Bug#954716: buster-pu: package suricata/1:4.1.2-2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I would like to propose an update for the version of suricata in buster
(4.1.2-2). It addresses a problem with dropping privileges when started
in a particular runmode, which would otherwise fail in this version.
Upstream has merged this patch already [1] and it has been included in
the current version in unstable (5.0.2) [2] which the original patch author
backported to 4.1.2 to allow fixing it in buster as well.
The corresponding bug in Debian is #951181 [3] -- it has the required
severity of important and describes the issue in more detail.
I have also attached a debdiff of the proposed changes to the source
package. It builds fine in a buster chroot and all autopkgtests succeed
with no issues in a buster LXC container.
Please let me know what the next steps would be. Thanks!
Best regards
Sascha Steinbiss
[1] https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391
[2] https://suricata-ids.org/2020/02/13/suricata-5-0-2-released/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951181
diff -Nru suricata-4.1.2/debian/changelog suricata-4.1.2/debian/changelog
--- suricata-4.1.2/debian/changelog 2019-01-09 12:53:47.000000000 +0100
+++ suricata-4.1.2/debian/changelog 2020-03-22 12:07:13.000000000 +0100
@@ -1,3 +1,10 @@
+suricata (1:4.1.2-2+deb10u1) buster; urgency=medium
+
+ * Include patch for issue fixed upstream, see bug report below.
+ Closes: #951181
+
+ -- Sascha Steinbiss <satta@debian.org> Sun, 22 Mar 2020 12:07:13 +0100
+
suricata (1:4.1.2-2) unstable; urgency=medium
* Upload to unstable.
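Review bot: the changelog bullet "Include patch for issue fixed upstream, see bug report below." does not say what was fixed, so a reader of apt-listchanges or the package changelog has to open the bug to learn that this is the run-as privilege drop in the nflog runmode. Name the symptom and the upstream commit in the entry itself, e.g. "* Backport upstream commit 1262ecb to fix dropping privileges with run-as in the nflog runmode (Closes: #951181)"; the parenthesised form on the bullet line is the conventional one, though dpkg also picks up the standalone "Closes: #951181" line used here.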
diff -Nru suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
--- suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch 1970-01-01 01:00:00.000000000 +0100
+++ suricata-4.1.2/debian/patches/backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch 2020-03-22 12:06:40.000000000 +0100
@@ -0,0 +1,37 @@
+From: Timo Sigurdsson <public_timo.s@silentcreek.de>
+Date: Tue, 11 Feb 2020 23:29:06 +0100
+Subject: [PATCH] init: Fix dropping privileges in nflog runmode
+
+Using the run-as configuration option with the nflog capture method
+results in the following error during the startup of suricata:
+[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed
+
+This is because SCDropMainThreadCaps does not have any capabilities
+defined for the nflog runmode (unlike other runmodes). Therefore, apply
+the same capabilities to the nflog runmode that are already defined for
+the nfqueue runmode. This has been confirmed to allow suricata start
+and drop its privileges in the nflog runmode.
+
+Fixes redmine issue #3265.
+
+Backport of commit 1262ecb upstream to suricata 4.1.2 (Debian Buster).
+
+Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
+---
+ src/util-privs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/util-privs.c
++++ b/src/util-privs.c
+@@ -75,9 +75,10 @@
+ CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE,
+ -1);
+ break;
++ case RUNMODE_NFLOG:
+ case RUNMODE_NFQ:
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+- CAP_NET_ADMIN, /* needed for nfqueue inline mode */
++ CAP_NET_ADMIN, /* needed for nflog and nfqueue inline mode */
+ CAP_SYS_NICE,
+ -1);
+ break;
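Review bot: the patch header carries git-style From/Date/Subject lines and a free-text "Backport of commit 1262ecb upstream" sentence, but no DEP-3 Origin or Bug-Debian field, so nothing machine-readable ties this file to the upstream commit or to #951181; add "Origin: backport, https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391" and "Bug-Debian: https://bugs.debian.org/951181" (both already cited in the cover mail) above the "---" separator. On the code itself, making RUNMODE_NFLOG fall through into the RUNMODE_NFQ case is the right minimal fix: capng_updatev() adds CAP_NET_ADMIN and CAP_SYS_NICE to the effective and permitted sets before the process switches to the run-as user, which is exactly what the nflog_bind_pf() failure in the commit message needs. One wording nit: the updated comment "needed for nflog and nfqueue inline mode" reads as if nflog had an inline mode; "needed for nflog, and for nfqueue inline mode" says what is meant.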
diff -Nru suricata-4.1.2/debian/patches/series suricata-4.1.2/debian/patches/series
--- suricata-4.1.2/debian/patches/series 2019-01-09 12:19:12.000000000 +0100
+++ suricata-4.1.2/debian/patches/series 2020-03-22 12:06:05.000000000 +0100
@@ -4,3 +4,4 @@
no-use-gnu.patch
suricata-common-last.patch
fix-repeated-builds.patch
+backport-1262ecb-init-fix-dropping-privileges-in-nflog-runmode.patch
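After installing the fixed package, the practical check is whether the running Suricata has actually dropped to the run-as user while keeping the two capabilities the patched RUNMODE_NFLOG case retains. The script below is an added example, not part of this bug report or of the Suricata project; it decodes the Uid and CapEff lines of /proc/<pid>/status (CAP_NET_ADMIN is bit 12 and CAP_SYS_NICE bit 23 in the kernel's capability numbering). The status excerpt it runs on is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the Debian bug report or of Suricata): verify that
# a Suricata started with run-as in nflog mode is non-root and still holds
# CAP_NET_ADMIN (bit 12) and CAP_SYS_NICE (bit 23), the capabilities the
# patched RUNMODE_NFLOG case keeps after the privilege drop.

# cap_bit_set HEXMASK BIT: succeed if BIT is set in a capability mask written
# the way /proc/<pid>/status prints it, e.g. "0000000000801000".
cap_bit_set() {
    val=$((0x$1))
    [ $(( (val >> $2) & 1 )) -eq 1 ]
}

# Field helpers over a status file: the effective uid is the second of the
# four Uid values; CapEff is the effective capability mask.
euid_from_status() { awk '/^Uid:/ { print $3 }' "$1"; }
capeff_from_status() { awk '/^CapEff:/ { print $2 }' "$1"; }

# check_nflog_privs STATUSFILE: print findings; return 0 only if the process
# runs as a non-root uid and has both capabilities the nflog path needs.
check_nflog_privs() {
    euid=$(euid_from_status "$1")
    mask=$(capeff_from_status "$1")
    rc=0
    if [ -z "$euid" ] || [ -z "$mask" ]; then
        echo "cannot read Uid/CapEff from $1"
        return 2
    fi
    if [ "$euid" -eq 0 ]; then
        echo "effective uid is 0: run-as did not drop privileges"
        rc=1
    else
        echo "effective uid $euid (privileges dropped)"
    fi
    for pair in CAP_NET_ADMIN:12 CAP_SYS_NICE:23; do
        name=${pair%%:*}
        bit=${pair##*:}
        if cap_bit_set "$mask" "$bit"; then
            echo "$name present in CapEff=$mask"
        else
            # Missing CAP_NET_ADMIN is the state the commit message describes:
            # nflog_bind_pf() fails after the drop to the run-as user.
            echo "$name MISSING from CapEff=$mask"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed status excerpt: uid 112, CapEff with bits 12 and 23.
# On a real host run: check_nflog_privs /proc/"$(pidof suricata)"/status
sample=$(mktemp)
printf 'Name:\tSuricata-Main\nUid:\t112\t112\t112\t112\nCapEff:\t0000000000801000\n' > "$sample"
check_nflog_privs "$sample"
rm -f "$sample"
```

A full mask such as 000001ffffffffff together with uid 0 means the drop never happened; all-zero CapEff with a non-root uid is the pre-patch failure mode, where the process changed user but kept nothing, and nflog capture cannot bind.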