Summary: | Snort Security Vulnerability - Remotely exploitable buffer overflow in 1.8.x, 1.9.x, and 2.0 < RC1 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Bug Hunter <tidoineurope> |
Component: | Current packages | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | blocker | CC: | stian |
Priority: | Highest | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10 | ||
Attachments: | Snort 2.0.0 ebuild; Alpha patch for 2.0.0 | ||
Description
Bug Hunter
2003-04-15 16:50:59 UTC
The ideal fix to this and bug #18737 is to upgrade to Snort v. 2.0 released yesterday (04/14/2004).

Created attachment 10799
Snort 2.0.0 ebuild
This ebuild addresses the changes in 2.0.0

Created attachment 10800
Alpha patch for 2.0.0

This is my attempt at making a patch for Alpha, but I have no way to test it (at the moment).

I also would worry about these instances of u_int:

grep u_int spp_http_decode.c
>static u_int unidecode(char *in, u_int len, u_int * overlong_flag);
> u_int16_t psize; /* payload size */
> u_int overlong_flag;
> url = (u_int8_t *) UriBufs[0].uri;
> psize = (u_int16_t) (p->dsize);
> /* UriBufs[0].http_version = (u_int8_t *) index; */
>static u_int unidecode(char *in, u_int len, u_int * overlong_flag)

fyi from the CERT advisory <http://www.cert.org/advisories/CA-2003-13.html>:

Disable affected preprocessor modules

Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor modules in the "snort.conf" configuration file.

To prevent exploitation of VU#139129, comment out the following line:

    preprocessor stream4_reassemble

To prevent exploitation of VU#916785, comment out the following line:

    preprocessor rpc_decode: 111 32771

After commenting out the affected modules, send a SIGHUP signal to the affected Snort process to update the configuration.

Note that disabling these modules may have adverse affects on a sensor's ability to correctly process RPC record fragments and TCP packet fragments. In particular, disabling the "stream4" preprocessor module will prevent the Snort sensor from detecting a variety of IDS evasion attacks.

*** Bug 18737 has been marked as a duplicate of this bug. ***

glsa sent
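
The CERT workaround quoted in the thread above, as an added example that is not part of the original bug report or of Snort: a shell helper that comments out the two affected preprocessor lines in a snort.conf and reports what is still active. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the CERT CA-2003-13 workaround to a snort.conf.
# Function names and the sample config below are constructed, not Snort's own.

# Print active (uncommented) lines that enable an affected preprocessor.
active_affected() {
    grep -E '^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode)([[:space:]:]|$)' "$1"
}

# Comment out the affected lines in place; the previous version is saved as
# <file>.bak. Already-commented lines do not match, so a second run changes nothing.
disable_affected() {
    conf=$1
    out=$(mktemp) || return 1
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+(stream4_reassemble|rpc_decode)([[:space:]:].*)?)$/\1# \2/' \
        "$conf" > "$out" && cp -p "$conf" "$conf.bak" && cat "$out" > "$conf"
    rc=$?
    rm -f "$out"
    return $rc
}

# Constructed sample config for a dry run.
write_sample_conf() {
    cat > "$1" <<'EOF'
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
  preprocessor rpc_decode: 111 32771
# preprocessor rpc_decode: 111
preprocessor http_decode: 80 unicode
EOF
}

# Dry run: echo how many lines still enable an affected module after the edit.
demo() {
    sample=$(mktemp) || return 1
    write_sample_conf "$sample"
    disable_affected "$sample" || return 1
    remaining=$(active_affected "$sample" | wc -l | tr -d ' ')
    rm -f "$sample" "$sample.bak"
    echo "$remaining"
}

# On a live sensor: disable_affected <path to snort.conf>, then reload as the
# advisory says by sending SIGHUP to the Snort process (kill -HUP <pid>).
```

The match is anchored on the module name, so `preprocessor stream4: ...` itself stays enabled and only `stream4_reassemble` and `rpc_decode` are commented out, as the advisory specifies.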