Comments (5)
We added a parameter to dns.query.udp() as part of the fix, so this code will test:
import dns.message
import dns.query
q = dns.message.make_query("www.dnspython.org", "A")
try:
r = dns.query.udp(q, "1.1.1.1", ignore_errors=True)
print("has the CVE fix")
except TypeError:
# ignore_errors is not a valid parameter
print("does not have the CVE fix")
here's an example of it with various versions:
% git checkout v2.5.0
HEAD is now at 91e5027 2.5.0 versioning
% python ~/cve-fix-check.py
does not have the CVE fix
% git checkout v2.6.1
Previous HEAD position was 91e5027 2.5.0 versioning
HEAD is now at 0a742b9 update CI
% python ~/cve-fix-check.py
has the CVE fix
% git checkout main
Previous HEAD position was 0a742b9 update CI
Switched to branch 'main'
Your branch is up to date with 'origin/main'.
% python ~/cve-fix-check.py
has the CVE fix
from dnspython.
All versions of dnspython < 2.6.0 are affected by the issue. I don't think this problem really warrants aggressive backporting though, as a DoS against a stub resolver is not generally very appealing. Basically you'd have to know when some python application you cared about was about to do some critical query, like looking up the hostname of a database or something, guess the right one-time use port, and then spoof a bad message from that port before the real resolver answered, thus causing the python program to not connect to the database (unless there was another resolver in /etc/resolv.conf, or the application tried again, or ...).
At any rate, it didn't meet the severity level where I'd consider it worth aggressive backporting, which is why I didn't write those backports.
So, my vote would be "no need", but if someone at Debian feels otherwise, the fix is basically the same for all of them as far as adding ignore_errors to udp() and receive_udp(). It's a little different in that there is no "nameserver" abstraction in older versions, and the resolver just directly calls udp(), so you'd have to have it pass the ignore_errors and ignore_unexpected flags just like the final 2.6.0 code does in the nameserver object.
from dnspython.
Thanks. We have a category for yes it's an issue, but it's not worth the trouble. I'll recommend that to our security team.
from dnspython.
I'm in the same situation as @kitterma so thank you for the details. Given all the conditions that have to be met for a successful attack, I guess that there is not an easy way how to reproduce it. I mean having a code that verifies that a specific version of DNS lib contains the fix. Is there a way to do that?
from dnspython.
Thank you very much!
from dnspython.
Related Issues (20)
- dnspython 2.6.0: timeout with DNS servers that worked fine with dnspython 2.5.0 HOT 7
- On the wire answer size HOT 4
- The DNS operation timed out after seconds HOT 1
- Add an overridable socket_factory to dns.quic (like dns.query has) HOT 3
- dns.query.quic() cert validation with custom verify path broken? HOT 3
- Confusing docstring on dns.Set HOT 4
- License specification is missing HOT 2
- Query for SOA requires TSIG (for Catalog Zones). HOT 3
- Race conditions in dns.quic._asyncio can cause hangs or long closes
- response time while using asyncio is skewed HOT 2
- dnspython 2.x DNS lookup failed with "The DNS operation timed out" error over on Redhat HOT 7
- Question: resolving without chaining?
- Strange Behavior When Unpickling HOT 4
- [asyncio] Blocking call to import_module in rdata.py HOT 5
- Timeout for TXT records that are too large HOT 2
- Issue in Hostname Resolution with multiple Nameservers HOT 2
- Parsing of KEY records HOT 8
- AttributeError: 'NoneType' object has no attribute 'split' on importing dns.query HOT 5
- dns.resolver.override_system_resolver doesnt work in windows HOT 2
- Installing dnspython doesn't work HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dnspython.