unbound-checkconf treats valid config as invalid

Bug #1988055 reported by trya uuum
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| unbound (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Lena Voytek | |

Bug Description

[Impact]

When a user attempts to run unbound-checkconf and any of their stated interfaces matches the name of an existing network interface, the program will crash and will be unable to verify the configuration.
For example, if an unbound configuration file contains something like

```
server:
  interface: lan0
```

or

```
server:
  interface: lo
```

and so on, unbound-checkconf will crash.

This fix should be added to Jammy so configuration files and network interfaces can be properly validated for unbound.

The bug was fixed by adding a few commits from upstream as patches to unbound-checkconf. A function in unbound-checkconf.c was modified to resolve the interface name and check that it works correctly. Meanwhile, a commit that modifies the function resolve_interface_names in listen_dnsport.c and its calls was added as a patch to allow interface resolution to work correctly.

[Test Plan]

The following test can be used to reproduce the error:
```
# lxc launch images:ubuntu/jammy test-unbound
# lxc exec test-unbound bash

# apt update && apt dist-upgrade -y
# apt install unbound -y

# echo "
server:
  interface: lo" >> /etc/unbound/unbound.conf

# unbound-checkconf
```

[Where problems could occur]

Since the resolve_interface_names function had to be updated for unbound-checkconf to work, the places where it is called in the unbound package also had to be modified. This could lead to changes in behavior within unbound-control and the unbound daemon when checking interface names. Although this function will match the behavior upstream and in Kinetic, commits related to the handling of this function may be missed by the patch files.

The new patches also contain new memory allocation statements, so memory leaking from unfreed callocs can also be an issue.

[Other Info]

The issue was fixed upstream and was fixed in Kinetic through the most recent merge into Ubuntu.

[Original Description]

In unbound config, one of the valid ways to specify IPs to listen on is to specify an interface name, e.g.

```
server:
  interface: lan0
```

unbound starts and works correctly, but unbound-checkconf returns an error:

```
# unbound-checkconf
[1661781808] unbound-checkconf[4362:0] fatal error: cannot parse interface specified as 'lan0'
```

This bug was fixed upstream (https://github.com/NLnetLabs/unbound/issues/574) but it's still present in Ubuntu 22.04.
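
An added example, not part of the bug report and not unbound's own code: how a checker can tell an IP literal from an interface name in an `interface:` value, resolve the name with getifaddrs(), and release what it allocated (the leak concern raised under [Where problems could occur]). The names is_ip_literal, resolve_ifname and addr_str are hypothetical; upstream's function is resolve_interface_names.

```c
/* Added example, not unbound source; all names here are hypothetical. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef char addr_str[INET6_ADDRSTRLEN];

/* 1 if spec is an IPv4/IPv6 literal (optional "@port"), 0 if it is a name. */
int is_ip_literal(const char *spec) {
    addr_str host;
    unsigned char buf[sizeof(struct in6_addr)];
    size_t n = strcspn(spec, "@");              /* length before "@port" */
    if (n == 0 || n >= sizeof(host)) return 0;
    memcpy(host, spec, n);
    host[n] = '\0';
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

/* Number of IP addresses on interface `name` (0: unknown or unaddressed),
 * -1 on error. *out is one calloc'd block; the caller must free(*out). */
int resolve_ifname(const char *name, addr_str **out) {
    struct ifaddrs *list, *ifa;
    int n = 0, cap = 1;
    *out = NULL;
    if (getifaddrs(&list) != 0) return -1;
    for (ifa = list; ifa; ifa = ifa->ifa_next) cap++;       /* upper bound */
    if (!(*out = calloc((size_t)cap, sizeof(addr_str)))) { freeifaddrs(list); return -1; }
    for (ifa = list; ifa; ifa = ifa->ifa_next) {
        struct sockaddr *sa = ifa->ifa_addr;
        if (!sa || strcmp(ifa->ifa_name, name) != 0) continue;
        if (sa->sa_family == AF_INET && inet_ntop(AF_INET,
                &((struct sockaddr_in *)sa)->sin_addr, (*out)[n], sizeof(addr_str))) n++;
        else if (sa->sa_family == AF_INET6 && inet_ntop(AF_INET6,
                &((struct sockaddr_in6 *)sa)->sin6_addr, (*out)[n], sizeof(addr_str))) n++;
    }
    freeifaddrs(list);                  /* release the getifaddrs() list */
    return n;
}

int main(int argc, char **argv) {
    const char *spec = argc > 1 ? argv[1] : "lo";   /* constructed default */
    addr_str *a = NULL;
    int n = is_ip_literal(spec) ? 0 : resolve_ifname(spec, &a);
    for (int i = 0; i < n; i++) printf("%s -> %s\n", spec, a[i]);
    free(a);
    return 0;
}
```

A value that is neither an IP literal nor a name resolve_ifname() can resolve is the case a checker should reject; a name that resolves should be validated through its addresses.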


trya uuum (tryauuum)
description: updated
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to report this bug and trying to make Ubuntu better.

The commit which fixed the mentioned issue is this one:

https://github.com/NLnetLabs/unbound/commit/dcad9d586329961efed36cf7c3b26ad8c27ddd64

It was released in version 1.16.2, already in Kinetic.

Changed in unbound (Ubuntu):
status: New → Fix Released
Changed in unbound (Ubuntu Jammy):
status: New → Triaged
tags: added: server-todo
Lena Voytek (lvoytek) wrote :

I'll get this fix added to 22.04

Changed in unbound (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
status: Triaged → In Progress
Lena Voytek (lvoytek) wrote :

I added the fix to a ppa and confirmed that the commit fixes the issue with a few additional modifications. If you would like to test it you can run the following commands in 22.04:

```
sudo add-apt-repository ppa:lvoytek/unbound-fix-checkconf-jammy
sudo apt update
sudo apt upgrade
```

I used the following test to confirm the fix:

```
# lxc launch images:ubuntu/jammy test-unbound
# lxc exec test-unbound bash

# apt update && apt dist-upgrade -y
# apt install unbound -y

# echo "
server:
  interface: lo" >> /etc/unbound/unbound.conf

# unbound-checkconf
```

- results in error: unbound-checkconf[871:0] fatal error: cannot parse interface specified as 'lo'

```
# lxc launch images:ubuntu/jammy test-unbound-fixed
# lxc exec test-unbound-fixed bash

# apt update && apt dist-upgrade -y
# apt install unbound software-properties-common -y

# add-apt-repository ppa:lvoytek/unbound-fix-checkconf-jammy
# apt update && apt upgrade -y

# echo "
server:
  interface: lo" >> /etc/unbound/unbound.conf

# unbound-checkconf
```

trya uuum (tryauuum) wrote :

can confirm that "unbound-checkconf" indeed no longer complains

```
# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
# echo $?
0
```

Lena Voytek (lvoytek) wrote :

Thanks for the confirmation, hopefully the fix can be fully added to 22.04 soon.

description: updated
Lena Voytek (lvoytek)
description: updated
Bryce Harrington (bryce)
Changed in unbound (Ubuntu Jammy):
status: In Progress → Fix Committed
Andreas Hasenack (ahasenack) wrote :

Changing jammy status to "in progress" because the upload wasn't accepted yet.

Changed in unbound (Ubuntu Jammy):
status: Fix Committed → In Progress
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello trya, or anyone else affected,

Accepted unbound into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu5.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unbound (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Lena Voytek (lvoytek) wrote :

I was able to verify this with the following commands:

```
# lxc launch images:ubuntu/jammy test-unbound
# lxc exec test-unbound bash

# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# apt update && apt dist-upgrade -y
# apt install unbound -y

# echo "
server:
  interface: lo" >> /etc/unbound/unbound.conf

# unbound-checkconf
```

unbound-checkconf: no errors in /etc/unbound/unbound.conf

tags: added: verification-done-jammy
removed: verification-needed-jammy
Lena Voytek (lvoytek)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.13.1-1ubuntu5.2

---------------
unbound (1.13.1-1ubuntu5.2) jammy; urgency=medium

  * Resolve interfaces using existing interface names with unbound-checkconf
    (LP: #1988055):
    - d/p/fix-checkconf-interface-name-error.patch: Resolve known interface
      names correctly when using unbound-checkconf
    - d/p/resolve-control-interface-names.patch: Resolve interface names on
      control-interface so unbound-checkconf can work correctly when checking
      names of known interfaces

 -- Lena Voytek <email address hidden> Wed, 07 Sep 2022 10:52:50 -0700

Changed in unbound (Ubuntu Jammy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for unbound has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
