Bug #2883: ssh: heap buffer overflow
Bug #2884: mpls: heap buffer overflow in file decode-mpls.c
Bug #2887: decode-ethernet: heap buffer overflow in file decode-ethernet.c
Bug #2894: smb 1 create andx request does not parse the filename correctly
Bug #2903: mpls: cast of misaligned data leads to undefined behavior
Bug #2943: rust/nfs: integer underflow

CVE-2019-10053 (https://nvd.nist.gov/vuln/detail/CVE-2019-10053): An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow.

CVE-2019-10050 (https://nvd.nist.gov/vuln/detail/CVE-2019-10050): A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash.

Gentoo Security Padawan (domhnall)
ssh: heap buffer overflow
https://redmine.openinfosecfoundation.org/issues/2883

mpls: heap buffer overflow in file decode-mpls.c
https://redmine.openinfosecfoundation.org/issues/2884

decode-ethernet: heap buffer overflow in file decode-ethernet.c
https://redmine.openinfosecfoundation.org/issues/2887

smb 1 create andx request does not parse the filename correctly
https://redmine.openinfosecfoundation.org/issues/2894

mpls: cast of misaligned data leads to undefined behavior
https://redmine.openinfosecfoundation.org/issues/2903

rust/nfs: integer underflow
https://redmine.openinfosecfoundation.org/issues/2943
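The two CVE descriptions in the bug summary above (CVE-2019-10053, a length underflow while looking for "\r" in an SSH banner consisting only of "\n", and CVE-2019-10050, a missing remaining-length check after the MPLS label-stack loop) illustrated in an added C example. This is not Suricata's code: the function names, the banner-length arithmetic shown as "vulnerable", the shim layout helpers and the sample packets are all constructed for illustration. The vulnerable arithmetic is exposed as a pure function that returns the bad length instead of performing the over-read, so the example runs safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- CVE-2019-10053 bug class: banner length arithmetic ------------------ */

/* Hypothetical: returns the length that faulty code would hand to a "\r"
 * search covering the bytes before the "\n". It performs no memory access;
 * it only exposes the value. For the one-byte input "\n" the '\n' sits at
 * offset 0, so (0 - 1) wraps to UINT32_MAX, and a search using that length
 * would read far past the end of the heap buffer. */
uint32_t vulnerable_cr_search_len(const uint8_t *input, uint32_t input_len)
{
    const uint8_t *nl = memchr(input, '\n', input_len);
    if (nl == NULL)
        return 0;
    return (uint32_t)(nl - input) - 1;      /* BUG: underflows when nl == input */
}

/* Hardened parse: returns the length of the "SSH-..." identification string
 * without its CR/LF, or -1 if the line is incomplete or malformed. */
int64_t parse_ssh_banner_len(const uint8_t *input, uint32_t input_len)
{
    if (input == NULL || input_len == 0)
        return -1;
    const uint8_t *nl = memchr(input, '\n', input_len);
    if (nl == NULL)
        return -1;                          /* wait for the complete line */
    size_t line_len = (size_t)(nl - input); /* bytes before the '\n' */
    if (line_len == 0)
        return -1;                          /* "\n" alone: nothing to inspect */
    if (input[line_len - 1] == '\r')
        line_len--;                         /* safe: line_len >= 1 here */
    if (line_len < 4 || memcmp(input, "SSH-", 4) != 0)
        return -1;
    if (line_len + 2 > 255)                 /* RFC 4253 4.2: max 255 incl. CRLF */
        return -1;
    return (int64_t)line_len;
}

/* ---- CVE-2019-10050 bug class: label-stack walk, no post-loop check ------ */

#define MPLS_SHIM_LEN 4
#define MPLS_BOTTOM_OF_STACK(shim) (((shim) >> 8) & 1u)   /* S bit of the shim */

enum mpls_payload {
    MPLS_PAYLOAD_INVALID = -1,  /* buffer too short at some point */
    MPLS_PAYLOAD_UNKNOWN = 0,
    MPLS_PAYLOAD_IPV4    = 4,
    MPLS_PAYLOAD_IPV6    = 6,
};

/* Walks the label stack, then classifies the payload from its first nibble.
 * Every read is preceded by a remaining-length check; the check right after
 * the loop is the kind of validation the CVE text describes as missing. */
int decode_mpls(const uint8_t *pkt, size_t len, size_t *consumed)
{
    size_t off = 0;
    uint32_t shim;
    do {
        if (len - off < MPLS_SHIM_LEN)
            return MPLS_PAYLOAD_INVALID;      /* truncated label entry */
        shim = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16)
             | ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
        off += MPLS_SHIM_LEN;
    } while (!MPLS_BOTTOM_OF_STACK(shim));
    if (consumed)
        *consumed = off;
    if (len - off < 1)
        return MPLS_PAYLOAD_INVALID;          /* bottom of stack reached, no payload byte */
    switch (pkt[off] >> 4) {
    case 4:  return MPLS_PAYLOAD_IPV4;        /* next-layer decoder checks its own minimum */
    case 6:  return MPLS_PAYLOAD_IPV6;
    default: return MPLS_PAYLOAD_UNKNOWN;
    }
}

/* Constructed sample packets: label 16 (not bottom) then label 100 (bottom), TTL 64. */
static const uint8_t PKT_IPV4[]       = {0x00,0x01,0x00,0x40, 0x00,0x06,0x41,0x40, 0x45,0x00,0x00,0x14};
static const uint8_t PKT_NO_PAYLOAD[] = {0x00,0x06,0x41,0x40};
static const uint8_t PKT_TRUNC_SHIM[] = {0x00,0x01,0x00,0x40, 0x00,0x06};

int main(void)
{
    printf("vulnerable search len for \"\\n\": %u\n",
           vulnerable_cr_search_len((const uint8_t *)"\n", 1));
    printf("hardened banner len: %lld\n",
           (long long)parse_ssh_banner_len((const uint8_t *)"SSH-2.0-OpenSSH_7.9\r\n", 21));
    printf("mpls: %d %d %d\n",
           decode_mpls(PKT_IPV4, sizeof PKT_IPV4, NULL),
           decode_mpls(PKT_NO_PAYLOAD, sizeof PKT_NO_PAYLOAD, NULL),
           decode_mpls(PKT_TRUNC_SHIM, sizeof PKT_TRUNC_SHIM, NULL));
    return 0;
}
```

The common pattern in both fixes is that every length subtraction is guarded by a check that the minuend is large enough, and a "nothing left" condition is treated as invalid input rather than silently used as an offset.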
(https://lists.openinfosecfoundation.org/pipermail/oisf-announce/2019-May/000474.html): Thu May 9 09:09:33 UTC 2019

Hi all,

Suricata 4.0.x is now end of life. This means no further 4.0.x releases will be made. Please make sure you update your sensors to the 4.1 branch.

We've also updated our deprecated features page here: https://suricata-ids.org/about/deprecation-policy/

Filestore v1 has been added to the list. It will be removed in about a year. The old text drop.log will be removed at the same time.

Regards,
Victor

--
Victor Julien
Suricata Lead Developer
suricata-ids.org
*** Bug 694350 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff68b17b8a390b596900f49b8bb3a73ecaf7ea9c

commit ff68b17b8a390b596900f49b8bb3a73ecaf7ea9c
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-12-01 20:13:33 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-01 20:19:39 +0000

    package.mask: Last rite net-analyzer/suricata

    Bug: https://bugs.gentoo.org/686428
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
I'm confused. My system just posted this message upon a routine update:

"The following installed packages are masked:
- net-analyzer/suricata-4.0.4::gentoo (masked by: package.mask)
/usr/portage/profiles/package.mask:
# Michał Górny <mgorny@gentoo.org> (2019-12-01)
# Multiple unresolved vulnerabilities. The current Gentoo version
# has reached EOL upstream. The package hasn't been bumped since
# mid-2018.
# Removal in 30 days. Bug #686428. "

OK, so I went to the Suricata homepage, it looks active and very innovative:

https://suricata-ids.org/category/news/

With release 5.0.

So is the problem that we (gentoo) do not have a maintainer?

net-analyzer/suricata [gentoo]
Maintainer: slis@gentoo.org
Upstream: None specified
Homepage: https://suricata-ids.org/
Location: /usr/portage/net-analyzer/suricata
Keywords: 4.0.4:0: ~amd64 ~x86
License: GPL-2

If that is the case, I'm willing to help and eventually take it over.

James
(In reply to James from comment #5)
> I'm confused. My system just posted this message upon a routine update:
>
> "The following installed packages are masked:
> - net-analyzer/suricata-4.0.4::gentoo (masked by: package.mask)
> /usr/portage/profiles/package.mask:
> # Michał Górny <mgorny@gentoo.org> (2019-12-01)
> # Multiple unresolved vulnerabilities. The current Gentoo version
> # has reached EOL upstream. The package hasn't been bumped since
> # mid-2018.
> # Removal in 30 days. Bug #686428. "
>
> OK, so I went to the Suricata homepage, it looks active and very innovative:
>
> https://suricata-ids.org/category/news/
>
> With release 5.0.
>
> So is the problem that we (gentoo) do not have a maintainer?
>
> net-analyzer/suricata [gentoo]
> Maintainer: slis@gentoo.org
> Upstream: None specified
> Homepage: https://suricata-ids.org/
> Location: /usr/portage/net-analyzer/suricata
> Keywords: 4.0.4:0: ~amd64 ~x86
> License: GPL-2
>
> If that is the case, I'm willing to help and eventually take it over.
>
> James

Hi, I think that's correct. I asked for a bump to 4.1.4 a month or so back with a mention of the CVEs; instead suricata was masked. I'd be happy if someone would maintain suricata, as I'm using it in production.

BTW: the ebuild bump from 4.0.4 to 4.1.4 was trivial; not sure about 5.0.
(In reply to Christian Samsel from comment #6)
> I'd be happy if someone would maintain suricata as I'm using it in
> production.

I need it too, but a spare pair of hands is always appreciated, so how about I add both you and myself as new maintainers?
I use suricata in production too, while I have 4.1.5 simply re-bumped from 4.0.4 (removed patches, renamed files/* scripts) with a simply renamed net-libs/libhtp-0.5.31.ebuild. But I use/test only nfqueue mode...
PS: Rescue operation: fast-bumped 5.0 and saved libhtp-0.5.31 into my overlay ("raw"). 5.0 added rust (cargo) to DEPEND and changed the install. Now look into /usr/share/suricata (this is upstream behaviour, not mine). Quickly tested only with USE="detection logrotate nfqueue rules".

https://github.com/mahatma-kaganovich/raw/tree/master/net-analyzer/suricata
https://github.com/mahatma-kaganovich/raw/tree/master/net-libs/libhtp
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3fe5e0ccbcf0af56e2d7e0c2c6231a2026df2f9

commit f3fe5e0ccbcf0af56e2d7e0c2c6231a2026df2f9
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2019-12-16 18:10:25 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2019-12-16 18:10:25 +0000

    net-analyzer/suricata: remove vulnerable 4.0.4

    Bug: https://bugs.gentoo.org/690196
    Bug: https://bugs.gentoo.org/686428
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-analyzer/suricata/Manifest                                         |   1 -
 .../files/suricata-4.0.4_configure-lua-flags.patch                     |  16 --
 .../suricata/files/suricata-4.0.4_sockios.patch                        |  13 --
 .../{suricata-4.0.4-conf => suricata-5.0.0-conf}                       |   0
 .../{suricata-4.0.4-init => suricata-5.0.0-init}                       |   0
 net-analyzer/suricata/suricata-4.0.4.ebuild                            | 171 ---------------------
 net-analyzer/suricata/suricata-5.0.0.ebuild                            |   4 +-
 7 files changed, 2 insertions(+), 203 deletions(-)
Okay, 5.0.0 is now in the tree. There are still some minor issues to be resolved (systemd unit doesn't work out of the box because it specifies neither the interface(s) to listen on nor a mode of operation; FEATURES=test still doesn't pull in Coccinelle in spite of src_config attempting to enable its use; Python code is not byte-compiled; everything still uses /var/run instead of /run) but in general it seems usable. Will keep on working on this in the near future.
Created attachment 599916
suricata latest stable 4.1.6

Ebuild and files for Suricata 4.x stable branch.

Hi,

Please, pretty please, do not remove this package from the tree. Fortunately, I found this bug report with a linked GIT PR. I would have made my own PR, but I think it's best if there's just one.

I'm using Suricata 4.1.6, and I'm attaching my custom ebuild and files. I believe 4.x should be in the tree before 5.x because it should have fewer bugs. Having both the latest 4.x and 5.x would be great, of course.

Please feel free to import whatever may be useful from my attached files to your GIT PR.

Thanks
Please take a look at:
https://bugs.gentoo.org/703184
https://bugs.gentoo.org/703178
Is suricata-5.0.0_configure-lua-flags.patch still necessary?

Replacing /var/run with /run in the init script is trivial.

Possible bashisms in the suricata init script.
Reminder to the security team that this can be resolved now.