Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 161632 - net-analyzer/snort < Rule Matching Backtrack DoS (CVE-2006-6931)
Summary: net-analyzer/snort < Rule Matching Backtrack DoS (CVE-2006-6931)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2007-01-11 21:27 UTC by Executioner
Modified: 2007-02-13 23:55 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

multilib strict fix for amd64's pleasure (snort-,446 bytes, patch)
2007-02-03 21:25 UTC, Alexis Ballier
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Executioner 2007-01-11 21:27:28 UTC
Randy Smith, Christian Estan, and Somesh Jha have reported a vulnerability in Snort, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

The problem is that the rule matching algorithm of Snort can be exploited to perform numerous time-consuming operations, which may lead to a decreased or zero detection rate via a specially crafted packet.

The vulnerability is reported in version 2.4.3. Other versions may also be affected.

Reproducible: Didn't try
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-13 23:25:33 UTC
Fixed in 2.6.1 and the 2.6.1.x tree

But the 2.6.1 version introduced another (weaker) vulnerability, see bug 161750
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-14 00:08:24 UTC
CCing netmon should help.

(In reply to comment #1)
> Fixed in 2.6.1 and the 2.6.1.x tree

sorry, my bad: there are several fixes.
All known vulnerabilities are fixed in >=

netmon team, please bump, thanks.

netmon, in the same time, if you could make use of the GRE support with --enable--gre and a "gre" USE-flag, *and* add the GRE vulnerability backport patch [1], this will be perfect , thanks :)


Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-26 12:42:20 UTC is in the tree

arches pls test and mark stable
Comment 4 Markus Meier gentoo-dev 2007-01-26 20:40:47 UTC
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, i686)
System uname: i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.6
Last Sync: Thu, 25 Jan 2007 19:00:01 +0000
ccache version 2.4 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
LINGUAS="en de en_GB"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="x86 3dnow 3dnowext X a52 aac alsa apache2 berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt cups dbus divx4linux dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss exif fam ffmpeg firefox fortran gdbm gif gnome gphoto2 gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_en linguas_en_GB mad mikmod mmx mmxext mono mp3 mpeg ncurses network nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl svg tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xprint xv xvid zlib"
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2007-01-27 10:25:46 UTC
ppc64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-01-27 13:52:32 UTC
x86 stable
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2007-01-31 17:04:48 UTC
Can an amd64 dev look at this one, I got a multilib-strict failure on mine.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-31 19:01:54 UTC
ppc stable
Comment 9 Alexis Ballier gentoo-dev 2007-02-03 21:25:54 UTC
Created attachment 109042 [details, diff]
multilib strict fix for amd64's pleasure

here is a patch that should fix multilib strict checks needed for amd64
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 19:01:55 UTC
ping amd64
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2007-02-11 12:45:03 UTC
Thanks Alexis for the patch, amd64 is stable
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-11 12:57:30 UTC

i vote  yes due to a DoS on an IDS.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 22:33:43 UTC
i'm actually the only active member of the security team, so i can't apply the policy telling that 2 positive votes include a GLSA. 

Let's have one btw :)
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-13 23:55:48 UTC
GLSA 200702-03, thanks to everybody.