packages/python-eventlet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!33 Address DoS via the Tudoor mechanism (CVE-2023-29483)

Browse Source 
From: @lilong88 
Reviewed-by: @yangzhao_kl 
Signed-off-by: @yangzhao_kl
This commit is contained in:
openeuler-ci-bot 2024-04-28 08:29:51 +00:00 committed by Gitee
commit fb21395402
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 112 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
Address-DoS-via-the-Tudoor-mechanism.patch Normal file
View File

@ -0,0 +1,104 @@
From 51e3c4928d4938beb576eff34f3bf97e6e64e6b4 Mon Sep 17 00:00:00 2001
From: Kelvin J Li <72498127+kelvin-j-li@users.noreply.github.com>
Date: Mon, 19 Feb 2024 21:42:27 +0800
Subject: [PATCH] Dnspython 2.6.1 - Address DoS via the Tudoor mechanism
(CVE-2023-29483)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix for (CVE-2023-29483) and handling of truncated exceptions in greendns.py provided by Bob Halley from https://github.com/rthalley/eventlet/tree/tudoor
Do not eat legitimate Truncated exceptions.
---------
Co-authored-by: Bob Halley <halley@play-bow.org>
Co-authored-by: Hervé Beraud <hberaud@redhat.com>
---
eventlet/support/greendns.py | 56 ++++++++++++++++++++++++------------
1 file changed, 38 insertions(+), 18 deletions(-)
diff --git a/eventlet/support/greendns.py b/eventlet/support/greendns.py
index 626214235..365664f24 100644
--- a/eventlet/support/greendns.py
+++ b/eventlet/support/greendns.py
@@ -713,7 +713,7 @@ def _net_write(sock, data, expiration):
def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53,
af=None, source=None, source_port=0, ignore_unexpected=False,
one_rr_per_rrset=False, ignore_trailing=False,
- raise_on_truncation=False, sock=None):
+ raise_on_truncation=False, sock=None, ignore_errors=False):
"""coro friendly replacement for dns.query.udp
Return the response obtained after sending a query via UDP.
@@ -752,7 +752,10 @@ def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53,
query. If None, the default, a socket is created. Note that
if a socket is provided, it must be a nonblocking datagram socket,
and the source and source_port are ignored.
- @type sock: socket.socket | None"""
+ @type sock: socket.socket | None
+ @param ignore_errors: if various format errors or response mismatches occur,
+ continue listening.
+ @type ignore_errors: bool"""
wire = q.to_wire()
if af is None:
@@ -816,26 +819,43 @@ def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53,
addr = from_address[0]
addr = dns.ipv6.inet_ntoa(dns.ipv6.inet_aton(addr))
from_address = (addr, from_address[1], from_address[2], from_address[3])
- if from_address == destination:
+ if from_address != destination:
+ if ignore_unexpected:
+ continue
+ else:
+ raise dns.query.UnexpectedSource(
+ 'got a response from %s instead of %s'
+ % (from_address, destination))
+ try:
+ if _handle_raise_on_truncation:
+ r = dns.message.from_wire(wire,
+ keyring=q.keyring,
+ request_mac=q.mac,
+ one_rr_per_rrset=one_rr_per_rrset,
+ ignore_trailing=ignore_trailing,
+ raise_on_truncation=raise_on_truncation)
+ else:
+ r = dns.message.from_wire(wire,
+ keyring=q.keyring,
+ request_mac=q.mac,
+ one_rr_per_rrset=one_rr_per_rrset,
+ ignore_trailing=ignore_trailing)
+ if not q.is_response(r):
+ raise dns.query.BadResponse()
break
- if not ignore_unexpected:
- raise dns.query.UnexpectedSource(
- 'got a response from %s instead of %s'
- % (from_address, destination))
+ except dns.message.Truncated as e:
+ if ignore_errors and not q.is_response(e.message()):
+ continue
+ else:
+ raise
+ except Exception:
+ if ignore_errors:
+ continue
+ else:
+ raise
finally:
s.close()
- if _handle_raise_on_truncation:
- r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
- one_rr_per_rrset=one_rr_per_rrset,
- ignore_trailing=ignore_trailing,
- raise_on_truncation=raise_on_truncation)
- else:
- r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
- one_rr_per_rrset=one_rr_per_rrset,
- ignore_trailing=ignore_trailing)
- if not q.is_response(r):
- raise dns.query.BadResponse()
return r

10
python-eventlet.spec
View File

@ -1,12 +1,15 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-eventlet Name: python-eventlet
Version: 0.33.3 Version: 0.33.3
Release: 1 Release: 2
Summary: Highly concurrent networking library Summary: Highly concurrent networking library
License: MIT License: MIT
URL: http://eventlet.net URL: http://eventlet.net
Source0: https://files.pythonhosted.org/packages/source/e/eventlet/eventlet-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/e/eventlet/eventlet-%{version}.tar.gz
BuildArch: noarch BuildArch: noarch
Patch0001: Address-DoS-via-the-Tudoor-mechanism.patch
%description %description
Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it. Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it.
@ -37,7 +40,7 @@ Provides: python3-eventlet-doc
Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it. Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it.
%prep %prep
%autosetup -n eventlet-%{version} %autosetup -n eventlet-%{version} -p1
%build %build
%py3_build %py3_build
@ -79,6 +82,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Sun Apr 28 2024 lilong <lilong@kylinos.cn> - 0.33.3-2
- Address DoS via the Tudoor mechanism (CVE-2023-29483)
* Sat May 06 2023 xu_ping <707078654@qq.com> - 0.33.3-1 * Sat May 06 2023 xu_ping <707078654@qq.com> - 0.33.3-1
- Update to 0.33.3 - Update to 0.33.3