Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package suricata

This minimal patch that I added fixes CVE-2021-35063 by backporting the
corresponding fix commit from upstream [1]. By doing so it addresses
#990835.

I have added a debdiff to this bug report that illustrates the
situation. I could upload to unstable anytime. Please let me know if the
fix is appropriate and I will initiate an upload if confirmed.

Thanks
Sascha

[1] https://github.com/OISF/suricata/commit/556570f7dd7f21f11cffda5ebcb72738a29cbb90

unblock suricata/6.0.1-3
diff -Nru suricata-6.0.1/debian/changelog suricata-6.0.1/debian/changelog
--- suricata-6.0.1/debian/changelog     2020-12-11 09:35:57.000000000 +0100
+++ suricata-6.0.1/debian/changelog     2021-07-19 13:26:22.000000000 +0200
@@ -1,3 +1,10 @@
+suricata (1:6.0.1-3) unstable; urgency=medium
+
+  * Address CVE-2021-35063 by backporting upstream fix.
+    Closes: #990835
+
+ -- Sascha Steinbiss <sa...@debian.org>  Mon, 19 Jul 2021 13:26:22 +0200
+
 suricata (1:6.0.1-2) unstable; urgency=medium
 
   * Also specify explicit separate '-latomic' reference on mipsel.
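Review bot: the changelog entry names the CVE and the bug but not what actually changed in the package, so a reader cannot tell from the changelog which patch file carries the fix or which upstream commit it was taken from. Suggest spelling it out in the item, e.g. `* Add stream-no-reject-bad-ack.patch, backporting upstream commit 556570f7 to address CVE-2021-35063 (Closes: #990835)`. The separate `Closes: #990835` continuation line is accepted by the BTS as written; the in-line parenthesised form is just the more usual style.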
diff -Nru suricata-6.0.1/debian/patches/series 
suricata-6.0.1/debian/patches/series
--- suricata-6.0.1/debian/patches/series        2020-12-09 23:02:55.000000000 
+0100
+++ suricata-6.0.1/debian/patches/series        2021-07-19 13:26:22.000000000 
+0200
@@ -9,3 +9,4 @@
 remove-conflicting-python-file.patch
 avoid-to-include-if_tunnel-h.patch
 llc.patch
+stream-no-reject-bad-ack.patch
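Review bot: the new patch is appended after llc.patch, so it is applied last in the quilt series, which is the right place for a standalone upstream backport. Since its single hunk is addressed at line 4789 of src/stream-tcp.c using the upstream commit's line numbers, it is worth confirming with `quilt push -a` on the unpacked 6.0.1 source that the hunk applies without offset or fuzz before the upload; nothing else in the series ordering needs to change.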
diff -Nru suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch 
suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch
--- suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch        
1970-01-01 01:00:00.000000000 +0100
+++ suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch        
2021-07-19 13:26:22.000000000 +0200
@@ -0,0 +1,30 @@
+From 556570f7dd7f21f11cffda5ebcb72738a29cbb90 Mon Sep 17 00:00:00 2001
+From: Eric Leblond <e...@stamus-networks.com>
+Date: Fri, 28 May 2021 12:19:38 +0200
+Subject: [PATCH] stream/tcp: don't reject on bad ack
+
+Not using a packet for the streaming analysis when a non zero
+ACK value and ACK bit was unset was leading to evasion as it was
+possible to start a session with a SYN packet with a non zero ACK
+value to see the full TCP stream to escape all stream and application
+layer detection.
+
+This addresses CVE-2021-35063.
+
+Fixes: fa692df37 ("stream: reject broken ACK packets")
+
+Ticket: #4504.
+---
+ src/stream-tcp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/src/stream-tcp.c
++++ b/src/stream-tcp.c
+@@ -4789,7 +4789,6 @@
+     /* broken TCP 
http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set
 */
+     if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
+         StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
+-        goto error;
+     }
+ 
+     /* If we are on IPS mode, and got a drop action triggered from
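Review bot: as quoted here the `/* broken TCP ... */` context line is wrapped across three lines, with the `http://ask.wireshark.org/...` URL and the closing ` */` appearing on their own lines without a diff prefix; that is almost certainly mail-client wrapping rather than the contents of the file, but please make sure the patch file in the upload keeps that comment on one line, otherwise quilt will refuse the hunk. On the header: the git-style `From:`/`Date:`/`Subject:` lines serve as the DEP-3 origin, but adding a `Bug-Debian: https://bugs.debian.org/990835` line would tie the patch file to the bug it closes. Functionally the change is only the removal of `goto error`: a packet with a nonzero acknowledgment number but no ACK flag is still tagged with `STREAM_PKT_BROKEN_ACK`, so the event stays visible to stream-event rules, but the packet now continues into stream tracking instead of being discarded, which is what closes the evasion described in the commit message.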
