Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-08-23 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2017-08-13 at 16:40 +0200, Arturo Borrero Gonzalez wrote:
> On 8 August 2017 at 17:39, Adam D. Barratt  wrote:
> >
> > Thanks. Please go ahead, with the tweaks from the earlier discussion -
> > i.e. 3.2.1-1+deb9u1, with a changelog distribution of "stretch".
> >
> 
> Uploaded, thanks.

Flagged for acceptance into p-u.

Regards,

Adam



Processed: Re: Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-08-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #868284 [release.debian.org] stretch-pu: package suricata/3.2.1-1
Added tag(s) pending.

-- 
868284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-08-13 Thread Arturo Borrero Gonzalez
On 8 August 2017 at 17:39, Adam D. Barratt  wrote:
>
> Thanks. Please go ahead, with the tweaks from the earlier discussion -
> i.e. 3.2.1-1+deb9u1, with a changelog distribution of "stretch".
>

Uploaded, thanks.



Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-08-08 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2017-07-31 at 12:07 +0200, Arturo Borrero Gonzalez wrote:
> Control: tags -1 - moreinfo
> On Tue, 25 Jul 2017 22:54:15 +0200 Arturo Borrero Gonzalez
>  wrote:
> > Currently working on it.
> >
> 
> Hi,
> 
> now unstable contains the code, package version 1:4.0.0-1

Thanks. Please go ahead, with the tweaks from the earlier discussion -
i.e. 3.2.1-1+deb9u1, with a changelog distribution of "stretch".

Regards,

Adam



Processed: Re: Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-08-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #868284 [release.debian.org] stretch-pu: package suricata/3.2.1-1
Added tag(s) confirmed.




Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-31 Thread Arturo Borrero Gonzalez
Control: tags -1 - moreinfo
On Tue, 25 Jul 2017 22:54:15 +0200 Arturo Borrero Gonzalez
 wrote:
> Currently working on it.
>

Hi,

now unstable contains the code, package version 1:4.0.0-1



Processed: Re: Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #868284 [release.debian.org] stretch-pu: package suricata/3.2.1-1
Removed tag(s) moreinfo.




Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-25 Thread Arturo Borrero Gonzalez
On Fri, 14 Jul 2017 10:36:38 +0100 "Adam D. Barratt"
 wrote:
>
> I did - the version in unstable certainly doesn't. It does contain code
> that looks exactly the same as the vulnerable code in stable, so I
> assume the bug also affects that version.
>

Ok, I cherry-picked the patch and will let you know when this lands in unstable.
Currently working on it.

Thanks



Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-14 Thread Adam D. Barratt

On 2017-07-14 9:45, Arturo Borrero Gonzalez wrote:
> Control: tags -1 - moreinfo
> 
> On 14 July 2017 at 10:31, Adam D. Barratt  wrote:
> 
> I named the new version 3.2.1-2 because by the time I wrote the
> changelog entry I didn't know
> if the package was to follow the security or stable-pu path.
> Versioning suggestions are welcome.

For either security or p-u, it's +debXuY - so in this case 
3.2.1-1+deb9u1, with a changelog distribution of "stretch" for stable.

>> I see that unstable has a 4.0 beta - I assume that also includes the 
>> patch?
> 
> Unstable is a different thing. I'm working on another issue there,
> regarding libhtp (see #783220).
> So yes, the patch will eventually land in unstable, but it isn't my
> focus right now.

Well, there's a general prerequisite that bugs that affect unstable as 
well as stable are fixed in unstable first. Both because development 
happens in unstable but also because it means patches get at least some 
testing - it's also much much easier to apply a follow-up fix in 
unstable if there turn out to be issues.

> I guess the last upstream release includes the patch, but I'm not sure
> because I didn't check.

I did - the version in unstable certainly doesn't. It does contain code 
that looks exactly the same as the vulnerable code in stable, so I 
assume the bug also affects that version.


Regards,

Adam



Processed: Re: Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-14 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #868284 [release.debian.org] stretch-pu: package suricata/3.2.1-1
Removed tag(s) moreinfo.




Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-14 Thread Arturo Borrero Gonzalez
Control: tags -1 - moreinfo

On 14 July 2017 at 10:31, Adam D. Barratt  wrote:
> Control: tags -1 + moreinfo
>
> On 2017-07-14 8:39, Arturo Borrero Gonzalez wrote:
>>
>> We have in stretch suricata 3.2.1-1 and I would like to cherry-pick a
>> patch [0]
>> on top of that.  The patch has been backported from 3.2.3.
>>
>> The change to the package is rather simple, check this git branch [1] and
>> the
>> 2 small changes since tag debian/3.2.1-1.
>>
>> The package builds just fine. Would you like me to include a debdiff?
>
>
> Always, please.
>

Ok, find it attached.

I named the new version 3.2.1-2 because by the time I wrote the
changelog entry I didn't know
if the package was to follow the security or stable-pu path.
Versioning suggestions are welcome.

> I see that unstable has a 4.0 beta - I assume that also includes the patch?
>

Unstable is a different thing. I'm working on another issue there,
regarding libhtp (see #783220).
So yes, the patch will eventually land in unstable, but it isn't my
focus right now.
I guess the last upstream release includes the patch, but I'm not sure
because I didn't check.
diff -Nru suricata-3.2.1/debian/changelog suricata-3.2.1/debian/changelog
--- suricata-3.2.1/debian/changelog 2017-03-16 09:04:03.0 +0100
+++ suricata-3.2.1/debian/changelog 2017-07-14 09:01:03.0 +0200
@@ -1,3 +1,9 @@
+suricata (3.2.1-2) UNRELEASED; urgency=medium
+
+  * [c1260ec] suricata: add patch "asn1/der: limit recursion"
+
+ -- Arturo Borrero Gonzalez   Fri, 14 Jul 2017 09:01:03 
+0200
+
 suricata (3.2.1-1) unstable; urgency=medium
 
   [ Arturo Borrero Gonzalez ]
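Review bot: the new changelog stanza is versioned `3.2.1-2` with distribution `UNRELEASED`, but a stable update uses the `+debXuY` scheme; as agreed later in this thread, the stanza should read `suricata (3.2.1-1+deb9u1) stretch; urgency=medium` before upload. The maintainer trailer also shows up split over two lines here (`... Fri, 14 Jul 2017 09:01:03` / `+0200`); that is most likely mail wrapping, but since a split trailer would break `dpkg-parsechangelog`, it is worth running `dpkg-parsechangelog -l debian/changelog` on the real file once to confirm.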
diff -Nru suricata-3.2.1/debian/patches/0001-asn1-der-stack-overflow.patch 
suricata-3.2.1/debian/patches/0001-asn1-der-stack-overflow.patch
--- suricata-3.2.1/debian/patches/0001-asn1-der-stack-overflow.patch
1970-01-01 01:00:00.0 +0100
+++ suricata-3.2.1/debian/patches/0001-asn1-der-stack-overflow.patch
2017-07-14 09:01:03.0 +0200
@@ -0,0 +1,29 @@
+From 53d8e2983162a99d1946ae27283ef1d1871fb5a1 Mon Sep 17 00:00:00 2001
+From: Victor Julien 
+Date: Mon, 10 Jul 2017 10:15:54 +0200
+Subject: [PATCH] der/asn1: limit recursion
+
+Limit the number of recursive calls in the DER/ASN.1 decoder to avoid
+stack overflows.
+
+Found using AFL.
+---
+ src/util-decode-der.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/util-decode-der.c b/src/util-decode-der.c
+index d3fb3237f3..3153361d7b 100644
+--- a/src/util-decode-der.c
 b/src/util-decode-der.c
+@@ -139,6 +139,11 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned 
char *buffer,
+ Asn1Generic *child;
+ uint8_t el_type;
+ 
++/* refuse excessive recursion */
++if (unlikely(depth == 255)) {
++return NULL;
++}
++
+ el.cls = (d_ptr[0] & 0xc0) >> 6;
+ el.pc = (d_ptr[0] & 0x20) >> 5;
+ el.tag = (d_ptr[0] & 0x1f);
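Review bot: the guard `if (unlikely(depth == 255))` fires only on exact equality, so it is correct only if `depth` advances by exactly one per recursive call and can never start above 255; `depth >= 255` would hold under either assumption at no cost and is the usual shape for a recursion limit. Separately, the nested header in this paste shows `+--- a/src/util-decode-der.c` followed by a bare `b/src/util-decode-der.c` line with no `++++` prefix; if that is really in the file rather than a mail artefact, `quilt push` will not apply the patch, so please confirm the package was built with the patch actually applied. Finally the file carries only the git header; adding DEP-3 fields such as `Origin: upstream, 53d8e2983162a99d1946ae27283ef1d1871fb5a1` and `Applied-Upstream: 3.2.3` (the version the thread says it was backported from) would record why the patch exists.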
diff -Nru suricata-3.2.1/debian/patches/series 
suricata-3.2.1/debian/patches/series
--- suricata-3.2.1/debian/patches/series2017-03-16 09:03:50.0 
+0100
+++ suricata-3.2.1/debian/patches/series2017-07-14 09:01:03.0 
+0200
@@ -1,2 +1,3 @@
+0001-asn1-der-stack-overflow.patch
 reproducible.patch
 debian-default-cfg.patch
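Review bot: the new patch is prepended to `series`, ahead of `reproducible.patch` and `debian-default-cfg.patch`. quilt applies patches in file order, so this is harmless only because the new patch touches just `src/util-decode-der.c`; appending new patches at the end keeps the series chronological and avoids refresh churn for the existing patches, so consider moving the line to the bottom.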


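The patch in the debdiff above caps recursion in Suricata's DER decoder so that a deeply nested input cannot exhaust the stack. As an added illustration, not code from this thread or from Suricata, here is a minimal recursive DER TLV walker in C with the same kind of depth guard, plus a builder that constructs nested SEQUENCE input so the guard can be exercised offline. `der_walk`, `build_nested_sequences`, `walk_nested` and the bound `MAX_DEPTH` are names and values chosen for this example (the upstream patch uses 255); the guard is written as `>=` rather than `==` so it holds regardless of the depth a caller starts from.

```c
/* Added example (not Suricata's code): a recursive DER TLV walker with a
 * recursion-depth guard, and a builder for nested test input.
 * MAX_DEPTH, der_walk, build_nested_sequences and walk_nested are names and
 * values chosen for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8   /* illustrative bound; the upstream patch uses 255 */

/* Return values of der_walk() and walk_nested(). */
enum { DER_OK = 0, DER_ERR_TRUNCATED = -1, DER_ERR_DEPTH = -2, DER_ERR_INPUT = -3 };

/* Parse one DER length field (short form, or long form of up to 4 bytes).
 * Returns the number of bytes consumed, or 0 on a malformed/truncated field. */
static size_t der_read_length(const uint8_t *p, size_t avail, size_t *len_out)
{
    if (avail < 1) return 0;
    if ((p[0] & 0x80) == 0) { *len_out = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | p[1 + i];
    *len_out = len;
    return 1 + n;
}

/* Walk a DER encoding, descending into constructed elements. `depth` is the
 * current nesting level; the guard uses >= so it also holds if a caller ever
 * starts above the bound. *max_seen receives the deepest level reached. */
int der_walk(const uint8_t *buf, size_t len, unsigned depth, unsigned *max_seen)
{
    if (depth >= MAX_DEPTH) return DER_ERR_DEPTH;   /* refuse excessive recursion */
    if (depth > *max_seen) *max_seen = depth;

    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return DER_ERR_TRUNCATED;  /* need identifier + length */
        uint8_t id = buf[off];
        int constructed = (id & 0x20) != 0;           /* P/C bit, as in the patch */
        size_t vlen;
        size_t lsz = der_read_length(buf + off + 1, len - off - 1, &vlen);
        if (lsz == 0) return DER_ERR_TRUNCATED;
        size_t hdr = 1 + lsz;
        if (vlen > len - off - hdr) return DER_ERR_TRUNCATED;  /* value overruns buffer */
        if (constructed) {
            int rc = der_walk(buf + off + hdr, vlen, depth + 1, max_seen);
            if (rc != DER_OK) return rc;
        }
        off += hdr + vlen;
    }
    return DER_OK;
}

/* Constructed test input: wrap INTEGER 1 (02 01 01) in `levels` nested
 * SEQUENCEs. Returns the encoded length, or 0 if it does not fit. */
size_t build_nested_sequences(uint8_t *out, size_t cap, unsigned levels)
{
    uint8_t tmp[512];
    size_t n = 3;
    memcpy(tmp, "\x02\x01\x01", 3);
    for (unsigned i = 0; i < levels; i++) {
        if (n + 2 > sizeof tmp || n > 127) return 0;  /* keep short-form lengths */
        memmove(tmp + 2, tmp, n);
        tmp[0] = 0x30;          /* SEQUENCE: universal, constructed, tag 16 */
        tmp[1] = (uint8_t)n;
        n += 2;
    }
    if (n > cap) return 0;
    memcpy(out, tmp, n);
    return n;
}

/* Build `levels` nested SEQUENCEs and walk them from depth 0. */
int walk_nested(unsigned levels, unsigned *max_seen)
{
    uint8_t buf[256];
    size_t n = build_nested_sequences(buf, sizeof buf, levels);
    if (n == 0) return DER_ERR_INPUT;
    *max_seen = 0;
    return der_walk(buf, n, 0, max_seen);
}

int main(void)
{
    unsigned max_seen = 0;
    int rc = walk_nested(3, &max_seen);
    printf("3 levels:  rc=%d deepest=%u\n", rc, max_seen);
    rc = walk_nested(40, &max_seen);
    printf("40 levels: rc=%d (%s)\n", rc, rc == DER_ERR_DEPTH ? "refused" : "ok");
    return 0;
}
```

Save as, say, `der_depth.c` and build with `cc -std=c99 -Wall der_depth.c`. Inputs nested fewer than `MAX_DEPTH` levels are walked to the end; deeper ones return `DER_ERR_DEPTH` at the bound instead of recursing further, and a length that overruns the buffer returns `DER_ERR_TRUNCATED`. The same bound applied as `== 255` would silently stop guarding if `depth` ever skipped past the value, which is why the comparison is `>=` here.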
Processed: Re: Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-14 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #868284 [release.debian.org] stretch-pu: package suricata/3.2.1-1
Added tag(s) moreinfo.




Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-14 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2017-07-14 8:39, Arturo Borrero Gonzalez wrote:
> We have in stretch suricata 3.2.1-1 and I would like to cherry-pick a 
> patch [0]
> on top of that.  The patch has been backported from 3.2.3.
> 
> The change to the package is rather simple, check this git branch [1] 
> and the
> 2 small changes since tag debian/3.2.1-1.
> 
> The package builds just fine. Would you like me to include a debdiff?

Always, please.

I see that unstable has a 4.0 beta - I assume that also includes the 
patch?


Regards,

Adam



Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-07-14 Thread Arturo Borrero Gonzalez
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

thanks for your work in the Debian project, it's really appreciated.

We have in stretch suricata 3.2.1-1 and I would like to cherry-pick a patch [0]
on top of that.  The patch has been backported from 3.2.3.

The change to the package is rather simple, check this git branch [1] and the
2 small changes since tag debian/3.2.1-1.

The package builds just fine. Would you like me to include a debdiff?

thanks, best regards.


[0] https://anonscm.debian.org/cgit/pkg-suricata/pkg-suricata.git/commit/?h=debian/stretch&id=c1260ec1b1ad80e6f9a28c4f97a5813a2829e24e
[1] https://anonscm.debian.org/cgit/pkg-suricata/pkg-suricata.git/log/?h=debian/stretch

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8), 
LANGUAGE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)