
Bug#991270: marked as done (unblock: suricata/6.0.1-3)



Your message dated Tue, 20 Jul 2021 19:23:32 +0200
with message-id <CAM8zJQtJm5o=t3r91FRe7x9xQXPmF5qi6Y+BujtGJKddJ2_aNA@mail.gmail.com>
and subject line Re: Bug#991270: unblock: suricata/6.0.1-3
has caused the Debian Bug report #991270,
regarding unblock: suricata/6.0.1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991270
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package suricata

This minimal patch that I added fixes CVE-2021-35063 by backporting the
corresponding fix commit from upstream [1]. By doing so it addresses
#990835.

I have added a debdiff to this bug report that illustrates the
situation. I could upload to unstable anytime. Please let me know if the
fix is appropriate and I will initiate an upload if confirmed.

Thanks
Sascha

[1] https://github.com/OISF/suricata/commit/556570f7dd7f21f11cffda5ebcb72738a29cbb90 

unblock suricata/6.0.1-3
diff -Nru suricata-6.0.1/debian/changelog suricata-6.0.1/debian/changelog
--- suricata-6.0.1/debian/changelog	2020-12-11 09:35:57.000000000 +0100
+++ suricata-6.0.1/debian/changelog	2021-07-19 13:26:22.000000000 +0200
@@ -1,3 +1,10 @@
+suricata (1:6.0.1-3) unstable; urgency=medium
+
+  * Address CVE-2021-35063 by backporting upstream fix.
+    Closes: #990835
+
+ -- Sascha Steinbiss <satta@debian.org>  Mon, 19 Jul 2021 13:26:22 +0200
+
 suricata (1:6.0.1-2) unstable; urgency=medium
 
   * Also specify explicit separate '-latomic' reference on mipsel.
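Review bot: the changelog entry names the CVE and closes #990835 but does not say which patch file carries the fix or which upstream commit it backports; adding the patch name (`stream-no-reject-bad-ack.patch`) and the upstream commit id 556570f7dd7f21f11cffda5ebcb72738a29cbb90 to the entry would let the security tracker and later readers trace the fix without opening the debdiff.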
diff -Nru suricata-6.0.1/debian/patches/series suricata-6.0.1/debian/patches/series
--- suricata-6.0.1/debian/patches/series	2020-12-09 23:02:55.000000000 +0100
+++ suricata-6.0.1/debian/patches/series	2021-07-19 13:26:22.000000000 +0200
@@ -9,3 +9,4 @@
 remove-conflicting-python-file.patch
 avoid-to-include-if_tunnel-h.patch
 llc.patch
+stream-no-reject-bad-ack.patch
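Review bot: nothing in `debian/patches/series` connects this new entry to CVE-2021-35063 because the file name does not carry the CVE id; a name such as `CVE-2021-35063-stream-no-reject-bad-ack.patch` follows the usual Debian convention and makes the security fix visible from the series listing alone. Appending it last is fine as far as this listing shows: the preceding patch names (`remove-conflicting-python-file.patch`, `avoid-to-include-if_tunnel-h.patch`, `llc.patch`) do not suggest any overlap with `src/stream-tcp.c`.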
diff -Nru suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch
--- suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch	1970-01-01 01:00:00.000000000 +0100
+++ suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch	2021-07-19 13:26:22.000000000 +0200
@@ -0,0 +1,30 @@
+From 556570f7dd7f21f11cffda5ebcb72738a29cbb90 Mon Sep 17 00:00:00 2001
+From: Eric Leblond <el@stamus-networks.com>
+Date: Fri, 28 May 2021 12:19:38 +0200
+Subject: [PATCH] stream/tcp: don't reject on bad ack
+
+Not using a packet for the streaming analysis when a non zero
+ACK value and ACK bit was unset was leading to evasion as it was
+possible to start a session with a SYN packet with a non zero ACK
+value to see the full TCP stream to escape all stream and application
+layer detection.
+
+This addresses CVE-2021-35063.
+
+Fixes: fa692df37 ("stream: reject broken ACK packets")
+
+Ticket: #4504.
+---
+ src/stream-tcp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/src/stream-tcp.c
++++ b/src/stream-tcp.c
+@@ -4789,7 +4789,6 @@
+     /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */
+     if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
+         StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
+-        goto error;
+     }
+ 
+     /* If we are on IPS mode, and got a drop action triggered from
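Review bot: the embedded patch keeps only the `git format-patch` header and has no DEP-3 fields; adding `Origin: upstream, https://github.com/OISF/suricata/commit/556570f7dd7f21f11cffda5ebcb72738a29cbb90` and `Bug-Debian: https://bugs.debian.org/990835` at the top would make the provenance machine-readable. It is also worth confirming in the build log that the hunk applies without fuzz: the upstream commit is dated 28 May 2021 against a newer tree than the 6.0.1 sources from December 2020, so `@@ -4789,7 +4789,6 @@` may land at a different offset in the 6.0.1 copy of `src/stream-tcp.c`. On the change itself, dropping only `goto error` is the right minimal fix: `StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK)` is still called, so any rule keyed on that stream event continues to fire, while the packet now proceeds into stream handling instead of being excluded from all stream and application-layer inspection, which is the evasion the commit message describes.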

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
