microsoft · aadhar-agarwal · Aug 21, 2024 · Aug 15, 2024
@@ -0,0 +1,25 @@
+From 193401e7543a1e561dd634a3eaae932fa462a2b9 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 3 Apr 2024 15:40:58 +0800
+Subject: [PATCH] fix heap-buffer-overflow issue in function cfg_mark_ports of
+ file util/config_file.c
+
+---
+ util/config_file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index 26185da02..e7b2f1959 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1761,6 +1761,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ #endif
+ 	if(!mid) {
+ 		int port = atoi(str);
++		if(port < 0) {
++			log_err("Prevent out-of-bounds access to array avail");
++			return 0;
++		}
+ 		if(port == 0 && strcmp(str, "0") != 0) {
+ 			log_err("cannot parse port number '%s'", str);
+ 			return 0;
@@ -1,14 +1,15 @@
 Summary:        unbound dns server
 Name:           unbound
 Version:        1.19.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System/Servers
 URL:            https://nlnetlabs.nl/projects/unbound/about/
 Source0:        https://github.com/nlnetlabs/%{name}/archive/release-%{version}.tar.gz#/%{name}-release-%{version}.tar.gz
 Source1:        %{name}.service
+Patch0:         CVE-2024-43168.patch
 BuildRequires:  expat-devel
 BuildRequires:  libevent-devel
 BuildRequires:  python3-devel
@@ -96,6 +97,9 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %{_mandir}/*
 
 %changelog
+* Thu Aug 15 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 1.19.1-2
+- Add patch to fix CVE-2024-43168
+
 * Wed Feb 28 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.19.1-1
 - Auto-upgrade to 1.19.1 - Fix CVE-2023-50387