Version in base suite: 0.9.14-1
Base version: python-dnslib_0.9.14-1
Target version: python-dnslib_0.9.14-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-dnslib/python-dnslib_0.9.14-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-dnslib/python-dnslib_0.9.14-1+deb11u1.dsc
changelog | 6 ++++++
patches/0002-Validate-TXID-in-client.py.patch | 24 ++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 31 insertions(+)
diff -Nru python-dnslib-0.9.14/debian/changelog python-dnslib-0.9.14/debian/changelog
--- python-dnslib-0.9.14/debian/changelog 2020-06-10 04:51:44.000000000 +0000
+++ python-dnslib-0.9.14/debian/changelog 2024-02-13 00:43:55.000000000 +0000
@@ -1,3 +1,9 @@
+python-dnslib (0.9.14-1+deb11u1) bullseye; urgency=medium
+
+ * Add d/p/0002-Validate-TXID-in-client.py.patch to address CVE-2022-22846
+
+ -- Scott Kitterman Mon, 12 Feb 2024 19:43:55 -0500
+
 python-dnslib (0.9.14-1) unstable; urgency=medium
 
 * New upstream release
diff -Nru python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch
--- python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-dnslib-0.9.14/debian/patches/0002-Validate-TXID-in-client.py.patch 2024-02-13 00:42:50.000000000 +0000
@@ -0,0 +1,24 @@
+From: Scott Kitterman
+Date: Sat, 12 Feb 2024 19:41:26 -0500
+Subject: Validate TXID in client.py
+Fixes CVE-2022-22846
+Origin: backport, https://github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba
+
+---
+ dnslib/client.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dnslib/client.py b/dnslib/client.py
+index 628ea81..09572b6 100644
+--- a/dnslib/client.py
++++ b/dnslib/client.py
+@@ -76,6 +76,9 @@ if __name__ == '__main__':
+ a_pkt = q.send(address,port,tcp=args.tcp)
+ a = DNSRecord.parse(a_pkt)
+
++ if q.header.id != a.header.id:
++ raise DNSError('Response transaction id does not match query transaction id')
++
+ if a.header.tc and args.noretry == False:
+ # Truncated - retry in TCP mode
+ a_pkt = q.send(address,port,tcp=True)
diff -Nru python-dnslib-0.9.14/debian/patches/series python-dnslib-0.9.14/debian/patches/series
--- python-dnslib-0.9.14/debian/patches/series 2020-06-10 04:50:31.000000000 +0000
+++ python-dnslib-0.9.14/debian/patches/series 2024-02-13 00:43:55.000000000 +0000
@@ -1 +1,2 @@
 0001-Only-run-tests-for-python3.patch
+0002-Validate-TXID-in-client.py.patch
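Review bot: The transaction-ID comparison added in the dnslib/client.py hunk runs only on the first reply; the truncation branch right after it sends the query again with `tcp=True`, and the hunk ends there, so nothing visible checks the ID of the retried reply. If the lines after the hunk re-parse the retry into `a`, the same guard should follow that parse: `if q.header.id != a.header.id: raise DNSError('Response transaction id does not match query transaction id')`. The hunk header also places this code inside `if __name__ == '__main__':`, so the check appears to protect only the command-line client; code that calls `q.send()` directly would still need its own ID comparison, which is worth stating in the patch description next to the CVE reference. The enclosing block starts and ends outside the hunk.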