Debian Bug report logs - #865678
knot: CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery


Package: src:knot; Maintainer for src:knot is knot packagers <knot@packages.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 23 Jun 2017 17:03:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions knot/2.4.3-1, knot/1.6.0-1, knot/2.5.1-1, knot/2.4.0-3

Fixed in versions knot/2.5.3-1, knot/1.6.0-1+deb8u1, knot/2.4.0-3+deb9u1

Done: Yves-Alexis Perez <corsac@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#865678; Package src:knot. (Fri, 23 Jun 2017 17:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Fri, 23 Jun 2017 17:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: knot: Improper TSIG validity period check can allow TSIG forgery
Date: Fri, 23 Jun 2017 19:01:49 +0200
Source: knot
Version: 2.4.3-1
Severity: grave
Tags: security upstream patch
Control: found -1 2.5.1-1

Hi

See
https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html
and
http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf
and filing a bug in BTS to have a reference, afaik there is no CVE
yet assigned.

[16:19] < KGB-1> Yves-Alexis Perez 52846  /data/CVE/list add temporary entry for knot
[16:21] < Corsac> ondrej: I guess you know about it?

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions knot/2.5.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 23 Jun 2017 17:03:04 GMT)


Marked as found in versions knot/2.4.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Jun 2017 19:45:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#865678; Package src:knot. (Sat, 08 Jul 2017 12:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Sat, 08 Jul 2017 12:36:03 GMT)


Message #14 received at 865678@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 865678@bugs.debian.org
Subject: Re: Bug#865678: knot: Improper TSIG validity period check can allow TSIG forgery
Date: Sat, 8 Jul 2017 14:33:50 +0200
Control: retitle -1 knot: CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery

On Fri, Jun 23, 2017 at 07:01:49PM +0200, Salvatore Bonaccorso wrote:
> Source: knot
> Version: 2.4.3-1
> Severity: grave
> Tags: security upstream patch
> Control: found -1 2.5.1-1
> 
> Hi
> 
> See
> https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html
> and
> http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf
> and filing a bug in BTS to have a reference, afaik there is no CVE
> yet assigned.
> 
> [16:19] < KGB-1> Yves-Alexis Perez 52846  /data/CVE/list add temporary entry for knot
> [16:21] < Corsac> ondrej: I guess you know about it?
> 
> Please adjust the affected versions in the BTS as needed.

This now was assigned CVE-2017-11104.

Regards,
Salvatore



Changed Bug title to 'knot: CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery' from 'knot: Improper TSIG validity period check can allow TSIG forgery'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 865678-submit@bugs.debian.org. (Sat, 08 Jul 2017 12:36:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#865678; Package src:knot. (Fri, 14 Jul 2017 20:12:03 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Fri, 14 Jul 2017 20:12:03 GMT)


Message #21 received at 865678@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 865678@bugs.debian.org, Ondřej Surý <ondrej@sury.org>
Cc: team@security.debian.org
Subject: Re: Bug#865678: knot: Improper TSIG validity period check can allow TSIG forgery
Date: Fri, 14 Jul 2017 22:09:28 +0200
On Fri, 2017-06-23 at 19:01 +0200, Salvatore Bonaccorso wrote:
> Source: knot
> Version: 2.4.3-1
> Severity: grave
> Tags: security upstream patch
> Control: found -1 2.5.1-1
> 
> Hi
> 
> See
> https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html
> and
> http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf
> and filing a bug in BTS to have a reference, afaik there is no CVE
> yet assigned.
> 
> [16:19] < KGB-1> Yves-Alexis Perez 52846  /data/CVE/list add temporary entry
> for knot
> [16:21] < Corsac> ondrej: I guess you know about it?

I went ahead and uploaded fixes to jessie and stretch. I've also pushed my
branches to https://anonscm.debian.org/cgit/users/corsac/security/knot.git/ in
case you want to reimport them.

Regards,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#865678; Package src:knot. (Sat, 15 Jul 2017 05:24:02 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Sat, 15 Jul 2017 05:24:02 GMT)


Message #26 received at 865678@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: "Yves-Alexis Perez" <corsac@debian.org>, <865678@bugs.debian.org>
Cc: <team@security.debian.org>
Subject: Re: [Pkg-dns-devel] Bug#865678: knot: Improper TSIG validity period check can allow TSIG forgery
Date: Sat, 15 Jul 2017 07:20:56 +0200
Thanks for the upload. I didn't give it a very high priority as there was
an easy fix using ACLs and I had a rough plan to fix it during the next week.

Cheers, Ondřej


On 14 July 2017 22:12:11 Yves-Alexis Perez <corsac@debian.org> wrote:

> On Fri, 2017-06-23 at 19:01 +0200, Salvatore Bonaccorso wrote:
>> Source: knot
>> Version: 2.4.3-1
>> Severity: grave
>> Tags: security upstream patch
>> Control: found -1 2.5.1-1
>>
>> Hi
>>
>> See
>> https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html
>> and
>> http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf
>> and filing a bug in BTS to have a reference, afaik there is no CVE
>> yet assigned.
>>
>> [16:19] < KGB-1> Yves-Alexis Perez 52846  /data/CVE/list add temporary entry
>> for knot
>> [16:21] < Corsac> ondrej: I guess you know about it?
>
> I went ahead and uploaded fixes to jessie and stretch. I've also pushed my
> branches to https://anonscm.debian.org/cgit/users/corsac/security/knot.git/ in
> case you want to reimport them.
>
> Regards,
> --
> Yves-Alexis
>
>
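The check-ordering bug named in the title, as an added illustration that is not Knot's code and not part of the report: the changelog entries further down name the fix "move signature validity period check after the" signature check, and the reason that order matters is RFC 2845 section 4.5.2, which requires a BADTIME error to be signed with the TSIG key (with the server's time in the "other data" field) so that the client can trust the server's clock. A server that tests the time window before the MAC therefore signs a reply for a peer whose MAC it never verified, and that reply MAC is computed under the secret over the attacker-chosen request MAC plus the server's reply; all the peer needs to reach that path is the key name and algorithm, which is why the thread treats a source-address ACL as an interim mitigation. How a signed error of this kind is turned into a forged, accepted request is the subject of the Synacktiv paper linked in the first message and is not reproduced here. The model below deliberately simplifies the digest layout; the key name, secret, message bytes, addresses and the encoding of the BADTIME other-data are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Added example, not Knot DNS code and not from the bug report: a cut-down model of a
# TSIG-verifying server (RFC 2845) in which the only difference between the vulnerable
# and the fixed verifier is whether the validity-period check runs before or after the
# MAC check. Digest layout, key name, secret, message bytes and addresses are constructed.

BADTIME = 18                                     # TSIG error code carried in the reply's TSIG variables
SECRET = b"constructed-demo-secret-do-not-reuse"  # known only to the server
KEYS = {b"xfer-key.": SECRET}                    # key name -> secret, as in a server config
ALG = b"hmac-sha256."


def tsig_variables(key_name, alg, time_signed, fudge, error, other):
    """Simplified TSIG variables appended to the digested data (name, alg, time, fudge, error, other)."""
    return key_name + alg + struct.pack(">QHHH", time_signed, fudge, error, len(other)) + other


def request_mac(secret, req):
    """MAC a client puts on a request: HMAC over the DNS message followed by the TSIG variables."""
    data = req["msg"] + tsig_variables(req["key_name"], req["alg"], req["time_signed"], req["fudge"], 0, b"")
    return hmac.new(secret, data, hashlib.sha256).digest()


def signed_badtime(secret, req, now):
    """RFC 2845 section 4.5.2: a BADTIME reply MUST be signed and carries the server time in other data.
    The reply MAC chains over the request MAC first (section 3.4.3), i.e. over bytes the client chose."""
    other = struct.pack(">Q", now)
    data = (struct.pack(">H", len(req["mac"])) + req["mac"] + b"badtime-reply"
            + tsig_variables(req["key_name"], req["alg"], req["time_signed"], req["fudge"], BADTIME, other))
    return hmac.new(secret, data, hashlib.sha256).digest()


def time_ok(req, now):
    return abs(now - req["time_signed"]) <= req["fudge"]


def verify_vulnerable(req, now, keys=KEYS):
    """Validity period before MAC: a peer that never proved key possession receives a signed reply."""
    secret = keys.get(req["key_name"])
    if secret is None:
        return "BADKEY", None
    if not time_ok(req, now):
        return "BADTIME", signed_badtime(secret, req, now)      # signed, but req["mac"] was never checked
    if not hmac.compare_digest(req["mac"], request_mac(secret, req)):
        return "BADSIG", None
    return "NOERROR", None


def verify_fixed(req, now, keys=KEYS):
    """MAC before validity period: only a request that proved key possession reaches the signed path."""
    secret = keys.get(req["key_name"])
    if secret is None:
        return "BADKEY", None
    if not hmac.compare_digest(req["mac"], request_mac(secret, req)):
        return "BADSIG", None                                    # unsigned error, nothing to learn from it
    if not time_ok(req, now):
        return "BADTIME", signed_badtime(secret, req, now)
    return "NOERROR", None


def verify_behind_acl(verify, allowed_sources, src, req, now):
    """Interim mitigation of the kind mentioned in the thread: an address ACL in front of TSIG
    processing (constructed here; it only shields the server from sources outside the list)."""
    if src not in allowed_sources:
        return "REFUSED", None
    return verify(req, now)


def forged_request(now):
    """What a peer who knows only the key name and algorithm can send: garbage MAC, stale time."""
    return {"msg": b"axfr example.test", "key_name": b"xfer-key.", "alg": ALG,
            "time_signed": now - 3600, "fudge": 300, "mac": b"\x00" * 32}


def reply_mac_is_genuine(req, now, reply_mac):
    """Recompute with the secret (which only the server has) to confirm the oracle output is real."""
    return reply_mac is not None and hmac.compare_digest(reply_mac, signed_badtime(SECRET, req, now))


if __name__ == "__main__":
    now = 1_500_000_000
    req = forged_request(now)
    rcode, reply = verify_vulnerable(req, now)
    print("vulnerable ordering:", rcode, "genuine MAC handed out:", reply_mac_is_genuine(req, now, reply))
    print("fixed ordering:     ", verify_fixed(req, now))
    print("behind an ACL:      ", verify_behind_acl(verify_vulnerable, {"192.0.2.10"}, "198.51.100.7", req, now))
```

Running it shows the vulnerable ordering answering the unauthenticated request with a BADTIME reply whose MAC really was computed under the server's secret, while the fixed ordering answers BADSIG with no MAC at all; the ACL wrapper refuses the request before any TSIG processing, which is why it was usable as a stopgap but is no substitute for the reordering, since a source inside the ACL still reaches the oracle.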





Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Sat, 15 Jul 2017 20:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 15 Jul 2017 20:51:06 GMT)


Message #31 received at 865678-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 865678-close@bugs.debian.org
Subject: Bug#865678: fixed in knot 1.6.0-1+deb8u1
Date: Sat, 15 Jul 2017 20:47:53 +0000
Source: knot
Source-Version: 1.6.0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
knot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated knot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jul 2017 14:11:36 +0200
Source: knot
Binary: knot knot-libs knot-dbg knot-dnsutils knot-host knot-doc
Architecture: source amd64 all
Version: 1.6.0-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
 knot       - authoritative domain name server
 knot-dbg   - Debug symbols for Knot DNS
 knot-dnsutils - Clients provided with Knot DNS (kdig, knslookup, knsupdate)
 knot-doc   - Documentation for Knot DNS
 knot-host  - Version of 'host' bundled with Knot DNS
 knot-libs  - authoritative domain name server
Closes: 865678
Changes:
 knot (1.6.0-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches:
     - 0001-tsig-move-signature-validity-period-check-after-the- added, fix
     TSIG signature validation bypass (CVE-2017-11104)           closes: #865678
Checksums-Sha1:
 c98698e4096f9d7f98cc0923c1c5b152fd3e4016 2018 knot_1.6.0-1+deb8u1.dsc
 7c005d549bf8946743b8e02a1369a94b92ba1629 781192 knot_1.6.0.orig.tar.xz
 e35bed027d7d6023d35fac7498ba796a1775b285 17744 knot_1.6.0-1+deb8u1.debian.tar.xz
 3d7babb3008aa1ded4b20c8a55cdab242d7a7517 203532 knot_1.6.0-1+deb8u1_amd64.deb
 8a421826543ccbcbf1daf4c51d97afdc64b7c929 168174 knot-libs_1.6.0-1+deb8u1_amd64.deb
 330f721d0d83dcb741b816ae75ea2606b2cee2e9 1773014 knot-dbg_1.6.0-1+deb8u1_amd64.deb
 5e915b33be3ce5bb3d10ca7d880e6c5ad51f3c64 66904 knot-dnsutils_1.6.0-1+deb8u1_amd64.deb
 5f936812663b3879ed61e554b73ef1759ff71520 49744 knot-host_1.6.0-1+deb8u1_amd64.deb
 ea7d8cdcf0959fdef08cb29841b64806bde10064 448320 knot-doc_1.6.0-1+deb8u1_all.deb
Checksums-Sha256:
 e8c6babce53b8d885e63f276e14ac1051147f8094c8a68aa970dba729b3933a8 2018 knot_1.6.0-1+deb8u1.dsc
 38d6c19c70f0640bc9331afd1bee61196c647f138f4d36bdea7d0e1b49514f46 781192 knot_1.6.0.orig.tar.xz
 169dfa98ce408d00add4b93c73246443834c730f0910f9147bf275ab3a8d92e1 17744 knot_1.6.0-1+deb8u1.debian.tar.xz
 e5c84db19c7afd7e50976aad47ddce74c82b9ad906841845f3fbf6b31c727157 203532 knot_1.6.0-1+deb8u1_amd64.deb
 0af985056c7b098fe1da0cc31a4af440b5c50081043714d8845a6e638961e8c7 168174 knot-libs_1.6.0-1+deb8u1_amd64.deb
 a1f813a61d568043607bd0c3e794632531ab429e53ada987c9a35765ffd9a6da 1773014 knot-dbg_1.6.0-1+deb8u1_amd64.deb
 972128fcc7c15bd89df7ee9b7f44a9a7d4299281a0dfafbeebb5ad869fb26d27 66904 knot-dnsutils_1.6.0-1+deb8u1_amd64.deb
 28c8f87375d5d12d27e5084597e4d1db4b81e5c8f199795ff4e52a6f62648a46 49744 knot-host_1.6.0-1+deb8u1_amd64.deb
 6213e9d5304ee8b9a1587c7477c9a2033c8b8e122d04f2ffad0559a8213e07f3 448320 knot-doc_1.6.0-1+deb8u1_all.deb
Files:
 3098ea100fa17048bb377ccf3c13fbb0 2018 net optional knot_1.6.0-1+deb8u1.dsc
 63cd27658e05a7cd4f950b7e0b5c723a 781192 net optional knot_1.6.0.orig.tar.xz
 b1a186db075c3b261580b64f82025ec6 17744 net optional knot_1.6.0-1+deb8u1.debian.tar.xz
 9de68c366084b6d926204a88d774b3ea 203532 net optional knot_1.6.0-1+deb8u1_amd64.deb
 f024fdcac2df16026e6532c4ed07c2b8 168174 libs optional knot-libs_1.6.0-1+deb8u1_amd64.deb
 d516a656ec9076b369bd13da2e4f3841 1773014 debug extra knot-dbg_1.6.0-1+deb8u1_amd64.deb
 b3723db8a7a03c8657647a57cccb17be 66904 net optional knot-dnsutils_1.6.0-1+deb8u1_amd64.deb
 3a4dd15ee90d4f345fc1e5520ab1b4fe 49744 net optional knot-host_1.6.0-1+deb8u1_amd64.deb
 999da006c2abf553d6659e03a85b0436 448320 doc optional knot-doc_1.6.0-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEl0WwInMjgf6efq/1bdtT8qZ1wKUFAlloxxAACgkQbdtT8qZ1
wKWYGwf/UK1m4wV16b7/J7gpt7BPRh0TBp6A6r75G/0am5B6j3oQgCe9gOWg3Avl
FKmivd1tF8oZhc2lv6d5HS2nR39RrrTcjiCvd4U4kWKtQE4CB83wi112GKhfRNPC
NnvD+eFml603N15vjsqrDRgpLPAPInsWUJxxPHQP9LxHKOsdAm34q52Q8iFa92PH
Nur5s2LowEElSBBQnTAmMcukwQL5cCXjnB32ddCmxlAHVSzDvHk5Cp7FoccJ3xZu
uKCPdNcYYS4mXiipMOuMFlLBtTpKP7dcenNwtDq/UyX5jxvUfcuxRYI231L57Sn/
0u2TetX6uIcxjJFY+M4thj8Y2t8vTA==
=fcDC
-----END PGP SIGNATURE-----




Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Sat, 15 Jul 2017 21:48:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 15 Jul 2017 21:48:20 GMT)


Message #36 received at 865678-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 865678-close@bugs.debian.org
Subject: Bug#865678: fixed in knot 2.4.0-3+deb9u1
Date: Sat, 15 Jul 2017 21:47:22 +0000
Source: knot
Source-Version: 2.4.0-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
knot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated knot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 13 Jul 2017 21:56:05 +0200
Source: knot
Binary: knot libknot5 libzscanner1 libdnssec2 libknot-dev knot-dnsutils knot-host knot-doc
Architecture: source
Version: 2.4.0-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Closes: 865678
Description: 
 knot       - Authoritative domain name server
 knot-dnsutils - Clients provided with Knot DNS (kdig, knslookup, knsupdate)
 knot-doc   - Documentation for Knot DNS
 knot-host  - Version of 'host' bundled with Knot DNS
 libdnssec2 - DNSSEC shared library from Knot
 libknot5   - Authoritative domain name server (shared library)
 libknot-dev - Knot DNS shared library development files
 libzscanner1 - DNS zone-parsing library from Knot
Changes:
 knot (2.4.0-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches:
     - 0001-tsig-move-signature-validity-period-check-after-the- added, fix
     TSIG signature validation bypass (CVE-2017-11104)           closes: #865678
Checksums-Sha1: 
 cd190e31c3b910dd139a8f60d09567a3a47193f5 2349 knot_2.4.0-3+deb9u1.dsc
 c1ad6007f5ecd31940f967e4370255d83869add7 1102856 knot_2.4.0.orig.tar.xz
 d20ac0f28e1a11cf38795b7a8692972a942ca00b 22592 knot_2.4.0-3+deb9u1.debian.tar.xz
Checksums-Sha256: 
 72fa5a5ea38bf1131dd57065f9d5b2920104b557693ae0a066042689b421691e 2349 knot_2.4.0-3+deb9u1.dsc
 0ba4d3e6951fc4d5c0e3dc88a720462690dd1d25f4bc1e7c24bb5747d3853679 1102856 knot_2.4.0.orig.tar.xz
 8f023a2a91f838af742851d420ed7f5a0049e1dea2b9129b58e7ace7fc5ddfdb 22592 knot_2.4.0-3+deb9u1.debian.tar.xz
Files: 
 b58e4de0ccf430a0b878785ecd4db18a 2349 net optional knot_2.4.0-3+deb9u1.dsc
 549dcc3778f12adee8d624dbc2c4de20 1102856 net optional knot_2.4.0.orig.tar.xz
 aa92495bdb4dbbd687e765d130cdec2a 22592 net optional knot_2.4.0-3+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEl0WwInMjgf6efq/1bdtT8qZ1wKUFAllotKkACgkQbdtT8qZ1
wKXzawf+NMh1E4IQTU0bIOlQARSzmIlT9TYWwz6Ifentl5Rrr74k9Wmr7Us8eXmM
6O5/VAJSoVW3iLC089pFnMKKNA/WR2v4ESK9BT/V4jc4I8vJd1yyzpRr9FpcV9+B
dpx7wtg70SxYpUlZnZMDWqs+bgXxk3pgbliMVMgfOvaZF3Ngb+jHuD9OncJqCQrE
4afPjbhas8ZFzdD/pB4opwF2ePqhjKNRHBcUsoNr3hnh4Ek4zPw+1DQ4AAZFKRAI
xwWz4f9k+XZZselDL8/FOB+ymAY3R8kLQX4IODt1SYAuBCLD8V1iAoSe/qr6myCi
p88GgXgmT6diWdmV46uTX0QoXilefg==
=s4Em
-----END PGP SIGNATURE-----




Marked as fixed in versions knot/2.5.3-1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 09:51:14 GMT)


Marked as found in versions knot/1.6.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 10:57:07 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 22 Aug 2017 07:32:23 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri May 17 16:06:07 2024; Machine Name: buxtehude
