Your message dated Sat, 11 Apr 2009 16:47:43 +0000
with message-id <[email protected]>
and subject line Bug#503992: fixed in snort 2.7.0-20.4
has caused the Debian Bug report #503992,
regarding snort: Segfaults some time after startup, suspect some packet
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
503992: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503992
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: snort
Version: 2.7.0-20
Severity: important
Snort segfaults some time after startup, as witnessed by syslog:
Oct 30 07:58:30 treize kernel: [2835892.216074] snort[7047]: segfault at c ip
b7b66443 sp bf90d57c error 4 in libc-2.7.so[b7af0000+155000]
Oct 30 09:51:54 treize kernel: [2842695.784249] snort[13280]: segfault at 69 ip
b7c2c41b sp bfed249c error 4 in libc-2.7.so[b7bb6000+155000]
I attached a gdb to my snort instance on eth0 (internet), it segfaulted
after about 5 minutes.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7b288c0 (LWP 14885)]
0xb7b9f443 in strlen () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0 0xb7b9f443 in strlen () from /lib/i686/cmov/libc.so.6
#1 0xb7b6c1ac in vfprintf () from /lib/i686/cmov/libc.so.6
#2 0xb7b903b4 in vsnprintf () from /lib/i686/cmov/libc.so.6
#3 0x08063194 in ?? ()
#4 0xbfa44213 in ?? ()
#5 0x00000400 in ?? ()
#6 0x080d0070 in ?? ()
#7 0xbfa44624 in ?? ()
#8 0x00000000 in ?? ()
This type of segfaults has seemed to happen quite regularly since
october 27th. It looks like it happens more often when processing
bittorrent traffic.
I upgraded snort on october 23th:
[UPGRADE] snort 2.7.0-19 -> 2.7.0-20
[UPGRADE] snort-common 2.7.0-19 -> 2.7.0-20
[UPGRADE] snort-common-libraries 2.7.0-19 -> 2.7.0-20
[UPGRADE] snort-rules-default 2.7.0-19 -> 2.7.0-20
I don't remember this happening before.
I have no pcap trace.
I can search the logs, but I don't know what to look for. I can
investigate more if needed.
Thanks a lot for your help.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages snort depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libgcrypt11 1.4.1-1 LGPL Crypto library - runtime libr
ii libgnutls26 2.4.2-1 the GNU TLS library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libltdl3 1.5.26-4 A system independent dlopen wrappe
ii libpcap0.8 0.9.8-5 system interface for user-level pa
ii libpcre3 7.8-2 Perl 5 Compatible Regular Expressi
ii libprelude2 0.9.18.1-1 Hybrid Intrusion Detection System
ii libtasn1-3 1.5-1 Manage ASN.1 structures (runtime)
ii logrotate 3.7.1-5 Log rotation utility
ii snort-common 2.7.0-20 flexible Network Intrusion Detecti
ii snort-common-libraries 2.7.0-20 flexible Network Intrusion Detecti
ii snort-rules-default 2.7.0-20 flexible Network Intrusion Detecti
ii sysklogd [system-log-d 1.5-5 System Logging Daemon
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages snort recommends:
ii iproute 20080725-2 networking and traffic control too
Versions of packages snort suggests:
pn snort-doc <none> (no description available)
-- debconf information:
* snort/startup: boot
snort/please_restart_manually:
* snort/stats_treshold: 1
* snort/address_range: any
* snort/options:
snort/invalid_interface:
* snort/interface: eth0 eth1
* snort/stats_rcpt: root
* snort/send_stats: true
snort/config_parameters:
* snort/config_error:
* snort/reverse_order: false
* snort/disable_promiscuous: false
--- End Message ---
--- Begin Message ---
Source: snort
Source-Version: 2.7.0-20.4
We believe that the bug you reported is fixed in the latest version of
snort, which is due to be installed in the Debian FTP archive:
snort-common-libraries_2.7.0-20.4_i386.deb
to pool/main/s/snort/snort-common-libraries_2.7.0-20.4_i386.deb
snort-common_2.7.0-20.4_all.deb
to pool/main/s/snort/snort-common_2.7.0-20.4_all.deb
snort-doc_2.7.0-20.4_all.deb
to pool/main/s/snort/snort-doc_2.7.0-20.4_all.deb
snort-mysql_2.7.0-20.4_i386.deb
to pool/main/s/snort/snort-mysql_2.7.0-20.4_i386.deb
snort-pgsql_2.7.0-20.4_i386.deb
to pool/main/s/snort/snort-pgsql_2.7.0-20.4_i386.deb
snort-rules-default_2.7.0-20.4_all.deb
to pool/main/s/snort/snort-rules-default_2.7.0-20.4_all.deb
snort_2.7.0-20.4.diff.gz
to pool/main/s/snort/snort_2.7.0-20.4.diff.gz
snort_2.7.0-20.4.dsc
to pool/main/s/snort/snort_2.7.0-20.4.dsc
snort_2.7.0-20.4_i386.deb
to pool/main/s/snort/snort_2.7.0-20.4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <[email protected]> (supplier of updated snort
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 22 Mar 2009 00:16:44 +0100
Source: snort
Binary: snort snort-common snort-doc snort-mysql snort-pgsql
snort-rules-default snort-common-libraries
Architecture: source i386 all
Version: 2.7.0-20.4
Distribution: stable
Urgency: high
Maintainer: Javier Fernandez-Sanguino Pen~a <[email protected]>
Changed-By: Javier Fernandez-Sanguino Pen~a <[email protected]>
Description:
snort - flexible Network Intrusion Detection System
snort-common - flexible Network Intrusion Detection System [common files]
snort-common-libraries - flexible Network Intrusion Detection System ruleset
snort-doc - Documentation for the Snort IDS [documentation]
snort-mysql - flexible Network Intrusion Detection System [MySQL]
snort-pgsql - flexible Network Intrusion Detection System [PostgreSQL]
snort-rules-default - flexible Network Intrusion Detection System ruleset
Closes: 503992
Changes:
snort (2.7.0-20.4) stable; urgency=high
.
* Fix error in call to LogMessage (missing parameters) which caused a
segfault when fragmented packages were received. This bug was introduced in
the patch to fix CVE-2008-1804. Urgency set to 'high' as in some
circunstances it makes Snort fail to start on startup or die after
working for only a few minutes. Also, this could be used as a DoS
attack against an IDS sensor rendering it useless. (Closes: #503992)
Checksums-Sha1:
ce6f21a883cc4ddf8150b6a3ec9f90f4c8715ef9 1400 snort_2.7.0-20.4.dsc
49de34081f5c1c4359fd133fc3f4e6432e83d06d 3905896 snort_2.7.0.orig.tar.gz
8f277ab6576e994f9ecdcac1ba50131e21df1228 1600286 snort_2.7.0-20.4.diff.gz
0d9065d32a89cb91cfc9bc9da99ebff510cbe913 463592 snort_2.7.0-20.4_i386.deb
05306537eff106c82fc418e1515d48165c94ac5d 474504 snort-mysql_2.7.0-20.4_i386.deb
08123055c336a13ae2b205207ba7595f290375b6 474306 snort-pgsql_2.7.0-20.4_i386.deb
ebe67c951e87db2d6cd84174d13a0a76ed82797f 244674
snort-common-libraries_2.7.0-20.4_i386.deb
e3134802cf4eb382ba9570c940dcb23966cc3abc 147488 snort-common_2.7.0-20.4_all.deb
0b793a8c6f8323b05f78c96f51b3d0379a7b0e41 2303916 snort-doc_2.7.0-20.4_all.deb
98a7638a5e1d016d4698ae2780c1ec8a3e7559a0 402292
snort-rules-default_2.7.0-20.4_all.deb
Checksums-Sha256:
159a887a5cb36f10f96ec75b661ed0b11126c441ac7a4a358a8587548aaaeea5 1400
snort_2.7.0-20.4.dsc
77260162ce98fa6684699465f8f3a8f6b90decc475f51903d2f558e92056ce9d 3905896
snort_2.7.0.orig.tar.gz
8fe0f515c0d380c2ad0831e3c00648e50c41b00695526e95ec6fa1f67ecf8913 1600286
snort_2.7.0-20.4.diff.gz
e2402cb58156d450119d8e542db9bf3cb9a39c04950d79ca33f91ec32bbdbd46 463592
snort_2.7.0-20.4_i386.deb
4fe4ade341771bfa87c96240067c72daa85cd6fc805e14938870e7f4755cba7d 474504
snort-mysql_2.7.0-20.4_i386.deb
4cb9fb0590e84c86d0b8c0938cc407a7fcb1dbe2b3f1f49bac7a59ee923340f2 474306
snort-pgsql_2.7.0-20.4_i386.deb
241790bb770637e4f9791aa7d4126d7178600d2e05eee1ae8c1ede413fd3b649 244674
snort-common-libraries_2.7.0-20.4_i386.deb
7dde6985735ee750e655e8d26350b498abac8f8dd683a7bffce74a0c9bf8c513 147488
snort-common_2.7.0-20.4_all.deb
b08f847b4741caf486798682aa734f2999caf1f3cd222282f948294b5fb1e77c 2303916
snort-doc_2.7.0-20.4_all.deb
152c71e2da87d00e5f12f85496632b2d3369dddfd6813f8d6cf0fcb79dec29b2 402292
snort-rules-default_2.7.0-20.4_all.deb
Files:
606f3c39ff67ac75c60747105a9c9cc9 1400 net optional snort_2.7.0-20.4.dsc
f4f11f793599750614ee5c477744e648 3905896 net optional snort_2.7.0.orig.tar.gz
e512633a5ef47926a5f1ad9dea27db0e 1600286 net optional snort_2.7.0-20.4.diff.gz
c1b3a381a244d946ef774ae2c23d5cca 463592 net optional snort_2.7.0-20.4_i386.deb
515e1ec33087fdea198fb506d7416d74 474504 net extra
snort-mysql_2.7.0-20.4_i386.deb
2f9aec20901f26bcbcb329c5937b85e1 474306 net optional
snort-pgsql_2.7.0-20.4_i386.deb
44b020c6af8b4a5af4665fc2e719e264 244674 net optional
snort-common-libraries_2.7.0-20.4_i386.deb
471b487c65dafbc9a466d02b3b12dec3 147488 net optional
snort-common_2.7.0-20.4_all.deb
66f7bb6108356fda7648fbe9f013bfbd 2303916 doc optional
snort-doc_2.7.0-20.4_all.deb
623e47ca21640e155d12f32a6bcc8280 402292 net optional
snort-rules-default_2.7.0-20.4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJxs3ysandgtyBSwkRAh0kAJ4vZjhHjcR190fkAczYi7iLSsMVcQCfUrp2
THmHDILTdkEW7Yv8iFu4sx4=
=xQb3
-----END PGP SIGNATURE-----
--- End Message ---
