#995975 UDP socket from DNS keeps listening on 0.0.0.0

Package:
libevent-extra-2.1-7
Source:
libevent
Description:
Asynchronous event notification library (extra)
Submitter:
Richard Lewis
Date:
2021-10-12 21:30:06 UTC
Severity:
important
#995975#5
Date:
2021-10-09 09:54:08 UTC
Dear Maintainer,

Thanks for maintaining apt-cacher-ng,

I set "BindAddress: localhost" in /etc/apt-cacher-ng/acng.conf

When I restart the service it is indeed listening on 127.0.0.1:3142 (for TCP).
But when apt-cacher starts doing something (I use it via sbuild) it also starts
listening on 0.0.0.0 plus a random port for UDP. I would expect 127.0.0.1:41044 only in:

ss -tunlp|grep apt
udp   UNCONN 0      0             0.0.0.0:41044      0.0.0.0:*    users:(("apt-cacher-ng",pid=2584993,fd=11))
tcp   LISTEN 0      250         127.0.0.1:3142       0.0.0.0:*    users:(("apt-cacher-ng",pid=2584993,fd=10))

Is there some other setting not documented in acng.conf?


Isn't this a security risk? (It gets flagged by the tiger package as such - now I do know that
in fact it may be a low risk and that it is easily mitigated via firewall rules, but I don't want
apt-cacher-ng listening on any external IP, especially when the config explicitly tells it not to.)

This did not happen in the 'buster' version, so it is a regression in the new stable release.

I also wonder why the default setting is so permissive - surely the biggest use case is for building on
localhost via sbuild or similar, and people who want to provide a cache to other machines would be able
to change the default. (But any default is fine as long as it can be changed - and the above shows the
change isn't working.)

Thanks for considering fixing this.
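
A check for the symptom reported above, added here as an example and not taken from the bug thread, apt-cacher-ng or libevent: it parses `ss -tunlp` output (the two lines from the report plus one constructed sshd line) and lists the sockets of a named process that are bound to a wildcard address instead of loopback. The `sshd` line and all field-position assumptions are constructed for this example.

```python
"""Audit `ss -tunlp` output for wildcard-bound sockets of one daemon.

Added example for this bug thread (not project code). Useful to confirm
that a daemon configured with "BindAddress: localhost" really has every
socket, TCP and UDP, on a loopback address and not on 0.0.0.0 or [::].
"""
import re
from typing import List, NamedTuple

# Constructed sample: the two lines quoted in the report plus an sshd line.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0             0.0.0.0:41044      0.0.0.0:*    users:(("apt-cacher-ng",pid=2584993,fd=11))
tcp   LISTEN 0      250         127.0.0.1:3142       0.0.0.0:*    users:(("apt-cacher-ng",pid=2584993,fd=10))
tcp   LISTEN 0      128              [::]:22            [::]:*    users:(("sshd",pid=1234,fd=3))
"""

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}
# ss prints the owner as users:(("name",pid=N,fd=M)); capture name and pid.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: str
    process: str
    pid: int


def parse_ss(text: str) -> List[Socket]:
    """Parse `ss -tunlp` data lines (header already stripped)."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # also handles [::]:22
        m = PROC_RE.search(line)
        if m is None:
            continue  # socket without a visible owner (no -p privileges)
        sockets.append(Socket(proto, addr, port, m.group(1), int(m.group(2))))
    return sockets


def wildcard_sockets(sockets: List[Socket], process: str) -> List[Socket]:
    """Sockets of `process` bound to an any-address rather than loopback."""
    return [s for s in sockets
            if s.process == process and s.local_addr in WILDCARD_ADDRS]


if __name__ == "__main__":
    for s in wildcard_sockets(parse_ss(SAMPLE_SS_OUTPUT), "apt-cacher-ng"):
        print(f"{s.proto} {s.local_addr}:{s.local_port} pid={s.pid} is wildcard-bound")
```

On a live host, feed it `ss -tunlp | tail -n +2` instead of the embedded sample.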

#995975#10
Date:
2021-10-09 13:59:09 UTC
Control: severity 995975 important
Control: 995975 notreproducible

I smell a source of confusion here. Please read that file from the start.

# IMPORTANT NOTE:
#
# THIS FILE IS MAYBE JUST ONE OF MANY CONFIGURATION FILES IN THIS DIRECTORY.
# SETTINGS MADE IN OTHER FILES CAN OVERRIDE VALUES THAT YOU CHANGE HERE. GO
# LOOK FOR OTHER CONFIGURATION FILES! CHECK THE MANUAL AND INSTALLATION NOTES
# (like README.Debian) FOR MORE DETAILS!

So, please do a "grep -i bindaddr /etc/apt-cacher-ng/*.conf" and report
what's there.

Maybe there is some debconf issue, since this value would keep updating
/etc/apt-cacher-ng/zz_debconf.conf on every update. OTOH, this:

... should also disable the assignment of BindAddress directory.

Please post zz_debconf.conf of whatever was identified by grep.

That does not make sense. First, apt-cacher is not apt-cacher-ng (it's a
different package). Second: no listening ports are bound after the
startup in apt-cacher-ng.

I cannot see 0.0.0.0:3142 here, and especially not in TCP context. What do you mean?
The UDP socket is probably the DNS resolver.

What exactly is the security risk? The default setting? Well, you
install a network daemon, wouldn't a normal user expect it to listen on
the network??

But they can change the default on installation or via debconf.

dpkg-reconfigure -plow apt-cacher-ng

Not sure what to fix yet.

Best regards,
Eduard.

#995975#15
Date:
2021-10-12 21:27:42 UTC
Hello,
* Richard Lewis [Sat, Oct 09 2021, 03:45:03PM]:

Okay so far.

It's most likely a dangling UDP socket from the evdns resolver library.
I have seen them before and they were one of the reasons why I switched
DNS resolution to libc-ares now (another reason is the SRV record
support).

I am not sure whether this is a security risk, though. The resolver
expects a response from the peer somehow. If you expect it to be extra
paranoid and listen only on a specific interface for its client
activities, that would probably be a huge implementation effort for very
little security gain.

Yes, I was referring to DNS resolver CODE in the application.

So, reassigning this to libevent now. The issue is reproducible in a
quick test in a container, and it disappears in the Sid version (which
uses the c-ares resolver instead of evdns).

Best regards,
Eduard.