* [Buildroot] [PATCH v2, 1/1] package/suricata: security bump to version 6.0.14
@ 2023-09-28 16:51 Fabrice Fontaine
2023-09-28 21:04 ` Yann E. MORIN
2023-10-01 18:28 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2023-09-28 16:51 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
- Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
adversary who controls an external source of rules), a dataset
filename, that comes from a rule, may trigger absolute or relative
directory traversal, and lead to write access to a local filesystem.
This is addressed in 6.0.13 by requiring allow-absolute-filenames and
allow-write (in the datasets rules configuration section) if an
installation requires traversal/writing in this situation.
- Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
controls an external source of Lua rules may be able to execute Lua
code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
is true in the security lua configuration section.
- Drop first patch (not needed since
https://github.com/OISF/suricata/commit/c8a3aa608eaae1acbaf33dba8a7c1a3cbfeb4285)
https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2 (after review of Peter Korsgaard):
- Do not wrongly delete second patch
.checkpackageignore | 3 +-
...ow-the-user-to-override-RUST_TARGET.patch} | 0
...ure-proper-shabang-on-python-scripts.patch | 47 -------------------
package/suricata/suricata.hash | 2 +-
package/suricata/suricata.mk | 5 +-
5 files changed, 4 insertions(+), 53 deletions(-)
rename package/suricata/{0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch => 0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch} (100%)
delete mode 100644 package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
diff --git a/.checkpackageignore b/.checkpackageignore
index ecb8609ee9..0c7fae9409 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1355,8 +1355,7 @@ package/statserial/0001-ncurses-link.patch Upstream
package/stunnel/S50stunnel Indent Shellcheck Variables
package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
package/supervisor/S99supervisord Variables
-package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch Upstream
-package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
+package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
package/suricata/S99suricata Shellcheck
package/swupdate/swupdate.sh Shellcheck
package/sylpheed/0001-harden-link-checker-before-accepting-click.patch Upstream
diff --git a/package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch b/package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
similarity index 100%
rename from package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
rename to package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
diff --git a/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch b/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
deleted file mode 100644
index 424b30d317..0000000000
--- a/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 44fe2328b715db25134ee095526d2fa47e6cd834 Mon Sep 17 00:00:00 2001
-From: "Yann E. MORIN" <yann.morin.1998@free.fr>
-Date: Wed, 1 Jan 2020 15:25:57 +0100
-Subject: [PATCH] python: ensure proper shabang on python scripts
-
-When instlling python scripts, distutils would use the python used to
-run setup.py as shabang for the scripts it installs.
-
-However, when cross-compiling, this is most often not correct.
-
-Instead, using '/usr/bin/env python' is guaranteed to find the proper
-python in the PATH, so we need to instruct setyup.py to use that as the
-executable.
-
-[yann.morin.1998@free.fr:
- - author did not provide their SoB, but it's simple enough to
- not require it for once
- - provide proper commit log
-]
-Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
-[Fabrice: update for 6.0.0]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- python/Makefile.am | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/python/Makefile.am b/python/Makefile.am
-index 59d195f29..a41604f72 100644
---- a/python/Makefile.am
-+++ b/python/Makefile.am
-@@ -6,11 +6,11 @@ EXTRA_DIST = setup.py \
- if HAVE_PYTHON_DISTUTILS
- all-local:
- cd $(srcdir) && \
-- $(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)"
-+ $(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)"
-
- install-exec-local:
- cd $(srcdir) && \
-- $(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)" \
-+ $(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)" \
- install --prefix $(DESTDIR)$(prefix)
-
- uninstall-local:
---
-2.20.1
-
diff --git a/package/suricata/suricata.hash b/package/suricata/suricata.hash
index 38ab5e9cd3..49341984a2 100644
--- a/package/suricata/suricata.hash
+++ b/package/suricata/suricata.hash
@@ -1,5 +1,5 @@
# Locally computed:
-sha256 00173634fa76aee636e38a90b1c02616c903e42173107d47b4114960b5fbe839 suricata-6.0.6.tar.gz
+sha256 cfa93de900d0fd8ba67c79fddec58fb7afb8f6c45b0773040035a15407b796ce suricata-6.0.14.tar.gz
# Hash for license files:
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
diff --git a/package/suricata/suricata.mk b/package/suricata/suricata.mk
index 72b72cc94d..2aa5a0c5ed 100644
--- a/package/suricata/suricata.mk
+++ b/package/suricata/suricata.mk
@@ -4,13 +4,12 @@
#
################################################################################
-SURICATA_VERSION = 6.0.6
+SURICATA_VERSION = 6.0.14
SURICATA_SITE = https://www.openinfosecfoundation.org/download
SURICATA_LICENSE = GPL-2.0
SURICATA_LICENSE_FILES = COPYING LICENSE
SURICATA_CPE_ID_VENDOR = oisf
-# 0001-python-ensure-proper-shabang-on-python-scripts.patch
-# 0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
+# 0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
SURICATA_AUTORECONF = YES
SURICATA_DEPENDENCIES = \
--
2.40.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH v2, 1/1] package/suricata: security bump to version 6.0.14
2023-09-28 16:51 [Buildroot] [PATCH v2, 1/1] package/suricata: security bump to version 6.0.14 Fabrice Fontaine
@ 2023-09-28 21:04 ` Yann E. MORIN
2023-10-01 18:28 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2023-09-28 21:04 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
Fabrice, All,
On 2023-09-28 18:51 +0200, Fabrice Fontaine spake thusly:
> - Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
> adversary who controls an external source of rules), a dataset
> filename, that comes from a rule, may trigger absolute or relative
> directory traversal, and lead to write access to a local filesystem.
> This is addressed in 6.0.13 by requiring allow-absolute-filenames and
> allow-write (in the datasets rules configuration section) if an
> installation requires traversal/writing in this situation.
> - Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
> controls an external source of Lua rules may be able to execute Lua
> code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
> is true in the security lua configuration section.
> - Drop first patch (not needed since
> https://github.com/OISF/suricata/commit/c8a3aa608eaae1acbaf33dba8a7c1a3cbfeb4285)
>
> https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> Changes v1 -> v2 (after review of Peter Korsgaard):
> - Do not wrongly delete second patch
>
> .checkpackageignore | 3 +-
> ...ow-the-user-to-override-RUST_TARGET.patch} | 0
> ...ure-proper-shabang-on-python-scripts.patch | 47 -------------------
> package/suricata/suricata.hash | 2 +-
> package/suricata/suricata.mk | 5 +-
> 5 files changed, 4 insertions(+), 53 deletions(-)
> rename package/suricata/{0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch => 0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch} (100%)
> delete mode 100644 package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index ecb8609ee9..0c7fae9409 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1355,8 +1355,7 @@ package/statserial/0001-ncurses-link.patch Upstream
> package/stunnel/S50stunnel Indent Shellcheck Variables
> package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
> package/supervisor/S99supervisord Variables
> -package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch Upstream
> -package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
> +package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
> package/suricata/S99suricata Shellcheck
> package/swupdate/swupdate.sh Shellcheck
> package/sylpheed/0001-harden-link-checker-before-accepting-click.patch Upstream
> diff --git a/package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch b/package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
> similarity index 100%
> rename from package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
> rename to package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
> diff --git a/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch b/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
> deleted file mode 100644
> index 424b30d317..0000000000
> --- a/package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 44fe2328b715db25134ee095526d2fa47e6cd834 Mon Sep 17 00:00:00 2001
> -From: "Yann E. MORIN" <yann.morin.1998@free.fr>
> -Date: Wed, 1 Jan 2020 15:25:57 +0100
> -Subject: [PATCH] python: ensure proper shabang on python scripts
> -
> -When instlling python scripts, distutils would use the python used to
> -run setup.py as shabang for the scripts it installs.
> -
> -However, when cross-compiling, this is most often not correct.
> -
> -Instead, using '/usr/bin/env python' is guaranteed to find the proper
> -python in the PATH, so we need to instruct setyup.py to use that as the
> -executable.
> -
> -[yann.morin.1998@free.fr:
> - - author did not provide their SoB, but it's simple enough to
> - not require it for once
> - - provide proper commit log
> -]
> -Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
> -[Fabrice: update for 6.0.0]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - python/Makefile.am | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/python/Makefile.am b/python/Makefile.am
> -index 59d195f29..a41604f72 100644
> ---- a/python/Makefile.am
> -+++ b/python/Makefile.am
> -@@ -6,11 +6,11 @@ EXTRA_DIST = setup.py \
> - if HAVE_PYTHON_DISTUTILS
> - all-local:
> - cd $(srcdir) && \
> -- $(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)"
> -+ $(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)"
> -
> - install-exec-local:
> - cd $(srcdir) && \
> -- $(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)" \
> -+ $(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)" \
> - install --prefix $(DESTDIR)$(prefix)
> -
> - uninstall-local:
> ---
> -2.20.1
> -
> diff --git a/package/suricata/suricata.hash b/package/suricata/suricata.hash
> index 38ab5e9cd3..49341984a2 100644
> --- a/package/suricata/suricata.hash
> +++ b/package/suricata/suricata.hash
> @@ -1,5 +1,5 @@
> # Locally computed:
> -sha256 00173634fa76aee636e38a90b1c02616c903e42173107d47b4114960b5fbe839 suricata-6.0.6.tar.gz
> +sha256 cfa93de900d0fd8ba67c79fddec58fb7afb8f6c45b0773040035a15407b796ce suricata-6.0.14.tar.gz
>
> # Hash for license files:
> sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
> diff --git a/package/suricata/suricata.mk b/package/suricata/suricata.mk
> index 72b72cc94d..2aa5a0c5ed 100644
> --- a/package/suricata/suricata.mk
> +++ b/package/suricata/suricata.mk
> @@ -4,13 +4,12 @@
> #
> ################################################################################
>
> -SURICATA_VERSION = 6.0.6
> +SURICATA_VERSION = 6.0.14
> SURICATA_SITE = https://www.openinfosecfoundation.org/download
> SURICATA_LICENSE = GPL-2.0
> SURICATA_LICENSE_FILES = COPYING LICENSE
> SURICATA_CPE_ID_VENDOR = oisf
> -# 0001-python-ensure-proper-shabang-on-python-scripts.patch
> -# 0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
> +# 0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
> SURICATA_AUTORECONF = YES
>
> SURICATA_DEPENDENCIES = \
> --
> 2.40.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH v2, 1/1] package/suricata: security bump to version 6.0.14
2023-09-28 16:51 [Buildroot] [PATCH v2, 1/1] package/suricata: security bump to version 6.0.14 Fabrice Fontaine
2023-09-28 21:04 ` Yann E. MORIN
@ 2023-10-01 18:28 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-10-01 18:28 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
> adversary who controls an external source of rules), a dataset
> filename, that comes from a rule, may trigger absolute or relative
> directory traversal, and lead to write access to a local filesystem.
> This is addressed in 6.0.13 by requiring allow-absolute-filenames and
> allow-write (in the datasets rules configuration section) if an
> installation requires traversal/writing in this situation.
> - Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
> controls an external source of Lua rules may be able to execute Lua
> code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
> is true in the security lua configuration section.
> - Drop first patch (not needed since
> https://github.com/OISF/suricata/commit/c8a3aa608eaae1acbaf33dba8a7c1a3cbfeb4285)
> https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2 (after review of Peter Korsgaard):
> - Do not wrongly delete second patch
Committed to 2023.02.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-10-01 18:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-28 16:51 [Buildroot] [PATCH v2, 1/1] package/suricata: security bump to version 6.0.14 Fabrice Fontaine
2023-09-28 21:04 ` Yann E. MORIN
2023-10-01 18:28 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox