Bug 1222693 (CVE-2023-29483)

Summary: VUL-0: CVE-2023-29483: python-dnspython: potential DoS via the Tudoor mechanism
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Daniel Garcia <daniel.garcia>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: camila.matos, cloud-bugs, daniel.garcia, gayane.osipyan, python-maintainers
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/401509/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-29483:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-04-11 19:15:50 UTC
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29483
https://bugzilla.redhat.com/show_bug.cgi?id=2274520
https://www.cve.org/CVERecord?id=CVE-2023-29483
https://github.com/eventlet/eventlet/issues/913
https://github.com/eventlet/eventlet/releases/tag/v0.35.2
https://github.com/rthalley/dnspython/issues/1045
https://github.com/rthalley/dnspython/releases/tag/v2.6.0
https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
https://www.dnspython.org/
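The two behaviours the description contrasts, as an added illustration that is not part of this bug report and not dnspython's own code: a receive loop that treats the first datagram from the expected address and port as the answer (so one injected junk packet aborts the whole resolution), next to a loop that discards the junk and keeps waiting until the original deadline. The socket, the server address 192.0.2.53:53, the transaction ID, the scripted packet timings and the 12-byte-header parser are all constructed stand-ins chosen for this example; the real fix lives in the upstream commits referenced in this bug, not here.

```python
import socket
import struct
import time

SERVER = ("192.0.2.53", 53)   # constructed upstream server address (TEST-NET-1)
QID = 0x1234                   # constructed transaction ID of the outstanding query


class FakeUdpSocket:
    """Constructed stand-in for a UDP socket (assumption, not a real network).

    Datagrams are scripted as (arrival_time, payload, source) and handed out on a
    virtual clock, so the timing of the attack is deterministic and runs offline.
    """

    def __init__(self, script):
        self._script = sorted(script, key=lambda d: d[0])
        self.now = 0.0          # virtual clock, in seconds
        self._timeout = None

    def settimeout(self, timeout):
        self._timeout = timeout

    def recvfrom(self, bufsize):
        if self._script:
            arrival, payload, source = self._script[0]
            if self._timeout is None or arrival <= self.now + self._timeout:
                self._script.pop(0)
                self.now = max(self.now, arrival)
                return payload[:bufsize], source
        # nothing arrives before the timeout expires
        if self._timeout is not None:
            self.now += self._timeout
        raise socket.timeout("no datagram within timeout")


def encode_name(name):
    """Wire-encode a dotted DNS name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qid, name="example.com."):
    """A minimal well-formed DNS response: header (QR=1, RD, RA, NOERROR) plus the question."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_response(wire, qid):
    """Simplified stand-in for dns.message.from_wire() (an assumption, not dnspython's code).

    Accepts a datagram with a full header, a matching transaction ID and the QR bit set;
    raises ValueError on anything else, as a wire-format parser does on garbage.
    """
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", wire[:4])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return wire


def receive_udp_before(sock, expected_from, qid, timeout, clock=time.monotonic):
    """Receive loop with the weakness the advisory describes: the first datagram from the
    expected (address, port) is parsed, and a parse failure ends the whole wait.
    `clock` is unused here and accepted only to keep the signature uniform."""
    sock.settimeout(timeout)
    while True:
        wire, source = sock.recvfrom(65535)
        if source != expected_from:
            continue                      # wrong source: ignored, keep waiting
        return parse_response(wire, qid)  # ValueError from junk propagates; no further waiting


def receive_udp_after(sock, expected_from, qid, timeout, clock=time.monotonic):
    """Hardened receive loop: a malformed datagram from the expected source is discarded
    and the loop keeps waiting until the original deadline."""
    deadline = clock() + timeout
    while True:
        remaining = deadline - clock()
        if remaining <= 0:
            raise socket.timeout("deadline reached")
        sock.settimeout(remaining)
        wire, source = sock.recvfrom(65535)
        if source != expected_from:
            continue
        try:
            return parse_response(wire, qid)
        except ValueError:
            continue                      # junk from the right source: keep waiting


def tudoor_script():
    """Constructed timeline: injected junk from the expected source at 10 ms, then the
    genuine response at 50 ms."""
    return [(0.010, b"\x00", SERVER), (0.050, build_response(QID), SERVER)]


def off_path_script():
    """Constructed timeline: junk from a wrong source port, then the genuine response."""
    return [(0.010, b"\x00", ("192.0.2.53", 5353)), (0.050, build_response(QID), SERVER)]


def silent_script():
    """Constructed timeline: junk from the expected source and then nothing at all."""
    return [(0.010, b"\x00", SERVER)]


def run_scenario(receive, script, timeout=2.0):
    """Run one receive implementation against a scripted socket; return the outcome."""
    sock = FakeUdpSocket(script)
    try:
        receive(sock, SERVER, QID, timeout, clock=lambda: sock.now)
        return "resolved"
    except ValueError:
        return "aborted_by_junk"
    except socket.timeout:
        return "timed_out"


if __name__ == "__main__":
    for name, script in (("tudoor", tudoor_script), ("off-path", off_path_script),
                         ("silent", silent_script)):
        print(name, "before:", run_scenario(receive_udp_before, script()),
              "after:", run_scenario(receive_udp_after, script()))
```

The "silent" timeline is the caveat worth checking in any backport: once junk is swallowed, the loop must still be bounded by the original deadline rather than by a fresh timeout per datagram, otherwise an attacker who keeps sending junk can hold the resolver indefinitely.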
Comment 2 Camila Camargo de Matos 2024-04-11 19:26:32 UTC
It seems like three commits are needed in order to fix the issue:
- the initial fix: https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3
- some additional necessary changes: https://github.com/rthalley/dnspython/commit/5a441b9854425c4e23abb8f91973361fe8401e33
- a regression fix (see upstream issue 1053): https://github.com/rthalley/dnspython/commit/2ab3d1628c9ae0545e225522b3b445c3478dc6ad
Comment 4 Camila Camargo de Matos 2024-04-12 11:55:04 UTC
For dnspython versions preceding 1.16, application of the patches might require backporting, as changes from commit ac2bd6f2 [0] had not yet been introduced to the code. This commit adds one of the patched functions from dns/query.py, receive_udp.

File dns/asyncquery.py from the patch is also not present in versions below 1.16 (and even versions below 2.0), as it was introduced later with commit 98b344d6 [1] (this functionality in general was introduced with the previously mentioned commit).

For file dns/nameserver.py, it seems not to have been present in dnspython before the introduction of changes from commit f7daeb87 [2] (changes introduced in version 2.4). Therefore, code that should be changed by the patch in nameserver.py may need to be changed in dns/resolver.py instead. Once again, this indicates that a more elaborate backport of the original patch might be necessary.

[0] https://github.com/rthalley/dnspython/commit/ac2bd6f2
[1] https://github.com/rthalley/dnspython/commit/98b344d6
[2] https://github.com/rthalley/dnspython/commit/f7daeb87