Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 700556 (CVE-2019-18934) - <net-dns/unbound-1.9.5: IPSEC shell injection (CVE-2019-18934)
Summary: <net-dns/unbound-1.9.5: IPSEC shell injection (CVE-2019-18934)
Status: RESOLVED FIXED
Alias: CVE-2019-18934
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.x41-dsec.de/security/rese...
Whiteboard: C2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-19 09:33 UTC by Hanno Böck
Modified: 2020-02-29 15:38 UTC (History)
2 users (show)

See Also:
Package list:
net-dns/unbound-1.9.5
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2019-11-19 09:33:58 UTC 
See
https://www.x41-dsec.de/security/research/job/news/2019/11/19/unbound/

The gentoo ebuild enables the ipsec module, so we're affected this issue. 
Genereally I am wondering why this is enabled by default, it looks like a rather obscure feature.

Fixes in 1.9.5:
https://www.nlnetlabs.nl/news/2019/Nov/19/unbound-1.9.5-released/
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-19 12:14:37 UTC 
(In reply to Hanno Böck from comment #0)
> The gentoo ebuild enables the ipsec module, so we're affected this issue. 
> Genereally I am wondering why this is enabled by default, it looks like a
> rather obscure feature.

We set --enable-ipsecmod but we don't enable it in configuration. To quote from mentioned news article:

> This issue can _only_ be triggered when _all_ of the below conditions are met:
> 
>     - unbound was compiled with --enable-ipsecmod support, and
>     - ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and
>     - a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
>     - unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) and an IPSECKEY record(s) available.
Comment 2 Agostino Sarubbo gentoo-dev 2019-11-20 11:22:05 UTC 
ppc64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-11-20 11:29:29 UTC 
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-11-20 13:21:57 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-11-20 13:24:20 UTC 
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-22 09:51:36 UTC 
arm stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-29 15:38:51 UTC 
GLSA Vote: No!

Repository is clean, all done.