CVE-2009-3641: DoS while printing specially-crafted IPv6 packet using the -v option

Related Vulnerabilities: CVE-2009-3641  

Debian Bug report logs - #553584


Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Sun, 1 Nov 2009 09:57:02 UTC

Severity: minor

Tags: ipv6, security

Fixed in version snort/2.9.2-1

Done: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
Bug#553584; Package snort. (Sun, 01 Nov 2009 09:57:09 GMT).


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>. (Sun, 01 Nov 2009 09:57:10 GMT).


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-3641: DoS while printing specially-crafted IPv6 packet using the -v option
Date: Sun, 01 Nov 2009 10:41:20 +0100
Package: snort
Severity: grave
Tags: security




Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for snort.

CVE-2009-3641[0]:
| Snort before 2.8.5.1, when the -v option is enabled, allows remote
| attackers to cause a denial of service (application crash) via a
| crafted IPv6 packet that uses the (1) TCP or (2) ICMP protocol.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3641
    http://security-tracker.debian.org/tracker/CVE-2009-3641






Severity set to 'minor' from 'grave' Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org. (Mon, 11 Jan 2010 23:12:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
Bug#553584; Package snort. (Mon, 11 Jan 2010 23:18:11 GMT).


Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>. (Mon, 11 Jan 2010 23:18:11 GMT).


Message #12 received at 553584@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Giuseppe Iuculano <iuculano@debian.org>, 553584@bugs.debian.org
Subject: Re: Bug#553584: CVE-2009-3641: DoS while printing specially-crafted IPv6 packet using the -v option
Date: Tue, 12 Jan 2010 00:15:28 +0100
On Sun, Nov 01, 2009 at 10:41:20AM +0100, Giuseppe Iuculano wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for snort.
> 
> CVE-2009-3641[0]:
> | Snort before 2.8.5.1, when the -v option is enabled, allows remote
> | attackers to cause a denial of service (application crash) via a
> | crafted IPv6 packet that uses the (1) TCP or (2) ICMP protocol.

On review, the Snort packages provided by Debian are *not* vulnerable to this
bug. We do not enable IPv6 support in Snort, as we don't compile it with
IPv6 support (--enable-ipv6 flag). The DoS can only be exploited if IPv6
support has been compiled in (and even so, in a non-standard configuration
that Snort packages do not use).

Consequently, I'm downgrading the severity of the bug and will fix it with
the next upstream release I package (2.8.5.x) once I fix the building issues
I have with this next release.

As this bug is not relevant to us (it exists in the source code but it is not
exploitable) I'm not inclined to dig up the patch from the sources (the
Snort team merged the fix with a new upstream release, they did not produce a
separate patch) and fix the stable and oldstable releases. If the Security
Team believes this merits a DSA for stable and oldstable, I will work on
fixing the released versions through a specific patch.

Regards,

Javier

[1] http://seclists.org/fulldisclosure/2009/Oct/299
[signature.asc (application/pgp-signature, inline)]
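
The exploitability conditions named in this thread (upstream version before 2.8.5.1, a build configured with `--enable-ipv6`, and Snort run with `-v`) can be checked together, as in this added example, which is not part of the original messages or of the Debian or Snort projects. The function names, configure arguments and command lines are constructed for illustration, and the version comparison assumes GNU `sort -V`.

```shell
# Added triage sketch for CVE-2009-3641; all sample inputs are constructed.
FIXED_IN="2.8.5.1"   # from the CVE text: "Snort before 2.8.5.1"

# Strip a Debian epoch ("1:") and revision ("-6") to get the upstream version.
upstream_version() {
    v=${1#*:}
    case $v in *-*) v=${v%-*} ;; esac
    printf '%s\n' "$v"
}

# Succeed when version $1 sorts strictly before version $2 (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Succeed when the space-separated configure arguments ($1) contain
# the exact flag --enable-ipv6 (so --disable-ipv6 does not match).
has_ipv6_build() {
    case " $1 " in *" --enable-ipv6 "*) return 0 ;; esac
    return 1
}

# Succeed when the command line ($1) has -v, alone or in a cluster such as -vde.
# Conservative: a cluster like -iveth0 also matches, so this may over-report.
has_verbose_flag() {
    for arg in $1; do
        case $arg in
            --*) ;;
            -*v*) return 0 ;;
        esac
    done
    return 1
}

# triage VERSION CONFIGURE_ARGS COMMAND_LINE: prints a one-line verdict.
triage_cve_2009_3641() {
    ver=$(upstream_version "$1")
    if ! version_lt "$ver" "$FIXED_IN"; then
        echo "not affected: $ver is not before $FIXED_IN"
    elif ! has_ipv6_build "$2"; then
        echo "not exploitable: built without --enable-ipv6"
    elif ! has_verbose_flag "$3"; then
        echo "not exploitable: -v not in use"
    else
        echo "exposed: upgrade or drop -v"
    fi
}

# Constructed input resembling the Debian case discussed above.
triage_cve_2009_3641 "2.8.4.1-6" "--prefix=/usr" "snort -v -i eth0"
```
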

Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
Bug#553584; Package snort. (Mon, 11 Jan 2010 23:42:03 GMT).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>. (Mon, 11 Jan 2010 23:42:03 GMT).


Message #17 received at 553584@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 564248@bugs.debian.org, 553584@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#564248: RM: snort/2.8.4.1-6
Date: Mon, 11 Jan 2010 18:45:50 -0500
On Tue, 12 Jan 2010 00:11:15 +0100, Javier Fernández-Sanguino Peña
wrote:
> severity 553584 minor
> retitle CVE-2009-3641: Possible DoS using specially-crafted IPv6 packets if package is recompiled with IPv6 support 
> thanks
> 
> 
> On Fri, Jan 08, 2010 at 08:42:21PM +0100, Raphael Hertzog wrote:
> > Hi,
> > 
> > On Fri, 08 Jan 2010, Moritz Muehlenhoff wrote:
> > > Please remove snort from testing. It has an open security bug, which hasn't
> > > been acknowledged for more than two months.
> > 
> > I'm a bit worried that we remove (popular) software from testing instead
> > of fixing the underlying problem.
> 
> On review. The Snort packages provided by Debian are *not* vulnerable to this
> bug. We do not enable IPv6 support in Snort, as we don't compile with
> --enable-ipv6 (!)
> 
> Did somebody from the Security Team actually read the full disclosure report
> [1] and test whether the vulnerability was actually there?
> 
> I'm downgrading the severity of the bug and will fix it with the next
> upstream release.
> 
> Security Team, please let me know if you consider this bug merits a DSA for
> stable and oldstable, (I don't think it does as they are not affected unless
> the package is recompiled).

It is often the case that the security team does not have the manpower
and time to fully triage issues when they come in since the volume is
just so high; so the issues are handed off to the maintainer (such as
in this case).

I have recently implemented new functionality in the security tracker
to better handle such partially triaged issues.  However, that info is
not automatically conveyed by the current bug reporting utilities.  It
is at present the responsibility of the reporter to explain to the
maintainer what has and has not been done, which was not done in this
case.

Perhaps in the future I will have some time to improve the automated
tools so that they include notes based on tracker status (since humans
have a tendency to make mistakes, which isn't a bad thing, it's just a
fact of life).  This would ensure that sufficient status information is
included in these reports.

Mike




Added tag(s) ipv6. Request was from Simon Paillard <simon.paillard@resel.enst-bretagne.fr> to control@bugs.debian.org. (Sat, 16 Jan 2010 19:48:15 GMT).


Severity set to 'serious' from 'minor' Request was from Clint Adams <schizo@debian.org> to control@bugs.debian.org. (Tue, 23 Mar 2010 01:03:41 GMT).


Severity set to 'minor' from 'serious' Request was from Gerfried Fuchs <rhonda@deb.at> to control@bugs.debian.org. (Tue, 23 Mar 2010 08:30:42 GMT).


Reply sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
You have taken responsibility. (Fri, 13 Jan 2012 22:51:03 GMT).


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Fri, 13 Jan 2012 22:51:03 GMT).


Message #28 received at 553584-close@bugs.debian.org:

From: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
To: 553584-close@bugs.debian.org
Subject: Bug#553584: fixed in snort 2.9.2-1
Date: Fri, 13 Jan 2012 22:49:57 +0000
Source: snort
Source-Version: 2.9.2-1

We believe that the bug you reported is fixed in the latest version of
snort, which is due to be installed in the Debian FTP archive:

snort-common-libraries_2.9.2-1_i386.deb
  to main/s/snort/snort-common-libraries_2.9.2-1_i386.deb
snort-common_2.9.2-1_all.deb
  to main/s/snort/snort-common_2.9.2-1_all.deb
snort-doc_2.9.2-1_all.deb
  to main/s/snort/snort-doc_2.9.2-1_all.deb
snort-mysql_2.9.2-1_i386.deb
  to main/s/snort/snort-mysql_2.9.2-1_i386.deb
snort-pgsql_2.9.2-1_i386.deb
  to main/s/snort/snort-pgsql_2.9.2-1_i386.deb
snort-rules-default_2.9.2-1_all.deb
  to main/s/snort/snort-rules-default_2.9.2-1_all.deb
snort_2.9.2-1.debian.tar.gz
  to main/s/snort/snort_2.9.2-1.debian.tar.gz
snort_2.9.2-1.dsc
  to main/s/snort/snort_2.9.2-1.dsc
snort_2.9.2-1_i386.deb
  to main/s/snort/snort_2.9.2-1_i386.deb
snort_2.9.2.orig.tar.gz
  to main/s/snort/snort_2.9.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 553584@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@debian.org> (supplier of updated snort package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 13 Jan 2012 21:54:25 +0100
Source: snort
Binary: snort snort-common snort-doc snort-mysql snort-pgsql snort-rules-default snort-common-libraries
Architecture: source i386 all
Version: 2.9.2-1
Distribution: unstable
Urgency: low
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
Description: 
 snort      - flexible Network Intrusion Detection System
 snort-common - flexible Network Intrusion Detection System [common files]
 snort-common-libraries - flexible Network Intrusion Detection System ruleset
 snort-doc  - Documentation for the Snort IDS [documentation]
 snort-mysql - flexible Network Intrusion Detection System [MySQL]
 snort-pgsql - flexible Network Intrusion Detection System [PostgreSQL]
 snort-rules-default - flexible Network Intrusion Detection System ruleset
Closes: 553584 577033 590061 631854 634660 638678 646547 654239
Changes: 
 snort (2.9.2-1) unstable; urgency=low
 .
   [ Andrew Pollock ]
   * New upstream release, upload to unstable
      - Fixes CVE-2009-3641: DoS while printing specially-crafted IPv6 packet
        using the -v option (Closes: 553584)
      - The package no longer build-depends on iptables-dev and the negated list
        of architectures is no longer used (Closes: 634660)
   * Switch to dpkg-source 3.0 (quilt) format
   * Port across all changes from Snort 2.8.5.2-5 and later in unstable
   * debian/snort.postinst: create the directory that the checksum for
     snort.debian.conf will be created in if it doesn't already exist
   * debian/rules: tell dh_makeshlibs to not call ldconfig in the
     preinst/postinst of snort-common-libraries
   * debian/rules: don't install README.WIN32 into snort-doc
 .
   [ Javier Fernandez-Sanguino Peña ]
   * debian/rules:
      - Set enable-zlib when configuring all packages to force it to be
        enabled as this is required by the http_inspect preprocessor which
        is enabled by default (Closes: #631854)
      - Included (commented) the patch provided by Clint Byrum and included in
        Ubuntu to prevent snort from FTFS with libmysqlclient-dev which will be
        multiarch in the future. The patch uses mysql_config to find libraries
        to fix FTBFS with multiarch libmysqlclient. Not enabled since the
        version of libmysqlclient in unstable currently does not support the
        --variable=pkglibdir option
   * debian/snort{,-inline}.config: Use LC_ALL=C when calling ifconfig to make
     the postinst work when ifconfig's output is internationalised (Closes: 577033)
   * debian/control: Fix link in the rules package, point to
     http://www.snort.org/snort-rules/ (Closes: 646547)
   * debian/my/snort-stat: Modify so that alerts with Priority but without classification
     are analysed when parsing syslog information. Also set the class to 'Undefined'
     instead of leaving it empty. (Closes: 590061)
   * po-debconf translation updates:
     - Danish, provided by Joe Dalton (Closes: 638678)
     - Dutch, provided by Jeroen Schot (Closes: 654239)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Feb 2012 07:41:51 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:21:39 2019; Machine Name: beach
