Bug 1221164 (CVE-2024-1931)

Summary: VUL-0: CVE-2024-1931: unbound: Infinite loop due to improper EDE message size check
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: abergmann
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/396589/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-1931:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-08 08:10:16 UTC 
NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1931
https://www.cve.org/CVERecord?id=CVE-2024-1931
https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt
https://bugzilla.redhat.com/show_bug.cgi?id=2268418
Comment 1 Alexander Bergmann 2024-03-08 08:13:09 UTC 
The ede_trim_text(..) function is only present in newer unbound versions. Therefore only Factory is affected.

commit ccbe31c21f91ae96e759547be264a34ac63f4f90
Author: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date:   Thu Feb 22 16:22:31 2024 +0100

    - Fix trim of EDE text from large udp responses from spinning cpu.

diff --git a/doc/Changelog b/doc/Changelog
index 88c9dbb3..08964afb 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+22 February 2024: Wouter
+       - Fix trim of EDE text from large udp responses from spinning cpu.
+
 20 February 2024: Yorgos
        - Merge #1010: Mention REFUSED has the TC bit set with unmatched
          allow_cookie acl in the manpage. It also fixes the code to match the
diff --git a/util/data/msgencode.c b/util/data/msgencode.c
index 80ae33a3..898ff841 100644
--- a/util/data/msgencode.c
+++ b/util/data/msgencode.c
@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list)
                                curr->opt_len = 2;
                                prev = curr;
                                curr = curr->next;
+                       } else {
+                               prev = curr;
+                               curr = curr->next;
                        }
                } else {
                        /* continue */
Comment 2 OBSbugzilla Bot 2024-03-08 13:35:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1221164) was mentioned in
https://build.opensuse.org/request/show/1156332 Factory / unbound
Comment 3 Jorik Cronenberg 2024-05-07 14:14:16 UTC 
Affected codestreams are fixed
Comment 4 Andrea Mattiazzo 2024-06-11 09:53:14 UTC 
All done, closing.