Conectiva Information for VU#139129

Heap overflow in Snort "stream4" preprocessor

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : snort
SUMMARY   : Vulnerability in the stream4 preprocessor
DATE      : 2003-05-06 21:44:00
ID        : CLA-2003:642
RELEVANT
RELEASES  : 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
Snort is an Open Source Network Intrusion Detection System (NIDS).


Core Security has discovered[1] a remotely exploitable integer
overflow vulnerability in Snort. It resides in the stream4
preprocessor, which is responsible for normalizing TCP traffic before
its analysis by the rules processor.


A remote attacker able to insert specially crafted TCP traffic in the
network being monitored by snort may crash the sensor or execute
arbitrary code in its context, which is run by the root user.


The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0209 to this issue[2].


Since the stream4 preprocessor is present only in snort versions >=
1.8, users of Conectiva Linux versions 6.0 and 7.0 are not vulnerable
to this attack.


Additionally, a preventive fix for a possible problem with the use of
the memcpy() function in the frag2 preprocessor code was added[3].


IMPORTANT: Please note that this update includes snort 1.9.1. The
snort version originally distributed with Conectiva Linux 8 was
1.8.4b1 (already updated to 1.9.1 in the last snort security[4]
announcement). Since several components have changed in snort 1.9.1,
the old snort.conf file and the alerts database need some small
changes in order to work with this new version. Instructions about
how to smoothly upgrade from 1.8.4b1 are available in the package
documentation and in our last snort security announcement[4],
released on 04/04/2003.



SOLUTION
All snort users should upgrade.



REFERENCES:
1. http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0209
3. http://sourceforge.net/mailarchive/message.php?msg_id=4457321
4. http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000613



UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/snort-1.9.1-1U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/snort-1.9.1-1U80_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/snort-1.9.1-27951U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/snort-1.9.1-27951U90_2cl.src.rpm


ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:


- run:                 apt-get update
- after that, execute: apt-get upgrade


Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+uFdH42jd0JmAcZARArwgAKDE+fRKY03JkA3kDE3az3gEcUm5LgCg3KLt
llQNn3eE5epnkGnwvflmFL0=
=1oGg
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.