rpms/snort/devel snort-2.4.4-demarc-patch.diff, NONE, 1.1 snort.spec, 1.9, 1.10
Dennis Gilmore (ausil)
fedora-extras-commits at redhat.com
Fri Jun 2 15:25:20 UTC 2006
Author: ausil
Update of /cvs/extras/rpms/snort/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2304
Modified Files:
snort.spec
Added Files:
snort-2.4.4-demarc-patch.diff
Log Message:
fix CVE-2006-2769 and bug #190102
snort-2.4.4-demarc-patch.diff:
--- NEW FILE snort-2.4.4-demarc-patch.diff ---
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c
--- snort-2.4.4/src/preprocessors/HttpInspect/client/hi_client.c 2005-03-16 13:52:18.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/client/hi_client.c 2006-05-30 22:54:44.000000000 -0700
@@ -40,6 +40,7 @@
#define URI_END 1
#define NO_URI -1
+#define CR_IN_URI 18
#define INVALID_HEX_VAL -1
/**
@@ -455,6 +456,11 @@
return URI_END;
}
+ if(isspace(**ptr) )
+ {
+ return CR_IN_URI;
+ }
+
return NO_URI;
}
@@ -1345,8 +1351,21 @@
*/
break;
}
+ else if(iRet == CR_IN_URI)
+ {
+ if(hi_eo_generate_event(Session,ServerConf->non_std_cr.alert))
+ {
+ hi_eo_client_event_log(Session,ServerConf->non_std_cr.alert,
+ NULL, NULL);
+ }
+ break;
+ }
+
+
+
else /* NO_URI */
{
+
/*
** Check for chunk encoding, because the delimiter can
** also be a space, which would look like a pipeline request
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c
--- snort-2.4.4/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2004-03-11 14:25:53.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/event_output/hi_eo_log.c 2006-05-30 10:27:49.000000000 -0700
@@ -64,7 +64,9 @@
{HI_EO_CLIENT_PROXY_USE, HI_EO_LOW_PRIORITY,
HI_EO_CLIENT_PROXY_USE_STR },
{HI_EO_CLIENT_WEBROOT_DIR, HI_EO_HIGH_PRIORITY,
- HI_EO_CLIENT_WEBROOT_DIR_STR }
+ HI_EO_CLIENT_WEBROOT_DIR_STR },
+ { HI_EO_CLIENT_CR_IN_URI, HI_EO_MED_PRIORITY,
+ HI_EO_CLIENT_CR_IN_URI_STR },
};
static HI_EVENT_INFO anom_server_event_info[HI_EO_ANOM_SERVER_EVENT_NUM] = {
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h
--- snort-2.4.4/src/preprocessors/HttpInspect/include/hi_eo_events.h 2004-03-11 14:25:53.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_eo_events.h 2006-05-25 13:01:08.000000000 -0700
@@ -24,13 +24,14 @@
#define HI_EO_CLIENT_LARGE_CHUNK 15 /* done */
#define HI_EO_CLIENT_PROXY_USE 16 /* done */
#define HI_EO_CLIENT_WEBROOT_DIR 17 /* done */
+#define HI_EO_CLIENT_CR_IN_URI 18 /* done */
/*
** IMPORTANT:
** Every time you add a client event, this number must be
** incremented.
*/
-#define HI_EO_CLIENT_EVENT_NUM 18
+#define HI_EO_CLIENT_EVENT_NUM 19
/*
** These defines are the alert names for each event
@@ -71,6 +72,8 @@
"(http_inspect) UNAUTHORIZED PROXY USE DETECTED"
#define HI_EO_CLIENT_WEBROOT_DIR_STR \
"(http_inspect) WEBROOT DIRECTORY TRAVERSAL"
+#define HI_EO_CLIENT_CR_IN_URI_STR \
+ "(http_inspect) NON-STD CARRIAGE RETURN IN URI"
/*
** Anomalous Server Events
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h
--- snort-2.4.4/src/preprocessors/HttpInspect/include/hi_ui_config.h 2005-03-16 13:52:18.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/include/hi_ui_config.h 2006-05-30 09:44:18.000000000 -0700
@@ -113,6 +113,7 @@
HTTPINSPECT_CONF_OPT webroot;
HTTPINSPECT_CONF_OPT apache_whitespace;
HTTPINSPECT_CONF_OPT iis_delimiter;
+ HTTPINSPECT_CONF_OPT non_std_cr;
} HTTPINSPECT_CONF;
diff -Nuar snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c
--- snort-2.4.4/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2005-03-16 13:52:19.000000000 -0800
+++ snort-2.4.4-demarc/src/preprocessors/HttpInspect/user_interface/hi_ui_config.c 2006-05-30 23:00:25.000000000 -0700
@@ -117,6 +117,9 @@
GlobalConf->global_server.non_strict = 1;
+ GlobalConf->global_server.non_std_cr.on = 1;
+ GlobalConf->global_server.non_std_cr.alert = 1;
+
return HI_SUCCESS;
}
@@ -209,6 +212,9 @@
ServerConf->tab_uri_delimiter = 1;
+ ServerConf->non_std_cr.on = 1;
+ ServerConf->non_std_cr.alert = 1;
+
return HI_SUCCESS;
}
@@ -279,6 +285,9 @@
ServerConf->non_strict = 1;
+ ServerConf->non_std_cr.on = 1;
+ ServerConf->non_std_cr.alert = 1;
+
return HI_SUCCESS;
}
@@ -349,6 +358,9 @@
ServerConf->tab_uri_delimiter = 1;
+ ServerConf->non_std_cr.on = 1;
+ ServerConf->non_std_cr.alert = 1;
+
return HI_SUCCESS;
}
diff -Nuar snort-2.4.4/src/preprocessors/snort_httpinspect.c snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c
--- snort-2.4.4/src/preprocessors/snort_httpinspect.c 2005-08-23 08:52:19.000000000 -0700
+++ snort-2.4.4-demarc/src/preprocessors/snort_httpinspect.c 2006-05-30 10:33:54.000000000 -0700
@@ -134,6 +134,7 @@
#define GLOBAL_ALERT "no_alerts"
#define WEBROOT "webroot"
#define TAB_URI_DELIMITER "tab_uri_delimiter"
+#define NON_STD_CR "non_std_cr"
/*
** Alert subkeywords
@@ -1449,6 +1450,15 @@
return iRet;
}
}
+ else if(!strcmp(NON_STD_CR, pcToken))
+ {
+ ConfOpt = &ServerConf->non_std_cr;
+ if((iRet = ProcessConfOpt(ConfOpt, NON_STD_CR,
+ ErrorString, ErrStrLen)))
+ {
+ return iRet;
+ }
+ }
else if(!strcmp(IIS_BACKSLASH, pcToken))
{
ConfOpt = &ServerConf->iis_backslash;
@@ -1583,6 +1593,7 @@
PrintConfOpt(&ServerConf->webroot, "Web Root Traversal");
PrintConfOpt(&ServerConf->apache_whitespace, "Apache WhiteSpace");
PrintConfOpt(&ServerConf->iis_delimiter, "IIS Delimiter");
+ PrintConfOpt(&ServerConf->non_std_cr, "Non-Std Carriage Return");
if(ServerConf->iis_unicode_map_filename)
{
Index: snort.spec
===================================================================
RCS file: /cvs/extras/rpms/snort/devel/snort.spec,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- snort.spec 31 Mar 2006 12:57:48 -0000 1.9
+++ snort.spec 2 Jun 2006 15:25:20 -0000 1.10
@@ -1,13 +1,14 @@
Summary: Intrusion detection system
Name: snort
Version: 2.4.4
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPL
Group: Applications/Internet
Source0: http://www.snort.org/dl/current/snort-%{version}.tar.gz
Source1: snortd
Source2: README.fedora
-Patch: snort-2.4.3-configure64.patch
+Patch0: snort-2.4.3-configure64.patch
+Patch1: snort-2.4.4-demarc-patch.diff
Url: http://www.snort.org
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Prefix: /usr
@@ -149,7 +150,7 @@
%prep
%setup -q
%patch0 -p1 -b .config
-
+%patch1 -p1 -b .uricontent
cp %{SOURCE2} doc/
%build
@@ -353,7 +354,7 @@
%post snmp+flexresp
-if [ -L %{_sbindir}/snort ] || [ ! -e %{_sbindir}/snort ] ; then ln -sf %{_sbindir}/snort-sfnmp+flexresp %{_sbindir}/snort; fi
+if [ -L %{_sbindir}/snort ] || [ ! -e %{_sbindir}/snort ] ; then ln -sf %{_sbindir}/snort-snmp+flexresp %{_sbindir}/snort; fi
%post bloat
@@ -397,6 +398,11 @@
%changelog
+* Fri Jun 02 2006 Dennis Gilmore <dennis at ausil.us> - 2.4.4-4
+- fix CVE-2006-2769
+ Snort URIContent Rules Detection Evasion Vulnerability
+- fix bug #190102
+
* Fri Mar 31 2006 Dennis Gilmore <dennis at ausil.us> - 2.4.4-3
- make initscript not a config file
- own /etc/snort
More information about the fedora-extras-commits
mailing list