summaryrefslogtreecommitdiffstats
path: root/debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 14:54:47 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 14:54:47 +0000
commitdf4711df64fd2ed7e60e08c65a0e220fe54e83b5 (patch)
treea1775390cdb8bf9da2568f139bfda6bd1164f146 /debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch
parentReleasing progress-linux version 5.6.0-1progress7u1. (diff)
downloadknot-resolver-df4711df64fd2ed7e60e08c65a0e220fe54e83b5.tar.xz
knot-resolver-df4711df64fd2ed7e60e08c65a0e220fe54e83b5.zip
Merging debian version 5.6.0-1+deb12u1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch')
-rw-r--r--debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch31
1 files changed, 31 insertions, 0 deletions
diff --git a/debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch b/debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch
new file mode 100644
index 0000000..a72b7e5
--- /dev/null
+++ b/debian/patches/0004-validator-limit-the-amount-of-work-on-SHA1-in-NSEC3-.patch
@@ -0,0 +1,31 @@
+From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz>
+Date: Mon, 12 Feb 2024 11:16:37 +0100
+Subject: validator: limit the amount of work on SHA1 in NSEC3 proofs
+
+---
+ lib/dnssec/nsec3.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
+index e4d314b..4199f25 100644
+--- a/lib/dnssec/nsec3.c
++++ b/lib/dnssec/nsec3.c
+@@ -146,6 +146,18 @@ static int closest_encloser_match(int *flags, const knot_rrset_t *nsec3,
+ const knot_dname_t *encloser = knot_wire_next_label(name, NULL);
+ *skipped = 1;
+
++ /* Avoid doing too much work on SHA1, mitigating:
++ * CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
++ * We log nothing here; it wouldn't be easy from this place
++ * and huge SNAME should be suspicious on its own.
++ */
++ const int max_labels = knot_dname_labels(nsec3->owner, NULL) - 1
++ + kr_nsec3_max_depth(&params);
++ for (int l = knot_dname_labels(encloser, NULL); l > max_labels; --l) {
++ encloser = knot_wire_next_label(encloser, NULL);
++ ++(*skipped);
++ }
++
+ while(encloser) {
+ ret = hash_name(&name_hash, &params, encloser);
+ if (ret != 0)