
Bug 700556 (CVE-2019-18934)

Summary: <net-dns/unbound-1.9.5: IPSEC shell injection (CVE-2019-18934)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mschiff, whissi
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.x41-dsec.de/security/research/job/news/2019/11/19/unbound/
Whiteboard: C2 [noglsa]
Package list:
net-dns/unbound-1.9.5
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2019-11-19 09:33:58 UTC
See
https://www.x41-dsec.de/security/research/job/news/2019/11/19/unbound/

The Gentoo ebuild enables the ipsec module, so we're affected by this issue.
Generally I am wondering why this is enabled by default, it looks like a rather obscure feature.

Fixes in 1.9.5:
https://www.nlnetlabs.nl/news/2019/Nov/19/unbound-1.9.5-released/
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-11-19 12:14:37 UTC
(In reply to Hanno Böck from comment #0)
> The Gentoo ebuild enables the ipsec module, so we're affected by this issue.
> Generally I am wondering why this is enabled by default, it looks like a
> rather obscure feature.

We set --enable-ipsecmod but we don't enable it in configuration. To quote from the mentioned news article:

> This issue can _only_ be triggered when _all_ of the below conditions are met:
> 
>     - unbound was compiled with --enable-ipsecmod support, and
>     - ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and
>     - a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
>     - unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) and an IPSECKEY record(s) available.
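
The conditions quoted above can be checked on a host from the installed version and unbound.conf; the following is an added example, not part of the bug report or of Unbound. It assumes a build with --enable-ipsecmod (as the Gentoo ebuild does), the documented unbound.conf defaults (`module-config: "validator iterator"`, `ipsecmod-enabled: yes`), and uses a constructed sample config with a hypothetical hook path.

```python
import re

FIXED = (1, 9, 5)  # first fixed release named in the bug summary

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """\
server:
    module-config: "ipsecmod validator iterator"
    ipsecmod-enabled: yes
    ipsecmod-hook: "/usr/local/libexec/ipsec-hook"  # hypothetical path
    ipsecmod-whitelist: "example.com"
"""

def parse_options(text):
    """Collect 'option: value' pairs from unbound.conf-style text."""
    opts = {}
    for raw in text.splitlines():
        m = re.match(r"([a-z0-9-]+):\s*(\S.*)$", raw.split("#", 1)[0].strip())
        if m:
            opts.setdefault(m.group(1), []).append(m.group(2).strip().strip('"'))
    return opts

def version_tuple(version):
    """'1.9.4-r1' -> (1, 9, 4); Gentoo revision suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3])

def assess(version, conf_text):
    """Classify exposure from the package version and the config file."""
    if version_tuple(version) >= FIXED:
        return "fixed"
    opts = parse_options(conf_text)
    chain = opts.get("module-config", ["validator iterator"])[-1].split()
    enabled = opts.get("ipsecmod-enabled", ["yes"])[-1].lower() != "no"
    if "ipsecmod" not in chain or not enabled:
        # ipsecmod can still be switched on at runtime with unbound-control.
        return "vulnerable build, ipsecmod not configured"
    scope = opts.get("ipsecmod-whitelist") or ["all domains"]
    return "exposed for: " + ", ".join(scope)

if __name__ == "__main__":
    print(assess("1.9.4", SAMPLE_CONF))
    print(assess("1.9.4", 'server:\n    module-config: "validator iterator"\n'))
    print(assess("1.9.5", SAMPLE_CONF))
```

The file check covers only the configuration-file half of the second condition; settings applied through unbound-control at runtime are not visible in unbound.conf.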
Comment 2 Agostino Sarubbo gentoo-dev 2019-11-20 11:22:05 UTC
ppc64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-11-20 11:29:29 UTC
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-11-20 13:21:57 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-11-20 13:24:20 UTC
x86 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-11-22 09:51:36 UTC
arm stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2020-02-29 15:38:51 UTC
GLSA Vote: No!

Repository is clean, all done.