Bug 686428 (CVE-2019-10050, CVE-2019-10053) - net-analyzer/suricata: multiple vulnerabilities
Summary: net-analyzer/suricata: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2019-10050, CVE-2019-10053
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial
Deadline: 2019-12-31
Assignee: Gentoo Security
URL: https://suricata-ids.org/2019/04/30/s...
Whiteboard: ~3 [ebuild]
Keywords: PMASKED
Duplicates: 694350
Depends on:
Blocks:
 
Reported: 2019-05-21 01:10 UTC by D'juan McDonald (domhnall)
Modified: 2019-12-18 22:40 UTC
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---


Attachments
suricata latest stable 4.1.6 (suricata.tar.gz, 4.71 KB, application/x-gzip)
2019-12-16 22:10 UTC, Vieri

Description D'juan McDonald (domhnall) 2019-05-21 01:10:12 UTC
Bug #2883: ssh: heap buffer overflow

Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c

Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c

Bug #2894: smb 1 create andx request does not parse the filename correctly

Bug #2903: mpls: cast of misaligned data leads to undefined behavior

Bug #2943: rust/nfs: integer underflow


(https://nvd.nist.gov/vuln/detail/CVE-2019-10053):
An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow.


(https://nvd.nist.gov/vuln/detail/CVE-2019-10050):
A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash.


Gentoo Security Padawan
(domhnall)
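Both NVD descriptions above reduce to the same defensive point: a parser computed a length or an index from attacker-controlled input and then used it without checking that it was still inside the buffer (a zero-length SSH banner line whose "look back for \r" wraps below zero; an MPLS packet whose trailing payload is only 2 bytes after the shim loop). The following is an added illustration of those two bug classes and is not Suricata's code or code from this bug: the function names `parse_banner_line` and `decode_mpls_stack`, the sample packets and the 20-byte minimum payload are all constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the two bug classes described in the NVD
 * text quoted above. This is NOT Suricata's code; names and layouts are
 * simplified for the example.
 */

/* --- CVE-2019-10053 class: length underflow when stripping a trailing "\r" --- */

/* The unchecked index a naive parser would use to look one byte back from
 * the end of the line. It is returned as a value and never dereferenced, so
 * this is safe to run: for line_len == 0 it wraps to SIZE_MAX. */
size_t unchecked_cr_index(size_t line_len) {
    return line_len - 1;
}

/* Hardened version: returns the banner length without its line terminator,
 * or -1 when no complete line has arrived yet. */
long parse_banner_line(const uint8_t *buf, size_t buf_len) {
    const uint8_t *nl = memchr(buf, '\n', buf_len);
    if (nl == NULL)
        return -1;                       /* incomplete line, wait for more data */
    size_t line_len = (size_t)(nl - buf);
    /* Look back for "\r" only when there is a byte to look at. */
    if (line_len > 0 && buf[line_len - 1] == '\r')
        line_len--;
    return (long)line_len;
}

/* --- CVE-2019-10050 class: no length validation after the shim loop --- */

#define MPLS_SHIM_LEN 4u
#define MPLS_BOTTOM_OF_STACK 0x100u      /* S bit of a big-endian MPLS shim word */
#define MIN_PAYLOAD_ASSUMED 20u          /* assumption: smallest payload we can decode */

enum mpls_result { MPLS_OK = 0, MPLS_TRUNCATED_STACK = 1, MPLS_PAYLOAD_TOO_SHORT = 2 };

/* Walks the MPLS label stack. Every shim read is bounds-checked, and the
 * length left after the loop is validated before it is handed to the next
 * decoder instead of being trusted. */
enum mpls_result decode_mpls_stack(const uint8_t *pkt, size_t len,
                                   size_t min_payload, size_t *payload_off) {
    size_t off = 0;
    for (;;) {
        if (len - off < MPLS_SHIM_LEN)
            return MPLS_TRUNCATED_STACK;  /* the shim header itself is cut off */
        uint32_t shim = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16)
                      | ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
        off += MPLS_SHIM_LEN;
        if (shim & MPLS_BOTTOM_OF_STACK)
            break;
    }
    if (len - off < min_payload)
        return MPLS_PAYLOAD_TOO_SHORT;    /* the missing check: too few trailing bytes */
    *payload_off = off;
    return MPLS_OK;
}

/* Constructed sample packets (not real captures). */
static const uint8_t SAMPLE_SHORT_PAYLOAD[] = {
    0x00, 0x01, 0x00, 0x40,   /* shim 1, S bit clear */
    0x00, 0x02, 0x01, 0x40,   /* shim 2, S bit set: bottom of stack */
    0x45, 0x00                /* only 2 bytes of "payload" follow */
};
static const uint8_t SAMPLE_TRUNCATED[] = { 0x00, 0x01, 0x00, 0x40, 0x00, 0x02 };
static const uint8_t SAMPLE_GOOD[24]    = { 0x00, 0x00, 0x01, 0x00 }; /* one shim + 20 zero bytes */

/* Convenience wrappers so the results can be checked by name. */
enum mpls_result classify_mpls(const uint8_t *pkt, size_t len) {
    size_t off = 0;
    return decode_mpls_stack(pkt, len, MIN_PAYLOAD_ASSUMED, &off);
}

size_t mpls_payload_offset(const uint8_t *pkt, size_t len) {
    size_t off = 0;
    return decode_mpls_stack(pkt, len, MIN_PAYLOAD_ASSUMED, &off) == MPLS_OK ? off : 0;
}

int main(void) {
    printf("unchecked index for empty line: %zu\n", unchecked_cr_index(0));
    printf("banner length of \"\\n\": %ld\n", parse_banner_line((const uint8_t *)"\n", 1));
    printf("short payload -> %d, truncated -> %d, good -> %d (payload at %zu)\n",
           classify_mpls(SAMPLE_SHORT_PAYLOAD, sizeof SAMPLE_SHORT_PAYLOAD),
           classify_mpls(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           classify_mpls(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           mpls_payload_offset(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    return 0;
}
```

The pattern to take away for review of any decoder is the same in both halves: check that a byte exists before looking at it (`line_len > 0`), and re-validate the remaining length after every loop that consumes input rather than assuming the loop exit condition implies a sane remainder.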
Comment 1 D'juan McDonald (domhnall) 2019-05-21 01:30:02 UTC
ssh: heap buffer overflow
https://redmine.openinfosecfoundation.org/issues/2883

mpls: heapbuffer overflow in file decode-mpls.c
https://redmine.openinfosecfoundation.org/issues/2884

decode-ethernet: heapbuffer overflow in file decode-ethernet.c
https://redmine.openinfosecfoundation.org/issues/2887

smb 1 create andx request does not parse the filename correctly
https://redmine.openinfosecfoundation.org/issues/2894

mpls: cast of misaligned data leads to undefined behavior
https://redmine.openinfosecfoundation.org/issues/2903

rust/nfs: integer underflow
https://redmine.openinfosecfoundation.org/issues/2943
Comment 2 D'juan McDonald (domhnall) 2019-05-21 07:14:03 UTC
(https://lists.openinfosecfoundation.org/pipermail/oisf-announce/2019-May/000474.html): Thu May 9 09:09:33 UTC 2019

Hi all,

Suricata 4.0.x is now end of life. This means no further 4.0.x releases
will be made. Please make sure you update your sensors to the 4.1 branch.

We've also updated our deprecated features page here
https://suricata-ids.org/about/deprecation-policy/

Filestore v1 has been added to the list. It will be removed in about a year.
The old text drop.log will be removed at the same time.

Regards,
Victor

-- 
Victor Julien
Suricata Lead Developer
suricata-ids.org
Comment 3 Jeroen Roovers gentoo-dev 2019-09-14 10:57:02 UTC
*** Bug 694350 has been marked as a duplicate of this bug. ***
Comment 4 Larry the Git Cow gentoo-dev 2019-12-01 20:19:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff68b17b8a390b596900f49b8bb3a73ecaf7ea9c

commit ff68b17b8a390b596900f49b8bb3a73ecaf7ea9c
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-12-01 20:13:33 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-01 20:19:39 +0000

    package.mask: Last rite net-analyzer/suricata
    
    Bug: https://bugs.gentoo.org/686428
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 5 James 2019-12-03 19:20:48 UTC
I'm confused. My system just posted this message upon a routine update:

"The following installed packages are masked:
- net-analyzer/suricata-4.0.4::gentoo (masked by: package.mask)
/usr/portage/profiles/package.mask:
# Michał Górny <mgorny@gentoo.org> (2019-12-01)
# Multiple unresolved vulnerabilities.  The current Gentoo version
# has reached EOL upstream.  The package hasn't been bumped since
# mid-2018.
# Removal in 30 days.  Bug #686428. "


OK, so I went to the Suricata homepage, it looks active and very innovative:

https://suricata-ids.org/category/news/

With release 5.0.

So is the problem that we (gentoo) do not have a maintainer?

net-analyzer/suricata [gentoo]
Maintainer:  slis@gentoo.org
Upstream:    None specified
Homepage:    https://suricata-ids.org/
Location:    /usr/portage/net-analyzer/suricata
Keywords:    4.0.4:0: ~amd64 ~x86
License:     GPL-2


If that is the case, I'm willing to help and eventually take it over.


James
Comment 6 Christian Samsel 2019-12-03 21:38:45 UTC
(In reply to James from comment #5)
> I'm confused. My system just posted this message upon a routine update:
> 
> "The following installed packages are masked:
> - net-analyzer/suricata-4.0.4::gentoo (masked by: package.mask)
> /usr/portage/profiles/package.mask:
> # Michał Górny <mgorny@gentoo.org> (2019-12-01)
> # Multiple unresolved vulnerabilities.  The current Gentoo version
> # has reached EOL upstream.  The package hasn't been bumped since
> # mid-2018.
> # Removal in 30 days.  Bug #686428. "
> 
> 
> OK, so I went to the Suricata homepage, it looks active and very innovative:
> 
> https://suricata-ids.org/category/news/
> 
> With release 5.0.
> 
> So is the problem that we (gentoo) do not have a maintainer?
> 
> net-analyzer/suricata [gentoo]
> Maintainer:  slis@gentoo.org
> Upstream:    None specified
> Homepage:    https://suricata-ids.org/
> Location:    /usr/portage/net-analyzer/suricata
> Keywords:    4.0.4:0: ~amd64 ~x86
> License:     GPL-2
> 
> 
> If that is the case, I'm willing to help and eventually take it over.
> 
> 
> James
Hi,
I think that's correct. I asked for a bump to 4.1.4 a month or so back with a mention of the CVEs - instead suricata was masked.
I'd be happy if someone would maintain suricata as I'm using it in production.
BTW: the ebuild bump from 4.0.4 to 4.1.4 was trivial - not sure about 5.0
Comment 7 Marek Szuba gentoo-dev 2019-12-04 10:30:52 UTC
(In reply to Christian Samsel from comment #6)

> I'd be happy if someone would maintain suricata as I'm using it in
> production.

I need it too but a spare pair of hands is always appreciated - so how about I add both you and myself as new maintainers?
Comment 8 Denis Kaganovich 2019-12-04 20:22:19 UTC
I use suricata in production too, and I have 4.1.5 simply re-bumped from 4.0.4 (removed patches, renamed files/* scripts) together with a simply renamed net-libs/libhtp-0.5.31.ebuild. But I use/test only nfqueue mode...
Comment 9 Denis Kaganovich 2019-12-04 21:13:15 UTC
PS Rescue operation: fast bump to 5.0 & save libhtp-0.5.31 into my overlay ("raw").
5.0 added rust (cargo) to DEPEND and changed the install. Now look into /usr/share/suricata (this is upstream behaviour, not mine). Quickly tested only with USE="detection logrotate nfqueue rules".

https://github.com/mahatma-kaganovich/raw/tree/master/net-analyzer/suricata
https://github.com/mahatma-kaganovich/raw/tree/master/net-libs/libhtp
Comment 10 Larry the Git Cow gentoo-dev 2019-12-16 18:14:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3fe5e0ccbcf0af56e2d7e0c2c6231a2026df2f9

commit f3fe5e0ccbcf0af56e2d7e0c2c6231a2026df2f9
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2019-12-16 18:10:25 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2019-12-16 18:10:25 +0000

    net-analyzer/suricata: remove vulnerable 4.0.4
    
    Bug: https://bugs.gentoo.org/690196
    Bug: https://bugs.gentoo.org/686428
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-analyzer/suricata/Manifest                     |   1 -
 .../files/suricata-4.0.4_configure-lua-flags.patch |  16 --
 .../suricata/files/suricata-4.0.4_sockios.patch    |  13 --
 .../{suricata-4.0.4-conf => suricata-5.0.0-conf}   |   0
 .../{suricata-4.0.4-init => suricata-5.0.0-init}   |   0
 net-analyzer/suricata/suricata-4.0.4.ebuild        | 171 ---------------------
 net-analyzer/suricata/suricata-5.0.0.ebuild        |   4 +-
 7 files changed, 2 insertions(+), 203 deletions(-)
Comment 11 Marek Szuba gentoo-dev 2019-12-16 18:37:46 UTC
Okay, 5.0.0 is now in the tree. There are still some minor issues to be resolved (systemd unit doesn't work out of the box because it specifies neither the interface(s) to listen on nor a mode of operation; FEATURES=test still doesn't pull in Coccinelle in spite of src_config attempting to enable its use; Python code is not byte-compiled; everything still uses /var/run instead of /run) but in general it seems usable. Will keep on working on this in the near future.
Comment 12 Vieri 2019-12-16 22:10:00 UTC
Created attachment 599916
suricata latest stable 4.1.6

Ebuild and files for Suricata 4.x stable branch.

Hi,

Please, pretty please, do not remove this package from the tree.

Fortunately, I found this bug report with a linked GIT PR.
I would have made my own PR, but I think it's best if there's just one.

I'm using Suricata 4.1.6, and I'm attaching my custom ebuild and files. I believe 4.x should be in the tree before 5.x because it should have fewer bugs.
Having both the latest 4.x and 5.x would be great, of course.

Please feel free to import whatever may be useful from my attached files to your GIT PR.

Thanks
Comment 13 Vieri 2019-12-17 08:59:54 UTC
Please take a look at:

https://bugs.gentoo.org/703184

https://bugs.gentoo.org/703178
Comment 14 Vieri 2019-12-17 09:07:37 UTC
Is suricata-5.0.0_configure-lua-flags.patch still necessary?

Replacing /var/run with /run in the init script is trivial.

Possible bashisms in suricata init script.