Your message dated Tue, 20 Jul 2021 19:23:32 +0200
with message-id
<CAM8zJQtJm5o=t3r91fre7x9xqxpmf5qi6y+bujtgjkddj2_...@mail.gmail.com>
and subject line Re: Bug#991270: unblock: suricata/6.0.1-3
has caused the Debian Bug report #991270,
regarding unblock: suricata/6.0.1-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
991270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991270
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package suricata
This minimal patch that I added fixes CVE-2021-35063 by backporting the
corresponding fix commit from upstream [1]. By doing so it addresses
#990835.
I have added a debdiff to this bug report that illustrates the
situation. I could upload to unstable anytime. Please let me know if the
fix is appropriate and I will initiate an upload if confirmed.
Thanks
Sascha
[1] https://github.com/OISF/suricata/commit/556570f7dd7f21f11cffda5ebcb72738a29cbb90
unblock suricata/6.0.1-3
diff -Nru suricata-6.0.1/debian/changelog suricata-6.0.1/debian/changelog
--- suricata-6.0.1/debian/changelog 2020-12-11 09:35:57.000000000 +0100
+++ suricata-6.0.1/debian/changelog 2021-07-19 13:26:22.000000000 +0200
@@ -1,3 +1,10 @@
+suricata (1:6.0.1-3) unstable; urgency=medium
+
+ * Address CVE-2021-35063 by backporting upstream fix.
+ Closes: #990835
+
+ -- Sascha Steinbiss <[email protected]> Mon, 19 Jul 2021 13:26:22 +0200
+
suricata (1:6.0.1-2) unstable; urgency=medium
* Also specify explicit separate '-latomic' reference on mipsel.
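Review bot: the new changelog entry names the CVE and the bug it closes but not the upstream commit that is being backported; since the request body already cites 556570f7dd7f21f11cffda5ebcb72738a29cbb90, wording the bullet as `* Address CVE-2021-35063 by backporting upstream commit 556570f7. Closes: #990835` would make the provenance visible from the changelog alone, which is what security-tracker readers look at first.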
diff -Nru suricata-6.0.1/debian/patches/series
suricata-6.0.1/debian/patches/series
--- suricata-6.0.1/debian/patches/series 2020-12-09 23:02:55.000000000
+0100
+++ suricata-6.0.1/debian/patches/series 2021-07-19 13:26:22.000000000
+0200
@@ -9,3 +9,4 @@
remove-conflicting-python-file.patch
avoid-to-include-if_tunnel-h.patch
llc.patch
+stream-no-reject-bad-ack.patch
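Review bot: appending the new patch at the end of series is fine since it touches only src/stream-tcp.c, but a file name carrying the identifier, e.g. `CVE-2021-35063-stream-no-reject-bad-ack.patch`, would let anyone grepping debian/patches for the CVE find the backport without opening the changelog.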
diff -Nru suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch
suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch
--- suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch
1970-01-01 01:00:00.000000000 +0100
+++ suricata-6.0.1/debian/patches/stream-no-reject-bad-ack.patch
2021-07-19 13:26:22.000000000 +0200
@@ -0,0 +1,30 @@
+From 556570f7dd7f21f11cffda5ebcb72738a29cbb90 Mon Sep 17 00:00:00 2001
+From: Eric Leblond <[email protected]>
+Date: Fri, 28 May 2021 12:19:38 +0200
+Subject: [PATCH] stream/tcp: don't reject on bad ack
+
+Not using a packet for the streaming analysis when a non zero
+ACK value and ACK bit was unset was leading to evasion as it was
+possible to start a session with a SYN packet with a non zero ACK
+value to see the full TCP stream to escape all stream and application
+layer detection.
+
+This addresses CVE-2021-35063.
+
+Fixes: fa692df37 ("stream: reject broken ACK packets")
+
+Ticket: #4504.
+---
+ src/stream-tcp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/src/stream-tcp.c
++++ b/src/stream-tcp.c
+@@ -4789,7 +4789,6 @@
+ /* broken TCP
http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set
*/
+ if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
+ StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
+- goto error;
+ }
+
+ /* If we are on IPS mode, and got a drop action triggered from
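Review bot: the `/* broken TCP ... */` comment at the top of the hunk still reads as a justification for discarding the packet, but once `goto error;` is gone the packet is only tagged with STREAM_PKT_BROKEN_ACK and then continues into stream tracking; extending the comment with one line saying the packet is deliberately kept so that a SYN carrying a non-zero ACK number cannot bypass stream and application-layer inspection (the evasion the commit message describes) would stop the next reader from re-adding the early exit. The change itself is a faithful copy of upstream: the hunk header goes from 7 to 6 lines, matching the stated single deletion, and the event is still raised so existing stream-event rules keep alerting on such packets. Because the file uses git format-patch headers, adding DEP-3 lines `Origin: upstream, https://github.com/OISF/suricata/commit/556570f7dd7f21f11cffda5ebcb72738a29cbb90` and `Bug-Debian: https://bugs.debian.org/990835` above the `---` separator would link the backport to both trackers.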
--- End Message ---
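To make the behavioural difference behind this backport concrete, here is an added C example; it is not Suricata's code and not part of the bug report or the debdiff. It parses a constructed 20-byte TCP header, applies the same "ACK flag clear but ACK number non-zero" condition as the patched code, and shows both policies side by side: the pre-fix one, which records the broken-ACK event and then drops the packet out of stream analysis (the evadable behaviour), and the fixed one, which records the event and keeps analysing the packet. The names parse_tcp, is_broken_ack, classify, build_syn, the verdict enum and the sample packets are all this example's own, constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TCP flag bits from the header's flags byte (offset 13), as in RFC 793. */
#define TH_SYN 0x02
#define TH_ACK 0x10

/* Hypothetical verdicts used by this example only. */
enum stream_verdict {
    VERDICT_MALFORMED = 0,      /* header too short to parse */
    VERDICT_NORMAL,             /* consistent header: handed to stream analysis */
    VERDICT_BROKEN_ACK_DROPPED, /* pre-fix policy: event set, packet skipped */
    VERDICT_BROKEN_ACK_FLAGGED  /* fixed policy: event set, packet still analysed */
};

struct tcp_view {
    uint32_t seq;
    uint32_t ack;
    uint8_t flags;
};

/* Extract sequence number, acknowledgement number and flags from the
 * fixed 20-byte TCP header (network byte order). Returns 0 on success. */
static int parse_tcp(const uint8_t *buf, size_t len, struct tcp_view *out)
{
    if (buf == NULL || len < 20)
        return -1;
    out->seq = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
               ((uint32_t)buf[6] << 8) | (uint32_t)buf[7];
    out->ack = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
               ((uint32_t)buf[10] << 8) | (uint32_t)buf[11];
    out->flags = buf[13];
    return 0;
}

/* The condition the patched code checks: ACK number present while the
 * ACK flag is clear. */
static int is_broken_ack(const struct tcp_view *t)
{
    return !(t->flags & TH_ACK) && t->ack != 0;
}

/* Classify one packet under either policy. reject_broken == 1 models the
 * pre-fix behaviour (the removed early exit), 0 models the fixed code.
 * *event_set reports whether the broken-ACK event would be raised. */
static enum stream_verdict classify(const uint8_t *buf, size_t len,
                                    int reject_broken, int *event_set)
{
    struct tcp_view t;
    *event_set = 0;
    if (parse_tcp(buf, len, &t) != 0)
        return VERDICT_MALFORMED;
    if (is_broken_ack(&t)) {
        *event_set = 1;  /* both policies record the anomaly for rules */
        return reject_broken ? VERDICT_BROKEN_ACK_DROPPED
                             : VERDICT_BROKEN_ACK_FLAGGED;
    }
    return VERDICT_NORMAL;
}

/* Build a constructed 20-byte SYN header (no options) with the given
 * acknowledgement number; ports and sequence number are arbitrary. */
static void build_syn(uint8_t *buf, uint32_t ack)
{
    memset(buf, 0, 20);
    buf[0] = 0xc3; buf[1] = 0x50;   /* source port 50000 */
    buf[2] = 0x00; buf[3] = 0x50;   /* destination port 80 */
    buf[4] = 0x01; buf[5] = 0x02; buf[6] = 0x03; buf[7] = 0x04; /* seq */
    buf[8] = (uint8_t)(ack >> 24); buf[9] = (uint8_t)(ack >> 16);
    buf[10] = (uint8_t)(ack >> 8); buf[11] = (uint8_t)ack;
    buf[12] = 0x50;                 /* data offset: 5 words = 20 bytes */
    buf[13] = TH_SYN;               /* SYN only: ACK flag deliberately clear */
    buf[14] = 0xff; buf[15] = 0xff; /* window */
}

/* Wrappers that return the outcome for a constructed SYN with a given
 * ACK number under a given policy. */
static enum stream_verdict verdict_for_syn(uint32_t ack, int reject_broken)
{
    uint8_t pkt[20];
    int ev;
    build_syn(pkt, ack);
    return classify(pkt, sizeof pkt, reject_broken, &ev);
}

static int event_for_syn(uint32_t ack, int reject_broken)
{
    uint8_t pkt[20];
    int ev;
    build_syn(pkt, ack);
    (void)classify(pkt, sizeof pkt, reject_broken, &ev);
    return ev;
}

int main(void)
{
    static const char *names[] = { "malformed", "normal",
                                   "broken-ack: dropped from analysis",
                                   "broken-ack: flagged, still analysed" };
    printf("SYN ack=0          pre-fix: %s\n", names[verdict_for_syn(0, 1)]);
    printf("SYN ack=0x11223344 pre-fix: %s\n", names[verdict_for_syn(0x11223344u, 1)]);
    printf("SYN ack=0x11223344 fixed:   %s\n", names[verdict_for_syn(0x11223344u, 0)]);
    return 0;
}
```

The point of keeping the packet, as the fixed policy does, is that the anomaly is still recorded for rule matching while the session itself continues to be tracked; under the pre-fix policy the event was raised but every later packet of a session opened this way went unseen by the stream and application-layer engines.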
--- Begin Message ---
Unblocked.
--- End Message ---