Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 352133 - net-analyzer/snort-2.9.0.3 on hardened amd64
Summary: net-analyzer/snort-2.9.0.3 on hardened amd64
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Patrick Lauer
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-19 15:10 UTC by Dan Candea
Modified: 2011-01-27 12:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dan Candea 2011-01-19 15:10:46 UTC 
PAX: From xxxxxx: execution attempt in: <anonymous mapping>, 331cd17000-331dba6000 331cd17000
PAX: terminating task: /usr/bin/snort(snort):5788, uid/euid: 0/0, PC: 000000331d8caf90, SP: 000003ba6f74a138
PAX: bytes at PC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PAX: bytes at SP-8: 000000331db06670 0000034cc840e16d 0000000000000000 000000331db06770 000003ba6f74a190 0000034cc840e08a 000000331db067d0 000000331ca8bf46 000000051db06810 000003ba6f74a1c0 0000000000000000 
grsec: From 62.231.86.211: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/snort[snort:5788] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:12140] uid/euid:0/0 gid/egid:0/0
Comment 1 Wormo (RETIRED) gentoo-dev 2011-01-24 07:03:59 UTC 
I take it you already know how to use paxctl to disable protections on snort as needed, but you are reporting violation in case somebody is up to fixing snort?
Comment 2 Dan Candea 2011-01-24 09:42:37 UTC 
(In reply to comment #1)
> I take it you already know how to use paxctl to disable protections on snort as
> needed, but you are reporting violation in case somebody is up to fixing snort?
> 

yes, with MPROTECT disabled is working.
Comment 3 Jason Wallace 2011-01-26 00:39:58 UTC 
I do not know a lot about PAX, but this looks like an issue that would need to be reported upstream to the Sourcefire folks.

Am I correct in assuming this isn't something I can address in the ebuild?
Comment 4 Dan Candea 2011-01-26 08:51:32 UTC 
it could be done in the ebuild , on postinstall command paxctl -m /usr/bin/snort disables mprotect, but I'm not sure this is the solution, but just a workaround.
Comment 5 Jason Wallace 2011-01-26 13:38:27 UTC 
Yea I don't think that is a "fix" and it would require artificially DEPEND'ing on pax-utils in the ebuild, which is really an option. 

Can you post the output from "emerge --info" and "emerge -vp snort" to this bug?

I'll open a bug upstream with the SF folks and point them to this bug posting.
Comment 6 Jason Wallace 2011-01-26 13:39:28 UTC 
The above should say "which is really NOT an option."

(In reply to comment #5)
> Yea I don't think that is a "fix" and it would require artificially DEPEND'ing
> on pax-utils in the ebuild, which is really an option. 
> 
> Can you post the output from "emerge --info" and "emerge -vp snort" to this
> bug?
> 
> I'll open a bug upstream with the SF folks and point them to this bug posting.
>
Comment 7 Dan Candea 2011-01-26 13:41:16 UTC 
Portage 2.1.8.3 (hardened/linux/amd64/no-multilib, gcc-4.3.4, glibc-2.11.2-r3, 2.6.32-hardened-r9-oxxie x86_64)
=================================================================
System uname: Linux-2.6.32-hardened-r9-oxxie-x86_64-Intel-R-_Pentium-R-_D_CPU_3.40GHz-with-gentoo-1.12.13
Timestamp of tree: Sat, 22 Jan 2011 21:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p35
dev-lang/python:     2.6.4
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
sys-devel/make:      3.81
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe -fomit-frame-pointer -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O2 -pipe -fomit-frame-pointer -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X509 acl acpi amd64 apache2 avi bzip2 cairo cdr clamav clamd cracklib crypt cxx dbus dcc directfb diskio dovecot-sasl dvd dvdread extensions fam fbcon ftp gdbm gpm hal hardened hpn iconv imap ipv6 justify libg++ maildir mime mmx modules mppe-mppc mudflap mysql mzscheme ncurses nls nptl nptlonly openmp opensslcrypt pam pdflib pic postfix python pyzor razor readline sendfile session sguil shaper sharedmem snmp sse sse2 ssl subject-rewrite sysfs tools udev unicode urandom xml zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS


emerge -vp snort

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-analyzer/snort-2.9.0.3  USE="active-response decoder-preprocessor-rules dynamicplugin flexresp3 ipv6 linux-smp-stats mysql perfprofiling react threads zlib -aruba -debug -gre -inline-init-failopen -mpls -normalizer* -odbc -postgres -ppm -prelude -reload-error-restart (-selinux) -static -targetbased" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
Comment 8 Dan Candea 2011-01-27 12:57:55 UTC 
can't reproduce the problem to produce a core dump