Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package suricata

This minimal patch that I added fixes CVE-2021-35063 by backporting the corresponding fix commit from upstream [1]. By doing so it addresses #990835. I have added a debdiff to this bug report that illustrates the situation.

I could upload to unstable anytime. Please let me know if the fix is appropriate and I will initiate an upload if confirmed.

Thanks
Sascha

[1] https://github.com/OISF/suricata/commit/556570f7dd7f21f11cffda5ebcb72738a29cbb90

unblock suricata/6.0.1-3
diff -Nru suricata-6.0.1/debian/changelog suricata-6.0.1/debian/changelog --- suricata-6.0.1/debian/changelog 2020-12-11 09:35:57.000000000 +0100 +++ suricata-6.0.1/debian/changelog 2021-07-19 13:26:22.000000000 +0200 @@ -1,3 +1,10 @@ +suricata (1:6.0.1-3) unstable; urgency=medium + + * Address CVE-2021-35063 by backporting upstream fix. + Closes: #990835 + + -- Sascha Steinbiss <sa...@debian.org> Mon, 19 Jul 2021 13:26:22 +0200 + suricata (1:6.0.1-2) unstable; urgency=medium * Also specify explicit separate '-latomic' reference on mipsel. diff -Nru suricata-6.0.1/debian/patches/series suricata-6.0.1/debian/patches/series --- suricata-6.0.1/debian/patches/series 2020-12-09 23:02:55.000000000 +0100 +++ suricata-6.0.1/debian/patches/series 2021-07-19 13:26:22.000000000 +0200 @@ -9,3 +9,4 @@ remove-conflicting-python-file.patch avoid-to-include-if_tunnel-h.patch llc.patch +stream-no-reject-bad-ack.patch diff -Nru suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch --- suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch 1970-01-01 01:00:00.000000000 +0100 +++ suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch 2021-07-19 13:26:22.000000000 +0200 
@@ -0,0 +1,30 @@ +From 556570f7dd7f21f11cffda5ebcb72738a29cbb90 Mon Sep 17 00:00:00 2001 +From: Eric Leblond <e...@stamus-networks.com> +Date: Fri, 28 May 2021 12:19:38 +0200 +Subject: [PATCH] stream/tcp: don't reject on bad ack + +Not using a packet for the streaming analysis when a non zero +ACK value and ACK bit was unset was leading to evasion as it was +possible to start a session with a SYN packet with a non zero ACK +value to see the full TCP stream to escape all stream and application +layer detection. + +This addresses CVE-2021-35063. + +Fixes: fa692df37 ("stream: reject broken ACK packets") + +Ticket: #4504. +--- + src/stream-tcp.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/src/stream-tcp.c ++++ b/src/stream-tcp.c +@@ -4789,7 +4789,6 @@ + /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */ + if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) { + StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK); +- goto error; + } + + /* If we are on IPS mode, and got a drop action triggered from
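Review bot: the new debian/patches/stream-no-reject-bad-ack.patch carries only the git From/Date/Subject lines as its DEP-3 header, so the provenance given in the bug report is lost in the source package; add `Origin: backport, https://github.com/OISF/suricata/commit/556570f7dd7f21f11cffda5ebcb72738a29cbb90` and `Bug-Debian: https://bugs.debian.org/990835` above the `---` separator. On the change itself: the stream-tcp.c hunk deletes only `goto error;` and keeps the preceding `StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);`, so a packet with the ACK flag clear and a non-zero acknowledgment number is still recorded as a broken-ACK anomaly while it now continues into stream tracking instead of being discarded, which is the behaviour the commit message describes as closing the evasion; the `1 file changed, 1 deletion(-)` summary matches the hunk, and it is worth confirming that the `@@ -4789,7 +4789,6 @@` context applies to the 6.0.1 source without offset or fuzz, since the upstream commit is dated several months after that release.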