TUCoPS :: Linux :: Debian :: dsa-297.htm

snort - integer overflow, buffer overflow

Debian Security Advisory

DSA-297-1 snort -- integer overflow, buffer overflow

Date Reported:
01 May 2003
Affected Packages:
snort
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 7178, BugTraq ID 6963.
In Mitre's CVE dictionary: CAN-2003-0033, CAN-2003-0209.
CERT's vulnerabilities, advisories and incident notes: VU#139129, VU#916785.
More information:

Two vulnerabilities have been discovered in Snort, a popular network intrusion detection system. Snort comes with modules and plugins that perform a variety of functions such as protocol analysis. The following issues have been identified:

Heap overflow in Snort "stream4" preprocessor
(VU#139129, CAN-2003-0209, Bugtraq Id 7178)
Researchers at CORE Security Technologies have discovered a remotely exploitable integer overflow that results in overwriting the heap in the "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis. An attacker could insert arbitrary code that would be executed as the user running Snort, probably root.
Buffer overflow in Snort RPC preprocessor
(VU#916785, CAN-2003-0033, Bugtraq Id 6963)
Researchers at Internet Security Systems X-Force have discovered a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Snort incorrectly checks the lengths of what is being normalized against the current packet size. An attacker could exploit this to execute arbitrary code under the privileges of the Snort process, probably root.

For the stable distribution (woody) these problems have been fixed in version 1.8.4beta1-3.1.

The old stable distribution (potato) is not affected by these problems since it doesn't contain the problematic code.

For the unstable distribution (sid) these problems have been fixed in version 2.0.0-1.

We recommend that you upgrade your snort package immediately.

You are also advised to upgrade to the most recent version of Snort, since Snort, as any intrusion detection system, is rather useless if it is based on old and out-dated data and not kept up to date. Such installations would be unable to detect intrusions using modern methods. The current version of Snort is 2.0.0, while the version in the stable distribution (1.8) is quite old and the one in the old stable distribution is beyond hope.

Since Debian does not update arbitrary packages in stable releases, even Snort is not going to see updates other than to fix security problems, you are advised to upgrade to the most recent version from third party sources.

The Debian maintainer for Snort provides backported up-to-date packages for woody (stable) and potato (oldstable) for cases where you cannot upgrade your entire system. These packages are untested, though and only exist for the i386 architecture:

deb     http://people.debian.org/~ssmeenk/snort-stable-i386/ ./
deb-src http://people.debian.org/~ssmeenk/snort-stable-i386/ ./

deb     http://people.debian.org/~ssmeenk/snort-oldstable-i386/ ./
deb-src http://people.debian.org/~ssmeenk/snort-oldstable-i386/ ./
Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1.dsc
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1.diff.gz
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/s/snort/snort-doc_1.8.4beta1-3.1_all.deb
http://security.debian.org/pool/updates/main/s/snort/snort-rules-default_1.8.4beta1-3.1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_alpha.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_alpha.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_arm.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_arm.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_i386.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_i386.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_ia64.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_ia64.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_hppa.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_hppa.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_m68k.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_m68k.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_mips.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_mips.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_mipsel.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_mipsel.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_powerpc.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_powerpc.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_s390.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_s390.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/s/snort/snort_1.8.4beta1-3.1_sparc.deb
http://security.debian.org/pool/updates/main/s/snort/snort-common_1.8.4beta1-3.1_sparc.deb
http://security.debian.org/pool/updates/main/s/snort/snort-mysql_1.8.4beta1-3.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH