- response_time = 0
|
||||||
|
- else:
|
||||||
|
+ if not _matches_destination(
|
||||||
|
+ s.family, from_address, destination, ignore_unexpected
|
||||||
|
+ ):
|
||||||
|
+ continue
|
||||||
|
+
|
||||||
|
response_time = time.time() - begin_time
|
||||||
|
+
|
||||||
|
+ try:
|
||||||
|
+ r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
|
||||||
|
+ one_rr_per_rrset=one_rr_per_rrset)
|
||||||
|
+ r.time = response_time
|
||||||
|
+ except Exception:
|
||||||
|
+ if ignore_errors:
|
||||||
|
+ continue
|
||||||
|
+ else:
|
||||||
|
+ raise
|
||||||
|
+
|
||||||
|
+ if q.is_response(r):
|
||||||
|
+ return r
|
||||||
|
+ else:
|
||||||
|
+ if ignore_errors:
|
||||||
|
+ continue
|
||||||
|
+ else:
|
||||||
|
+ raise BadResponse
|
||||||
|
+ finally:
|
||||||
|
s.close()
|
||||||
|
- r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
|
||||||
|
- one_rr_per_rrset=one_rr_per_rrset)
|
||||||
|
- r.time = response_time
|
||||||
|
- if not q.is_response(r):
|
||||||
|
- raise BadResponse
|
||||||
|
- return r
|
||||||
|
|
||||||
|
|
||||||
|
def _net_read(sock, count, expiration):
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
@ -1,6 +1,6 @@
|
|||||||
Name: python-dns
|
Name: python-dns
|
||||||
Version: 1.15.0
|
Version: 1.15.0
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
Summary: DNS toolkit for Python
|
Summary: DNS toolkit for Python
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -18,6 +18,12 @@ Patch1: fix_unicode_label_escaping.patch
|
|||||||
# Backported from upstream: https://github.com/rthalley/dnspython/commit/9fbf9b223dc26262b1cf23f623f89283ee9c8375
|
# Backported from upstream: https://github.com/rthalley/dnspython/commit/9fbf9b223dc26262b1cf23f623f89283ee9c8375
|
||||||
Patch2: float_none_comparison_fix.patch
|
Patch2: float_none_comparison_fix.patch
|
||||||
|
|
||||||
|
# Fix for CVE-2023-29483
|
||||||
|
# Upstream fix:
|
||||||
|
# https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3
|
||||||
|
# Backported to completely different codebase hence not very similar to upstream fix.
|
||||||
|
Patch3: CVE-2023-29483.patch
|
||||||
|
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
BuildRequires: python3-setuptools
|
BuildRequires: python3-setuptools
|
||||||
|
|
||||||
@ -75,6 +81,10 @@ find examples -type f | xargs chmod a-x
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 22 2024 Lumír Balhar <lbalhar@redhat.com> - 1.15.0-12
|
||||||
|
- Security fix for CVE-2023-29483
|
||||||
|
Resolves: RHEL-32630
|
||||||
|
|
||||||
* Thu Apr 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 1.15.0-11
|
* Thu Apr 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 1.15.0-11
|
||||||
- Fix comparison between float and None types
|
- Fix comparison between float and None types
|
||||||
Resolves: rhbz#2075187
|
Resolves: rhbz#2075187
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user