9 changed files with 118 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/dnspython-1.15.0.tar.gz
+/dnspython-1.15.0.tar.gz
--- a/.python-dns.metadata
+++ b/.python-dns.metadata
@ -1 +0,0 @@
-fcb8edb4b307f68a27cd356e7b44f53512b63b5e SOURCES/dnspython-1.15.0.tar.gz
--- a/CVE-2023-29483.patch
+++ b/CVE-2023-29483.patch
@ -0,0 +1,99 @@
+From a77e0c662c6d5b8224ac1e283aee8353bcd1536e Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 22 Apr 2024 16:49:15 +0200
+Subject: [PATCH] CVE-2023-29483
+
+---
+ dns/query.py | 60 +++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 41 insertions(+), 19 deletions(-)
+
+diff --git a/dns/query.py b/dns/query.py
+index 19b9fbb..2dba3cc 100644
+--- a/dns/query.py
+++ b/dns/query.py
+@@ -170,6 +170,22 @@ def _addresses_equal(af, a1, a2):
+     return n1 == n2 and a1[1:] == a2[1:]
+ 
+ 
+def _matches_destination(af, from_address, destination, ignore_unexpected):
+    # Check that from_address is appropriate for a response to a query
+    # sent to destination.
+    if not destination:
+        return True
+    if _addresses_equal(af, from_address, destination) or (
+        dns.inet.is_multicast(destination[0]) and from_address[1:] == destination[1:]
+    ):
+        return True
+    elif ignore_unexpected:
+        return False
+    raise UnexpectedSource(
+        f"got a response from {from_address} instead of " f"{destination}"
+    )
+
+
+ def _destination_and_source(af, where, port, source, source_port):
+     # Apply defaults and compute destination and source tuples
+     # suitable for use in connect(), sendto(), or bind().
+@@ -194,7 +210,7 @@ def _destination_and_source(af, where, port, source, source_port):
+ 
+ 
+ def udp(q, where, timeout=None, port=53, af=None, source=None, source_port=0,
+-        ignore_unexpected=False, one_rr_per_rrset=False):
+        ignore_unexpected=False, one_rr_per_rrset=False, ignore_errors=False):
+     """Return the response obtained after sending a query via UDP.
+ 
+     @param q: the query
+@@ -239,26 +255,32 @@ def udp(q, where, timeout=None, port=53, af=None, source=None, source_port=0,
+         while 1:
+             _wait_for_readable(s, expiration)
+             (wire, from_address) = s.recvfrom(65535)
+-            if _addresses_equal(af, from_address, destination) or \
+-                    (dns.inet.is_multicast(where) and
+-                     from_address[1:] == destination[1:]):
+-                break
+-            if not ignore_unexpected:
+-                raise UnexpectedSource('got a response from '
+-                                       '%s instead of %s' % (from_address,
+-                                                             destination))
+-    finally:
+-        if begin_time is None:
+-            response_time = 0
+-        else:
+            if not _matches_destination(
+                s.family, from_address, destination, ignore_unexpected
+            ):
+                continue
+
+             response_time = time.time() - begin_time
+
+            try:
+                r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
+                                  one_rr_per_rrset=one_rr_per_rrset)
+                r.time = response_time
+            except Exception:
+                if ignore_errors:
+                    continue
+                else:
+                    raise
+
+            if q.is_response(r):
+                return r
+            else:
+                if ignore_errors:
+                    continue
+                else:
+                    raise BadResponse
+    finally:
+         s.close()
+-    r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
+-                              one_rr_per_rrset=one_rr_per_rrset)
+-    r.time = response_time
+-    if not q.is_response(r):
+-        raise BadResponse
+-    return r
+ 
+ 
+ def _net_read(sock, count, expiration):
+-- 
+2.44.0
+
--- a/SOURCES/fix_unicode_label_escaping.patch
+++ b/SOURCES/fix_unicode_label_escaping.patch
--- a/SOURCES/float_none_comparison_fix.patch
+++ b/SOURCES/float_none_comparison_fix.patch
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
--- a/SPECS/python-dns.spec
+++ b/SPECS/python-dns.spec
@ -1,6 +1,6 @@
 Name:           python-dns
 Version:        1.15.0
-Release:        11%{?dist}
+Release:        12%{?dist}
 Summary:        DNS toolkit for Python

 License:        MIT
@ -18,6 +18,12 @@ Patch1:         fix_unicode_label_escaping.patch
 # Backported from upstream: https://github.com/rthalley/dnspython/commit/9fbf9b223dc26262b1cf23f623f89283ee9c8375
 Patch2:         float_none_comparison_fix.patch

+# Fix for CVE-2023-29483
+# Upstream fix:
+#   https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3
+# Backported to completely different codebase hence not very similar to upstream fix.
+Patch3:         CVE-2023-29483.patch
+
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools

@ -75,6 +81,10 @@ find examples -type f | xargs chmod a-x


 %changelog
+* Mon Apr 22 2024 Lumír Balhar <lbalhar@redhat.com> - 1.15.0-12
+- Security fix for CVE-2023-29483
+Resolves: RHEL-32630
+
 * Thu Apr 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 1.15.0-11
 - Fix comparison between float and None types
 Resolves: rhbz#2075187
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (dnspython-1.15.0.tar.gz) = 89792cc5033a1a93a4018cf437adf141364c8a072bf7e8eb4abbe7d7f6351e652129138405c0cee2173870618f480fba4cd30f3b4874f40f5c6f870c252f08ed
--- a/SOURCES/test_fails_on_missing_file.patch
+++ b/SOURCES/test_fails_on_missing_file.patch
				`@ -1 +0,0 @@`
				`fcb8edb4b307f68a27cd356e7b44f53512b63b5e SOURCES/dnspython-1.15.0.tar.gz`
				`@ -0,0 +1 @@`
				`SHA512 (dnspython-1.15.0.tar.gz) = 89792cc5033a1a93a4018cf437adf141364c8a072bf7e8eb4abbe7d7f6351e652129138405c0cee2173870618f480fba4cd30f3b4874f40f5c6f870c252f08ed`