From patchwork Sun Nov 23 23:44:41 2025
X-Patchwork-Submitter: Scott Murray
X-Patchwork-Id: 75271
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 01/32] Update maintainers Date: Sun, 23 Nov 2025 18:44:41 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:23 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2659 Add Marta and myself as maintainers for meta-security and the other embedded layers that Armin had been maintaining. To avoid Armin getting bugged about individual recipes, set the RECIPE_MAINTAINER variables to myself. (backport from master) Signed-off-by: Scott Murray Signed-off-by: Richard Purdie --- README.md | 4 +- .../include/maintainers-meta-security.inc | 72 +++++++++---------- meta-hardening/README.md | 4 +- meta-integrity/README.md | 4 +- meta-parsec/README.md | 1 - meta-tpm/README.md | 4 +- .../distro/include/maintainers-meta-tpm.inc | 33 +++++---- 7 files changed, 64 insertions(+), 58 deletions(-) diff --git a/README.md b/README.md index 3e092a9..c657d15 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,9 @@ Now you can just do 'git send-email origin/master' to send all local patches. For pull requests, please use create-pull-request and send-pull-request. -Maintainers: Armin Kuster +Maintainers: +Scott Murray +Marta Rybczynska License diff --git a/conf/distro/include/maintainers-meta-security.inc b/conf/distro/include/maintainers-meta-security.inc index f623d70..c052695 100644 --- a/conf/distro/include/maintainers-meta-security.inc +++ b/conf/distro/include/maintainers-meta-security.inc 
@@ -19,39 +19,39 @@ # RECIPE_MAINTAINER:pn- = "Full Name " # # Please keep this list in alphabetical order. -RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster " -RECIPE_MAINTAINER:pn-apparmor = "Armin Kuster " -RECIPE_MAINTAINER:pn-bastille = "Armin Kuster " -RECIPE_MAINTAINER:pn-buck-security = "Armin Kuster " -RECIPE_MAINTAINER:pn-ccs-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-checksec = "Armin Kuster " -RECIPE_MAINTAINER:pn-checksecurity = "Armin Kuster " -RECIPE_MAINTAINER:pn-clamav = "Armin Kuster " -RECIPE_MAINTAINER:pn-ding-libs = "Armin Kuster " -RECIPE_MAINTAINER:pn-ecryptfs-utils = "Armin Kuster " -RECIPE_MAINTAINER:pn-fscryptctl = "Armin Kuster " -RECIPE_MAINTAINER:pn-google-authenticator-libpam = "Armin Kuster " -RECIPE_MAINTAINER:pn-hash-perl = "Armin Kuster " -RECIPE_MAINTAINER:pn-isic = "Armin Kuster " -RECIPE_MAINTAINER:pn-keyutils = "Armin Kuster " -RECIPE_MAINTAINER:pn-libaes-siv = "Armin Kuster " -RECIPE_MAINTAINER:pn-libgssglue = "Armin Kuster " -RECIPE_MAINTAINER:pn-libhtp = "Armin Kuster " -RECIPE_MAINTAINER:pn-libmhash = "Armin Kuster " -RECIPE_MAINTAINER:pn-libmspack = "Armin Kuster " -RECIPE_MAINTAINER:pn-lib-perl = "Armin Kuster " -RECIPE_MAINTAINER:pn-libseccomp = "Armin Kuster " -RECIPE_MAINTAINER:pn-libwhisker2-perl = "Armin Kuster " -RECIPE_MAINTAINER:pn-ncrack = "Armin Kuster " -RECIPE_MAINTAINER:pn-nikto = "Armin Kuster " -RECIPE_MAINTAINER:pn-paxctl = "Armin Kuster " -RECIPE_MAINTAINER:pn-python3-fail2ban = "Armin Kuster " -RECIPE_MAINTAINER:pn-python3-scapy = "Armin Kuster " -RECIPE_MAINTAINER:pn-python-fail2ban = "Armin Kuster " -RECIPE_MAINTAINER:pn-python-scapy = "Armin Kuster " -RECIPE_MAINTAINER:pn-redhat-security = "Armin Kuster " -RECIPE_MAINTAINER:pn-samhain = "Armin Kuster " -RECIPE_MAINTAINER:pn-smack = "Armin Kuster " -RECIPE_MAINTAINER:pn-sssd = "Armin Kuster " -RECIPE_MAINTAINER:pn-suricata = "Armin Kuster " -RECIPE_MAINTAINER:pn-tripwire = "Armin Kuster " +RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray " 
+RECIPE_MAINTAINER:pn-apparmor = "Scott Murray " +RECIPE_MAINTAINER:pn-bastille = "Scott Murray " +RECIPE_MAINTAINER:pn-buck-security = "Scott Murray " +RECIPE_MAINTAINER:pn-ccs-tools = "Scott Murray " +RECIPE_MAINTAINER:pn-checksec = "Scott Murray " +RECIPE_MAINTAINER:pn-checksecurity = "Scott Murray " +RECIPE_MAINTAINER:pn-clamav = "Scott Murray " +RECIPE_MAINTAINER:pn-ding-libs = "Scott Murray " +RECIPE_MAINTAINER:pn-ecryptfs-utils = "Scott Murray " +RECIPE_MAINTAINER:pn-fscryptctl = "Scott Murray " +RECIPE_MAINTAINER:pn-google-authenticator-libpam = "Scott Murray " +RECIPE_MAINTAINER:pn-hash-perl = "Scott Murray " +RECIPE_MAINTAINER:pn-isic = "Scott Murray " +RECIPE_MAINTAINER:pn-keyutils = "Scott Murray " +RECIPE_MAINTAINER:pn-libaes-siv = "Scott Murray " +RECIPE_MAINTAINER:pn-libgssglue = "Scott Murray " +RECIPE_MAINTAINER:pn-libhtp = "Scott Murray " +RECIPE_MAINTAINER:pn-libmhash = "Scott Murray " +RECIPE_MAINTAINER:pn-libmspack = "Scott Murray " +RECIPE_MAINTAINER:pn-lib-perl = "Scott Murray " +RECIPE_MAINTAINER:pn-libseccomp = "Scott Murray " +RECIPE_MAINTAINER:pn-libwhisker2-perl = "Scott Murray " +RECIPE_MAINTAINER:pn-ncrack = "Scott Murray " +RECIPE_MAINTAINER:pn-nikto = "Scott Murray " +RECIPE_MAINTAINER:pn-paxctl = "Scott Murray " +RECIPE_MAINTAINER:pn-python3-fail2ban = "Scott Murray " +RECIPE_MAINTAINER:pn-python3-scapy = "Scott Murray " +RECIPE_MAINTAINER:pn-python-fail2ban = "Scott Murray " +RECIPE_MAINTAINER:pn-python-scapy = "Scott Murray " +RECIPE_MAINTAINER:pn-redhat-security = "Scott Murray " +RECIPE_MAINTAINER:pn-samhain = "Scott Murray " +RECIPE_MAINTAINER:pn-smack = "Scott Murray " +RECIPE_MAINTAINER:pn-sssd = "Scott Murray " +RECIPE_MAINTAINER:pn-suricata = "Scott Murray " +RECIPE_MAINTAINER:pn-tripwire = "Scott Murray " diff --git a/meta-hardening/README.md b/meta-hardening/README.md index cc39ca4..36f269a 100644 --- a/meta-hardening/README.md +++ b/meta-hardening/README.md 
@@ -76,7 +76,9 @@ $ git config format.subjectPrefix meta-hardening][PATCH Now you can just do 'git send-email origin/master' to send all local patches. -Maintainers: Armin Kuster +Maintainers: +Scott Murray +Marta Rybczynska License ======= diff --git a/meta-integrity/README.md b/meta-integrity/README.md index c333a9f..191b8e4 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -45,7 +45,9 @@ yocto-patches@yoctoproject.org mailing list. When submitting patches that way, make sure to copy the maintainer and add a "[meta-integrity]" prefix to the subject of the mails. -Maintainer: Armin Kuster +Maintainers: +Scott Murray +Marta Rybczynska Table of Contents diff --git a/meta-parsec/README.md b/meta-parsec/README.md index 785c932..9dea718 100644 --- a/meta-parsec/README.md +++ b/meta-parsec/README.md @@ -257,7 +257,6 @@ $ git config format.subjectPrefix meta-parsec][PATCH Now you can just do 'git send-email origin/master' to send all local patches. Maintainers: Anton Antonov - Armin Kuster License diff --git a/meta-tpm/README.md b/meta-tpm/README.md index 983c753..523b284 100644 --- a/meta-tpm/README.md +++ b/meta-tpm/README.md @@ -69,7 +69,9 @@ $ git config format.subjectPrefix meta-security][PATCH Now you can just do 'git send-email origin/master' to send all local patches. -Maintainers: Armin Kuster +Maintainers: +Scott Murray +Marta Rybczynska License diff --git a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc index e7b216d..829f198 100644 --- a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc +++ b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc 
@@ -19,20 +19,19 @@ # RECIPE_MAINTAINER:pn- = "Full Name " # # Please keep this list in alphabetical order. -RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster " -RECIPE_MAINTAINER:pn-pcr-extend = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm-quote-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-libtpm = "Armin Kuster " -RECIPE_MAINTAINER:pn-trousers = "Armin Kuster " -RECIPE_MAINTAINER:pn-swtpm = "Armin Kuster " -RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-abrmd = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-totp = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-tss = "Armin Kuster " -RECIPE_MAINTAINER:pn-tpm2-tools = "Armin Kuster " -RECIPE_MAINTAINER:pn-ibmswtpm2 = "Armin Kuster " - +RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray " +RECIPE_MAINTAINER:pn-pcr-extend = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm-quote-tools = "Scott Murray " +RECIPE_MAINTAINER:pn-libtpms = "Scott Murray " +RECIPE_MAINTAINER:pn-trousers = "Scott Murray " +RECIPE_MAINTAINER:pn-swtpm = "Scott Murray " +RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm-tools = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-abrmd = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-totp = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-tss = "Scott Murray " +RECIPE_MAINTAINER:pn-tpm2-tools = "Scott Murray " +RECIPE_MAINTAINER:pn-ibmswtpm2 = "Scott Murray " From patchwork Sun Nov 23 23:44:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75270 Return-Path: X-Spam-Checker-Version: SpamAssassin 
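Review bot: In meta-tpm/conf/distro/include/maintainers-meta-tpm.inc the key `RECIPE_MAINTAINER:pn-libtpm` becomes `RECIPE_MAINTAINER:pn-libtpms`, a recipe-name change the commit message (which only talks about maintainers) does not mention; please call it out in the message so the backport history explains why the key changed. The same hunk carries `RECIPE_MAINTAINER:pn-aircrack-ng` over into the TPM list although that recipe is already assigned in conf/distro/include/maintainers-meta-security.inc, and the TPM list is still not in the alphabetical order its header comment asks for. Since every line is rewritten anyway, dropping the duplicate and sorting the entries would cost nothing here.

Review bot: The meta-parsec/README.md hunk only removes Armin Kuster and leaves Anton Antonov as the sole listed maintainer, while the README hunks for the top level, meta-hardening, meta-integrity and meta-tpm all gain Scott Murray and Marta Rybczynska. If that asymmetry is intended, a sentence in the commit message would help, because contributors use this list to decide whom to copy on meta-parsec patches.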
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 02/32] CI: update build for new CI
Date: Sun, 23 Nov 2025 18:44:42 -0500
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2660

From: Marta Rybczynska

Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
- assume that python3 and pip are installed.

Other changes:
- add logging of jobs to files
- build parsec images where appropriate
Signed-off-by: Marta Rybczynska (squashed and updated with missing master version changes) Signed-off-by: Scott Murray --- .gitlab-ci.yml | 47 +++++++++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 20 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1e82a87..5e15221 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,10 +1,13 @@ .before-my-script: &before-my-script - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error + - echo "$CI_PROJECT_DIR" >> ~/.ci_project_dir - export PATH=~/.local/bin:$PATH - - wget https://bootstrap.pypa.io/get-pip.py - - python3 get-pip.py + - python3 -m venv ~/kas_env/ + - source ~/kas_env/bin/activate - python3 -m pip install kas + - mkdir -p $CI_PROJECT_DIR/build/tmp/log/error-report/ + - mkdir -p $CI_PROJECT_DIR/log/ .after-my-script: &after-my-script - cd $CI_PROJECT_DIR/poky @@ -26,6 +29,10 @@ stages: stage: base after_script: - *after-my-script + artifacts: + paths: + - $CI_PROJECT_DIR/log/* + when: always .parsec: before_script: 
@@ -51,77 +58,77 @@ stages: qemux86: extends: .base script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal" - - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_security_image.txt + - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_harden_image.txt qemux86-musl: extends: .musl needs: ['qemux86'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_musl_security_image.txt qemux86-parsec: extends: .parsec needs: ['qemux86'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_parsec_security_image.txt qemux86-test: extends: .test needs: ['qemux86'] allow_failure: true script: - - kas build --target security-test-image kas/$CI_JOB_NAME.yml - - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml + - kas build --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_test_security_image.txt + - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_testimage_security_image.txt qemux86-64: extends: .base script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" - - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml - - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" 2>&1 | tee 
$CI_PROJECT_DIR/log/qemux86_64_security_image.txt + - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_dm_verify.txt + - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_security_build_image.txt qemux86-64-parsec: extends: .parsec needs: ['qemux86-64'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemux86_64_parsec_security_image.txt qemuarm: extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_security_image.txt qemuarm-parsec: extends: .parsec needs: ['qemuarm'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm_parsec_security_image.txt qemuarm64: extends: .base script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" - - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_parsec_security_image.txt + - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_build_security_image.txt qemuarm64-musl: extends: .musl needs: ['qemuarm64'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_musl_security_image.txt qemuarm64-parsec: extends: .parsec needs: ['qemuarm64'] script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build 
--target security-parsec-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuarm64_parsec_security_image.txt qemumips64: extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemumips64_security_image.txt qemuriscv64: extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml 2>&1 | tee $CI_PROJECT_DIR/log/qemuriscv64_security_image.txt From patchwork Sun Nov 23 23:44:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75268 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 128B2CFD313 for ; Sun, 23 Nov 2025 23:45:23 +0000 (UTC) Received: from mail-qk1-f171.google.com (mail-qk1-f171.google.com [209.85.222.171]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4856.1763941520518892193 for ; Sun, 23 Nov 2025 15:45:20 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=e8yaIRPD; spf=pass (domain: konsulko.com, ip: 209.85.222.171, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f171.google.com with SMTP id af79cd13be357-8b220ddc189so448802485a.0 for ; Sun, 23 Nov 2025 15:45:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941519; x=1764546319; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=jng7qDD82KyMPs+W1S8oGQxE+ROJY7qz8hKhVkA1+FE=; 
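Review bot: Every `script:` entry in the jobs hunk (@@ -51,77) now ends in `2>&1 | tee $CI_PROJECT_DIR/log/<name>.txt`, so the step's exit status is that of `tee` unless the job shell runs with pipefail enabled, and a failing `kas build` or `bitbake -k` could then let the job pass. Please confirm the runner shell sets pipefail, or add `set -o pipefail` ahead of the piped commands. In the same hunk the first command of the `qemuarm64` job logs to `qemuarm64_parsec_security_image.txt`, the file name the `qemuarm64-parsec` job also uses, which makes the collected artifacts easy to misread; the `qemux86-64` job also gains `core-image-minimal` as a bitbake target without the commit message saying so.

Review bot: In the `.before-my-script` hunk, `echo "$CI_PROJECT_DIR" >> ~/.ci_project_dir` appends rather than overwrites, so on a runner whose home directory persists between jobs the file grows by one line per job; if a single current value is meant, `>` is the safer operator. The two new `mkdir -p $CI_PROJECT_DIR/...` lines leave the variable unquoted, unlike the `echo` lines above them. While this block is being reworked, the unchanged `python3 -m pip install kas` line still installs whatever kas version is current at job time; pinning a version inside the new venv would make CI results reproducible.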
[107.179.213.3]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8b32932db59sm843706585a.1.2025.11.23.15.45.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 23 Nov 2025 15:45:18 -0800 (PST) From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 03/32] kas: update configuration Date: Sun, 23 Nov 2025 18:44:43 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:23 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2661 From: Marta Rybczynska Changes: - switch to scarthgap - add required usrmerge feature to kas-security-alt configuration - add whitespaces around assignement - add common dldir/sstate - don't build apparmor in musl configus - only enable ptest for the test image Signed-off-by: Marta Rybczynska (squashed and recent master changes backported) Signed-off-by: Scott Murray --- kas/kas-security-alt.yml | 2 +- kas/kas-security-base.yml | 13 +++++++++---- kas/kas-security-parsec.yml | 2 +- kas/qemuarm64-musl.yml | 1 + kas/qemux86-musl.yml | 1 + kas/qemux86-test.yml | 5 +++++ 6 files changed, 18 insertions(+), 6 deletions(-) diff --git a/kas/kas-security-alt.yml b/kas/kas-security-alt.yml index 3ee9808..8f754ac 100644 --- a/kas/kas-security-alt.yml +++ b/kas/kas-security-alt.yml @@ -5,4 +5,4 @@ header: local_conf_header: alt: | - DISTRO_FEATURES:append = " systemd" + INIT_MANAGER = "systemd" diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml index fa7915c..ff66889 100644 --- a/kas/kas-security-base.yml +++ b/kas/kas-security-base.yml @@ -13,7 +13,7 @@ repos: poky: url: https://git.yoctoproject.org/git/poky - refspec: master + refspec: scarthgap layers: meta: meta-poky: 
@@ -21,7 +21,7 @@ repos: meta-openembedded: url: http://git.openembedded.org/meta-openembedded - refspec: master + refspec: scarthgap layers: meta-oe: meta-perl: @@ -36,8 +36,8 @@ local_conf_header: INHERIT += "buildstats buildstats-summary buildhistory" INHERIT += "report-error" IMAGE_CLASSES += "testimage" - BB_NUMBER_THREADS="24" - BB_NUMBER_PARSE_THREADS="12" + BB_NUMBER_THREADS = "24" + BB_NUMBER_PARSE_THREADS = "12" BB_TASK_NICE_LEVEL = '5' BB_TASK_NICE_LEVEL_task-testimage = '0' BB_TASK_IONICE_LEVEL = '2.7' @@ -47,6 +47,7 @@ local_conf_header: PACKAGE_CLASSES = "package_ipk" DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2" + DISTRO_FEATURES:remove = "ptest" MACHINE_FEATURES:append = " tpm tpm2" diskmon: | @@ -60,6 +61,10 @@ local_conf_header: HALT,${SSTATE_DIR},100M,1K \ HALT,/tmp,10M,1K" + dlsstate: | + DL_DIR = "/home/gitlab-runner/build/downloads" + SSTATE_DIR = "/home/gitlab-runner/build/sstate-cache" + bblayers_conf_header: base: | BBPATH = "${TOPDIR}" diff --git a/kas/kas-security-parsec.yml b/kas/kas-security-parsec.yml index 9a009be..cfaa660 100644 --- a/kas/kas-security-parsec.yml +++ b/kas/kas-security-parsec.yml @@ -10,7 +10,7 @@ repos: meta-clang: url: https://github.com/kraj/meta-clang.git - refspec: master + refspec: scarthgap local_conf_header: meta-parsec: | diff --git a/kas/qemuarm64-musl.yml b/kas/qemuarm64-musl.yml index b353eb4..f01f759 100644 --- a/kas/qemuarm64-musl.yml +++ b/kas/qemuarm64-musl.yml @@ -6,5 +6,6 @@ header: local_conf_header: musl: | TCLIBC = "musl" + DISTRO_FEATURES:remove = "apparmor" machine: qemuarm64 diff --git a/kas/qemux86-musl.yml b/kas/qemux86-musl.yml index 61d9572..aa6572c 100644 --- a/kas/qemux86-musl.yml +++ b/kas/qemux86-musl.yml @@ -6,5 +6,6 @@ header: local_conf_header: musl: | TCLIBC = "musl" + DISTRO_FEATURES:remove = "apparmor" machine: qemux86 diff --git a/kas/qemux86-test.yml b/kas/qemux86-test.yml index 83a5353..c4609f9 100644 --- a/kas/qemux86-test.yml +++ b/kas/qemux86-test.yml 
@@ -3,4 +3,9 @@ header: includes: - kas-security-base.yml +local_conf_header: + ptest: | + DISTRO_FEATURES:append = " ptest" + EXTRA_IMAGE_FEATURES:append = " allow-empty-password allow-root-login empty-root-password" + machine: qemux86 From patchwork Sun Nov 23 23:44:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75269 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 12187CFD31E for ; Sun, 23 Nov 2025 23:45:23 +0000 (UTC) Received: from mail-qk1-f171.google.com (mail-qk1-f171.google.com [209.85.222.171]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4858.1763941521505632063 for ; Sun, 23 Nov 2025 15:45:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=V+KciGB7; spf=pass (domain: konsulko.com, ip: 209.85.222.171, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f171.google.com with SMTP id af79cd13be357-8b2dcdde65bso560141485a.0 for ; Sun, 23 Nov 2025 15:45:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941520; x=1764546320; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Dk0sqIDojMb2T9OfmW4/C/2COwUIzFghRpNrzozFCU4=; b=V+KciGB7q21MDt6SE7gBtPjfBX+qdV1E1pLkLJoM1MAoMxfGtRGbQ39kj6RfhVAIEv uMYOFLCQ5/eg4sCNxgnwki7eqzJqmqbxxiJC/n80qf17WZ0XOssuUX2HkVQAW39wRmoc lRMhA/uuXgYsYmEZ1esPtbuU7AcKQXBihFmsc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763941520; x=1764546320; h=content-transfer-encoding:mime-version:references:in-reply-to 
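Review bot: The commit message says the usrmerge feature is added to the kas-security-alt configuration, but the kas/kas-security-alt.yml hunk only replaces `DISTRO_FEATURES:append = " systemd"` with `INIT_MANAGER = "systemd"`. If usrmerge is expected to arrive through INIT_MANAGER, please say so in the message so a reader does not go looking for a missing line.

Review bot: In kas/kas-security-base.yml (@@ -21,7) the meta-openembedded `refspec` moves to `scarthgap` while the context line `url: http://git.openembedded.org/meta-openembedded` keeps fetching over plain HTTP, unlike the poky and meta-clang entries, which use https. Since the entry is being touched, switching it to https in this patch would give a layer that feeds security image builds the same transport protection as the others.

Review bot: The new `dlsstate` block in kas/kas-security-base.yml (@@ -60,6) hard-codes `DL_DIR` and `SSTATE_DIR` under `/home/gitlab-runner/build/`, and this base file is pulled in by other configurations (kas/qemux86-test.yml lists it under `includes`), so anyone running these kas files outside the CI runner inherits paths that may not exist or be writable. Consider moving the block into a CI-only include or taking the paths from the environment.

Review bot: The `ptest` block added to kas/qemux86-test.yml enables `allow-empty-password allow-root-login empty-root-password` through `EXTRA_IMAGE_FEATURES:append`. That fits an image driven by testimage, but a comment inside the block stating that these features are test-only would help keep them from being copied into kas-security-base.yml or a configuration used for deployable images.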
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 04/32] scap-security-guide: fix fetch Date: Sun, 23 Nov 2025 18:44:44 -0500 Message-ID: <7425c3ca03c6dbb21ba02d7a97787709cb51f8ee.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:23 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2662 From: Marta Rybczynska The project does not keep releases in branches, instead they tag them. The stable branch does not contain releases, so we use the revision only. See upstream issue [1] for details. [1] https://github.com/ComplianceAsCode/content/issues/13543 Signed-off-by: Marta Rybczynska --- .../scap-security-guide/scap-security-guide_0.1.71.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.71.bb b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.71.bb index 5e45332..e277ccf 100644 --- a/recipes-compliance/scap-security-guide/scap-security-guide_0.1.71.bb +++ b/recipes-compliance/scap-security-guide/scap-security-guide_0.1.71.bb 
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820" LICENSE = "BSD-3-Clause" SRCREV = "459f0abf2ac08d36e5fc4a2619bc75cff7000da9" -SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol=https \ +SRC_URI = "git://github.com/ComplianceAsCode/content.git;nobranch=1;protocol=https \ file://run_eval.sh \ file://run-ptest \ "
From patchwork Sun Nov 23 23:44:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75267
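Review bot: on the changed `SRC_URI` line, `nobranch=1` removes the fetcher's check that `SRCREV` is reachable from a named branch, so the recipe no longer records where `459f0abf2ac08d36e5fc4a2619bc75cff7000da9` comes from. The pinned hash keeps the fetched content fixed, but a comment above `SRCREV` naming the upstream release tag it corresponds to, with the upstream issue link from the commit message, would let the next version bump be checked against the tag instead of trusting the bare hash.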
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 05/32] lynis: update 3.1.1 -> 3.1.4 Date: Sun, 23 Nov 2025 18:44:45 -0500 Message-ID: <010cbaf90ecb86c1530b463b3d3c8e6309535fc3.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:22 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2663 From: Marta Rybczynska Changelog at [1]. [1] https://cisofy.com/changelog/lynis/#314 Signed-off-by: Marta Rybczynska --- recipes-compliance/lynis/{lynis_3.1.1.bb => lynis_3.1.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-compliance/lynis/{lynis_3.1.1.bb => lynis_3.1.4.bb} (93%) diff --git a/recipes-compliance/lynis/lynis_3.1.1.bb b/recipes-compliance/lynis/lynis_3.1.4.bb similarity index 93% rename from recipes-compliance/lynis/lynis_3.1.1.bb rename to recipes-compliance/lynis/lynis_3.1.4.bb index b69f4df..9cce848 100644 --- a/recipes-compliance/lynis/lynis_3.1.1.bb +++ b/recipes-compliance/lynis/lynis_3.1.4.bb 
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz" -SRC_URI[sha256sum] = "d72f4ee7325816bb8dbfcf31eb104207b9fe58a2493c2a875373746a71284cc3" +SRC_URI[sha256sum] = "c4dbcddd429624d5b2319cd3b19728e18a7885b70b8eb0a9fdd3ca5f0ae28eb6" #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
From patchwork Sun Nov 23 23:44:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75272
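Review bot: the new `SRC_URI[sha256sum]` value is the only integrity check on the 3.1.4 tarball, and neither the hunk nor the commit message says where it came from. State in the commit message that it was compared with the checksum or signature upstream publishes for the release, rather than taken from whatever the first download produced. The commented-out `#UPSTREAM_CHECK` context line is also dead; either drop it or turn it into a working `UPSTREAM_CHECK_URI` setting.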
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 06/32] chkrootkit: use debian mirror Date: Sun, 23 Nov 2025 18:44:46 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2664 From: Marta Rybczynska Use the debian mirror as the ubuntu one is failing frequently. Signed-off-by: Marta Rybczynska --- recipes-scanners/rootkits/chkrootkit_0.57.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-scanners/rootkits/chkrootkit_0.57.bb b/recipes-scanners/rootkits/chkrootkit_0.57.bb index d35f5f6..c3d2f9b 100644 --- a/recipes-scanners/rootkits/chkrootkit_0.57.bb +++ b/recipes-scanners/rootkits/chkrootkit_0.57.bb 
@@ -5,7 +5,7 @@ SECTION = "security" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff" -SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \ +SRC_URI = "http://deb.debian.org/debian/pool/main/c/${BPN}/${BPN}_${PV}.orig.tar.gz \ file://musl_fix.patch" SRC_URI[sha256sum] = "06d1faee151aa3e3c0f91ac807ca92e60b75ed1c18268ccef2c45117156d253c"
From patchwork Sun Nov 23 23:44:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75280
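Review bot: the replacement `SRC_URI` hardcodes `http://deb.debian.org/debian/pool` over plain HTTP. The unchanged `SRC_URI[sha256sum]` still pins the tarball, so this is about robustness: `${DEBIAN_MIRROR}/main/c/${BPN}/${BPN}_${PV}.orig.tar.gz` would follow the build's mirror configuration instead of one fixed host. As the libgssglue patch later in this series notes, Debian deletes `orig.tar.gz` files it no longer maintains, so it is also worth confirming that 0.57 is expected to stay in `main`.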
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 07/32] checksecurity: update the debian package Date: Sun, 23 Nov 2025 18:44:47 -0500 Message-ID: <5f791761ffb9414966959335ec68aa4bf13d65b1.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2665 From: Marta Rybczynska The previously used package (nmu1) is no longer available, use the latest current one (nmu3). The changelog between the two: checksecurity (2.0.16+nmu3) unstable; urgency=medium * Non-maintainer upload. * Fix "missing required debian/rules targets build-arch and/or build-indep": Add targets to debian/rules. (Closes: #999082) * Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm": Bump to 7 in debian/{compat,control}. (Closes: #965448) * Fix some grave packaging errors: - move debhelper from Build-Depends-Indep to Build-Depends - remove temporary files debian/postrm.debhelper and debian/substvars from source package -- gregor herrmann Sun, 26 Dec 2021 01:56:10 +0100 checksecurity (2.0.16+nmu2) unstable; urgency=medium * Non maintainer upload by the Reproducible Builds team. * No source change upload to rebuild on buildd with .buildinfo files. -- Holger Levsen Fri, 01 Jan 2021 19:17:53 +0100 Signed-off-by: Marta Rybczynska (adapted from 828a78314f51b919baf638d64e8e12c0c0a408ad) Signed-off-by: Scott Murray --- .../recipes-scanners/checksecurity/checksecurity_2.0.16.bb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb index 8006c9f..6a223f8 100644 --- a/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb +++ b/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb 
@@ -4,14 +4,13 @@ SECTION = "security" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" -SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \ +SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu3.tar.gz \ file://check-setuid-use-more-portable-find-args.patch \ " -SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0" - -S = "${WORKDIR}/checksecurity-${PV}+nmu1" +SRC_URI[sha256sum] = "12b043dc7b38512cdf0735c7c147a4f9e60d83a397b5b8ec130c65ceddbe1a0c" +S = "${WORKDIR}/checksecurity-${PV}+nmu3" # allow for anylocal, no need to patch LOGDIR="/etc/checksecurity"
From patchwork Sun Nov 23 23:44:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75281
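Review bot: the `+nmu3` suffix is now written out twice, in `SRC_URI` and in `S`, exactly as `+nmu1` was, so the next non-maintainer upload that displaces nmu3 from the Debian pool breaks the fetch the same way and needs both lines edited again. Put the suffix in one variable used by both lines, and say in the commit message how the new `SRC_URI[sha256sum]` was verified, since the tarball is fetched over plain `http://`.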
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 08/32] bastille: prevent host uids on files Date: Sun, 23 Nov 2025 18:44:48 -0500 Message-ID: <2617d4c9c980127f5ef5c2e905fbd125dfeb1c18.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2666 From: Marta Rybczynska We get an intermittent QA error about file permissions, happening roughly on 1 build of 10. The change adds chown to prevent host ids on files related to the set_required_questions.py script, to avoid long debugging for now. Signed-off-by: Marta Rybczynska (cherry picked from commit 7bdd0a8b48442e3a93b98647801c2ff5dee7267b) Signed-off-by: Scott Murray --- .../meta-perl/recipes-security/bastille/bastille_3.2.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb b/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb index f2ef335..afd7bfc 100644 --- a/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb +++ b/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
@@ -146,6 +146,8 @@ do_install () { ${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions + chown root:root -R ${D}/${datadir}/Bastille + ln -s RevertBastille ${D}${sbindir}/UndoBastille # Create /var/log/Bastille in runtime.
From patchwork Sun Nov 23 23:44:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75277
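Review bot: the added `chown root:root -R ${D}/${datadir}/Bastille` covers only the `datadir` tree, while the `set_required_questions.py` call just above is also given `${D}${sysconfdir}/Bastille/config`. If the script rewrites that file too, it can still carry the host uid and the intermittent QA error will come back; either chown both paths or confirm that only `Questions` is written. The commit message calls this a stopgap, so a comment above the `chown` saying that would help, and `${D}/${datadir}` should be `${D}${datadir}` to match the surrounding lines.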
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 09/32] libgssglue: switch to use git source Date: Sun, 23 Nov 2025 18:44:49 -0500 Message-ID: <9025527f4ccd407e01de577cb84b1c2ae2ddd0a4.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2667 From: Chen Qi The 0.8 orig.tar.gz is not in debian mirror any more. In fact, we really should avoid using orig.tar.gz like this because distros like debian will just delete those that they don't maintain any more. Switch to use git source. Signed-off-by: Chen Qi Signed-off-by: Armin Kuster (cherry picked from commit baaafdf08b7ffb8703618684d571c4766ea3e28e) Signed-off-by: Scott Murray --- recipes-security/libgssglue/libgssglue_0.8.bb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/recipes-security/libgssglue/libgssglue_0.8.bb b/recipes-security/libgssglue/libgssglue_0.8.bb index 9d01964..e534615 100644 --- a/recipes-security/libgssglue/libgssglue_0.8.bb +++ b/recipes-security/libgssglue/libgssglue_0.8.bb 
@@ -21,11 +21,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \ file://src/oid_ops.c;beginline=378;endline=398;md5=72457a5cdc0354cb5c25c8b150326364\ " -SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.gz \ +SRC_URI = "git://gitlab.com/gsasl/libgssglue.git;protocol=https;branch=master \ file://libgssglue-canon-name.patch \ " +SRCREV = "c8b4b2936b854a7d4f7ef12e30d6f519b30dec87" -SRC_URI[sha256sum] = "a2bb183e946f6e30562a2a856950a2916c9b6d42c34d67a8400e4efc28917746" +S = "${WORKDIR}/git" inherit autotools-brokensep
From patchwork Sun Nov 23 23:44:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75274
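Review bot: the added `SRCREV` is a bare hash on `branch=master`, and nothing in the hunk ties `c8b4b2936b854a7d4f7ef12e30d6f519b30dec87` to the 0.8 release the recipe is named for. Add a comment giving the upstream tag this commit corresponds to, so it is clear the git checkout is the same source the removed `orig.tar.gz` and its `SRC_URI[sha256sum]` used to pin, and so that `libgssglue-canon-name.patch` is known to apply to the intended tree.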
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 10/32] packagegroup-core-security: add missing packages Date: Sun, 23 Nov 2025 18:44:50 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2668 Changes: - Add libmhash and libgssglue so they will get tested by CI. - Switch to MACHINE_ARCH to facilitate the above, but it makes sense anyway due to all the machine overrides used in the packagegroup definition. Since this packagegroup is to facilitate testing and unlikely to be used by downstreams, it is believed this will have minimal impact. (adapted from 26e745243d6d28768ed4a237d9a48f68210c70a6) Signed-off-by: Scott Murray --- recipes-core/packagegroup/packagegroup-core-security.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb index 3ef77e5..10063c3 100644 --- a/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/recipes-core/packagegroup/packagegroup-core-security.bb @@ -3,6 +3,8 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +PACKAGE_ARCH = "${MACHINE_ARCH}" + inherit packagegroup PACKAGES = "\
@@ -36,6 +38,8 @@ RDEPENDS:packagegroup-security-utils = "\ fscryptctl \ glome \ keyutils \ + libgssglue \ + libmhash \ nmap \ pinentry \ softhsm \ From patchwork Sun Nov 23 23:44:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75278 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 402ACCFD340 for ; Sun, 23 Nov 2025 23:45:33 +0000 (UTC) Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com [209.85.222.177]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4862.1763941528779223601 for ; Sun, 23 Nov 2025 15:45:28 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=JOisPsrJ; spf=pass (domain: konsulko.com, ip: 209.85.222.177, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f177.google.com with SMTP id af79cd13be357-8b29ff9d18cso370983285a.3 for ; Sun, 23 Nov 2025 15:45:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941528; x=1764546328; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=xdbl+yVp+Km2h6LY3EBesr1Nc7wab5SobWbXS0e5P8c=; b=JOisPsrJiW9af+JiAEe71fGCfqPLH8ODj2gh9qsnbJxbFM7ge83RaSxCBqPgW/mvoR epJm7ESZxoFY0akT6OsFwl9J9Vt5wq7ANHTJ5irM7Fb+TYJts+cYolE+lSpoxJr1k0PD E8RYeq2U4bc/6bJumkthqNCCDpgSNfBJFEfA8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763941528; x=1764546328; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; 
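Review bot: in the first hunk of packagegroup-core-security.bb, PACKAGE_ARCH = "${MACHINE_ARCH}" goes in without a comment, and the reason for it (the machine overrides used in the packagegroup definition) is recorded only in the commit message. A one-line comment above the assignment, noting that it has to stay ahead of inherit packagegroup, would stop a later cleanup from moving or dropping it. The libgssglue and libmhash additions in the second hunk keep the RDEPENDS list sorted, so nothing to change there.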
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 11/32] meta-tpm: Small maintainers fix Date: Sun, 23 Nov 2025 18:44:51 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2669 To avoid confusion, remove stray aircrack-ng entry as it is actually in the main layer and not meta-tpm. (cherry picked from commit 9f1d763bb17bf105cc313a95eb3b07496b34bacc) Signed-off-by: Scott Murray --- meta-tpm/conf/distro/include/maintainers-meta-tpm.inc | 1 - 1 file changed, 1 deletion(-) diff --git a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc index 829f198..0925eef 100644 --- a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc +++ b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc 
@@ -19,7 +19,6 @@ # RECIPE_MAINTAINER:pn- = "Full Name " # # Please keep this list in alphabetical order. -RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray " RECIPE_MAINTAINER:pn-pcr-extend = "Scott Murray " RECIPE_MAINTAINER:pn-tpm-quote-tools = "Scott Murray " RECIPE_MAINTAINER:pn-libtpms = "Scott Murray " From patchwork Sun Nov 23 23:44:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75275 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3392ECFD31D for ; Sun, 23 Nov 2025 23:45:33 +0000 (UTC) Received: from mail-qk1-f174.google.com (mail-qk1-f174.google.com [209.85.222.174]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5038.1763941529976839157 for ; Sun, 23 Nov 2025 15:45:30 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=VMbidtpD; spf=pass (domain: konsulko.com, ip: 209.85.222.174, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f174.google.com with SMTP id af79cd13be357-8b2dcdde65bso560151385a.0 for ; Sun, 23 Nov 2025 15:45:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941529; x=1764546329; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=KLxBfJueovbo3gTdK8FYBULNuYYFWxvoDIshRGYv65s=; b=VMbidtpDdXnS24MhfemoYHTVr9VJQRLlAOyLtzB4PTjcb9H+M0q37wxMRZMfdSVDK+ Q+iKMF9B/kDlYHTstJztVJLqUvoGqEazRGOa7nY+lkBzsyPCEIHH2WC8h6cQkGomkAwJ uqQIe8wU93iV9SnQXnOFsTBBZC1v4iABB2nY8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763941529; x=1764546329; 
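Review bot: with the aircrack-ng line removed from maintainers-meta-tpm.inc, the context lines still read pcr-extend, tpm-quote-tools, libtpms in that order, directly under the comment "Please keep this list in alphabetical order." This change does not cause that, but since the file is being tidied anyway, sorting the remaining entries here or in a follow-up would make the comment true.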
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 12/32] ima-evm-utils: remove unnecessary FILESEXTRAPATHS tweak Date: Sun, 23 Nov 2025 18:44:52 -0500 Message-ID: <6be5c4ef33389075dbaf87d207ddabd6aeb11531.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2670 It was pointed out that the recipe was wrongly doing FILESEXTRAPATHS:append, but on inspection the recipe does not need it at all, so just remove. Reported-by: Robert P. J. Day (cherry picked from commit 5770a76fc0d78a645ab254979986f572fd18b3ec) Signed-off-by: Scott Murray --- .../recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb index 8ac080c..ac0a383 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb 
@@ -6,8 +6,6 @@ DEPENDS += "openssl attr keyutils" DEPENDS:class-native += "openssl-native keyutils-native" -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:" - SRC_URI = " \ https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \ file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \ From patchwork Sun Nov 23 23:44:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75276 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2AD9DCFD313 for ; Sun, 23 Nov 2025 23:45:33 +0000 (UTC) Received: from mail-qk1-f181.google.com (mail-qk1-f181.google.com [209.85.222.181]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4863.1763941530861916124 for ; Sun, 23 Nov 2025 15:45:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=CtyPUsXq; spf=pass (domain: konsulko.com, ip: 209.85.222.181, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f181.google.com with SMTP id af79cd13be357-8b1e54aefc5so313222485a.1 for ; Sun, 23 Nov 2025 15:45:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941530; x=1764546330; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=l7THLSz2lr8pYVnGU6CseWh1dKjTeFxmIwP5ttjgEnE=; b=CtyPUsXq7PyccZaUFJD6Gv/9FNaGX7SMnVXpRDC0lbPzKPalkCAr5hmMPEg7nzoyDc kejkzLcCe3t0xj9X+NsaqgNri196VQmVEzcqZU1oudh5OGRpZZ3/Y9VHpkrplIMzgFBN Zox/HFWYWZk3RoM1kk5FbfVQ8cFLgIkne6u0w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763941530; x=1764546330; 
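Review bot: the SRC_URI context right below the removed FILESEXTRAPATHS line in ima-evm-utils_1.5.bb still pulls in file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch, so the removal is only safe if that file is found through the default search path. The commit message says the tweak is not needed but not why. Stating where the patch file lives, and that both the target and the class-native variant still unpack it, would close that gap.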
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 13/32] harden-image-minimal: Fix usermod Date: Sun, 23 Nov 2025 18:44:53 -0500 Message-ID: <056217207643a3d89d88fd1b6ffff1f0e1b4ac6e.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2671 From: Armin Kuster Signed-off-by: Armin Kuster (cherry picked from commit c08a91e5e607806460854936ef622f6f78bb0f03) Signed-off-by: Scott Murray --- meta-hardening/recipes-core/images/harden-image-minimal.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-hardening/recipes-core/images/harden-image-minimal.bb index 38771cd..4366961 100644 --- a/meta-hardening/recipes-core/images/harden-image-minimal.bb +++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb 
@@ -18,9 +18,9 @@ DEFAULT_ADMIN_ACCOUNT ?= "myadmin" DEFAULT_ADMIN_GROUP ?= "wheel" DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!" -EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}" +EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -p '${ROOT_DEFAULT_PASSWORD}' root;", d)}" EXTRA_USERS_PARAMS:append = " useradd ${DEFAULT_ADMIN_ACCOUNT};" EXTRA_USERS_PARAMS:append = " groupadd ${DEFAULT_ADMIN_GROUP};" -EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS:append = " usermod -p '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" From patchwork Sun Nov 23 23:44:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75273 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27148CFD316 for ; Sun, 23 Nov 2025 23:45:33 +0000 (UTC) Received: from mail-qk1-f175.google.com (mail-qk1-f175.google.com [209.85.222.175]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5039.1763941531885412661 for ; Sun, 23 Nov 2025 15:45:32 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=EZrHmhDg; spf=pass (domain: konsulko.com, ip: 209.85.222.175, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f175.google.com with SMTP id af79cd13be357-8b29ff9d18cso370985185a.3 for ; Sun, 23 Nov 2025 15:45:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941531; x=1764546331; 
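Review bot: in harden-image-minimal.bb the move from usermod -P to usermod -p changes how the argument is interpreted, not just the spelling of the flag: -p takes an already-hashed password in crypt(3) format, while the defaults feeding it in the context lines are clear text (DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"). With -p the literal string is written to the shadow field, so neither root nor the admin account would accept that password at login. Suggest making ROOT_DEFAULT_PASSWORD and DEFAULT_ADMIN_ACCOUNT_PASSWORD hold hashes generated offline (with the $ characters escaped for BitBake), and saying so in the commit message, which currently has no description at all.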
Nov 2025 15:45:30 -0800 (PST) Received: from ghidorah.spiteful.org (107-179-213-3.cpe.teksavvy.com. [107.179.213.3]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8b32932db59sm843706585a.1.2025.11.23.15.45.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 23 Nov 2025 15:45:30 -0800 (PST) From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 14/32] suricata: fix CVE-2024-45795 & CVE-2024-45796 Date: Sun, 23 Nov 2025 18:44:54 -0500 Message-ID: <4f19c6b49a69ce915c41925879c9e5dd133e380e.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2672 From: Hitendra Prajapati * CVE-2024-45795 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/72456d359bf3064306b62024c809bb30b162f18c && https://github.com/OISF/suricata/commit/96d5c81aed01f2bc0cd3e2e60057d0deb38caa99 * CVE-2024-45796 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/9203656496c4081260817cce018a0d8fd57869b5 Signed-off-by: Hitendra Prajapati Signed-off-by: Scott Murray --- .../suricata/files/CVE-2024-45795.patch | 123 ++++++++++++++++++ .../suricata/files/CVE-2024-45796.patch | 33 +++++ recipes-ids/suricata/suricata_7.0.0.bb | 2 + 3 files changed, 158 insertions(+) create mode 100644 recipes-ids/suricata/files/CVE-2024-45795.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-45796.patch diff --git a/recipes-ids/suricata/files/CVE-2024-45795.patch b/recipes-ids/suricata/files/CVE-2024-45795.patch new file mode 100644 index 0000000..10363c5 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-45795.patch 
@@ -0,0 +1,123 @@ +From 72456d359bf3064306b62024c809bb30b162f18c Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Mon, 12 Aug 2024 09:54:43 +0200 +Subject: [PATCH] detect/datasets: implement unset command + +Ticket: 7195 + +Otherwise, Suricata aborted on such a rule + +(cherry picked from commit e47598110a557bb9f87ea498d85ba91a45bb0cb6) + +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/72456d359bf3064306b62024c809bb30b162f18c && https://github.com/OISF/suricata/commit/96d5c81aed01f2bc0cd3e2e60057d0deb38caa99] +CVE: CVE-2024-45795 +Signed-off-by: Hitendra Prajapati +--- + doc/userguide/rules/datasets.rst | 2 +- + src/datasets.c | 20 ++++++++++++++++++++ + src/datasets.h | 1 + + src/detect-dataset.c | 11 +++++++++++ + src/detect-dataset.h | 5 ----- + 5 files changed, 33 insertions(+), 6 deletions(-) + +diff --git a/doc/userguide/rules/datasets.rst b/doc/userguide/rules/datasets.rst +index 647b12e..dd9ecd2 100644 +--- a/doc/userguide/rules/datasets.rst ++++ b/doc/userguide/rules/datasets.rst +@@ -78,7 +78,7 @@ Syntax:: + + dataset:,,; + +- dataset:, \ ++ dataset:, \ + [, type , save , load , state , memcap , hashsize ]; + + type +diff --git a/src/datasets.c b/src/datasets.c +index d89ed8d..32bcf6e 100644 +--- a/src/datasets.c ++++ b/src/datasets.c +@@ -1741,3 +1741,23 @@ int DatasetRemoveSerialized(Dataset *set, const char *string) + return DatasetOpSerialized(set, string, DatasetRemoveString, DatasetRemoveMd5, + DatasetRemoveSha256, DatasetRemoveIPv4, DatasetRemoveIPv6); + } ++ ++int DatasetRemove(Dataset *set, const uint8_t *data, const uint32_t data_len) ++{ ++ if (set == NULL) ++ return -1; ++ ++ switch (set->type) { ++ case DATASET_TYPE_STRING: ++ return DatasetRemoveString(set, data, data_len); ++ case DATASET_TYPE_MD5: ++ return DatasetRemoveMd5(set, data, data_len); ++ case DATASET_TYPE_SHA256: ++ return DatasetRemoveSha256(set, data, data_len); ++ case DATASET_TYPE_IPV4: ++ return DatasetRemoveIPv4(set, data, data_len); ++ case 
DATASET_TYPE_IPV6: ++ return DatasetRemoveIPv6(set, data, data_len); ++ } ++ return -1; ++} +diff --git a/src/datasets.h b/src/datasets.h +index af4fc17..0f28a9f 100644 +--- a/src/datasets.h ++++ b/src/datasets.h +@@ -56,6 +56,7 @@ Dataset *DatasetFind(const char *name, enum DatasetTypes type); + Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, + uint64_t memcap, uint32_t hashsize); + int DatasetAdd(Dataset *set, const uint8_t *data, const uint32_t data_len); ++int DatasetRemove(Dataset *set, const uint8_t *data, const uint32_t data_len); + int DatasetLookup(Dataset *set, const uint8_t *data, const uint32_t data_len); + DataRepResultType DatasetLookupwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, + const DataRepType *rep); +diff --git a/src/detect-dataset.c b/src/detect-dataset.c +index 3d29646..aad5cf0 100644 +--- a/src/detect-dataset.c ++++ b/src/detect-dataset.c +@@ -41,6 +41,11 @@ + #include "util-path.h" + #include "util-conf.h" + ++#define DETECT_DATASET_CMD_SET 0 ++#define DETECT_DATASET_CMD_UNSET 1 ++#define DETECT_DATASET_CMD_ISNOTSET 2 ++#define DETECT_DATASET_CMD_ISSET 3 ++ + int DetectDatasetMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, + const Signature *, const SigMatchCtx *); + static int DetectDatasetSetup (DetectEngineCtx *, Signature *, const char *); +@@ -91,6 +96,12 @@ int DetectDatasetBufferMatch(DetectEngineThreadCtx *det_ctx, + return 1; + break; + } ++ case DETECT_DATASET_CMD_UNSET: { ++ int r = DatasetRemove(sd->set, data, data_len); ++ if (r == 1) ++ return 1; ++ break; ++ } + default: + abort(); + } +diff --git a/src/detect-dataset.h b/src/detect-dataset.h +index ca83267..d243552 100644 +--- a/src/detect-dataset.h ++++ b/src/detect-dataset.h +@@ -26,11 +26,6 @@ + + #include "datasets.h" + +-#define DETECT_DATASET_CMD_SET 0 +-#define DETECT_DATASET_CMD_UNSET 1 +-#define DETECT_DATASET_CMD_ISNOTSET 2 +-#define DETECT_DATASET_CMD_ISSET 3 +- + typedef struct 
DetectDatasetData_ { + Dataset *set; + uint8_t cmd; +-- +2.25.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-45796.patch b/recipes-ids/suricata/files/CVE-2024-45796.patch new file mode 100644 index 0000000..ae00a5f --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-45796.patch @@ -0,0 +1,33 @@ +From 9203656496c4081260817cce018a0d8fd57869b5 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Mon, 15 Jul 2024 09:52:00 +0200 +Subject: [PATCH] defrag: fix off by one + +Ticket: 7067 + +This off by one could lead to an empty fragment being inserted +in the rb tree, which led to integer underflow. + +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/9203656496c4081260817cce018a0d8fd57869b5] +CVE: CVE-2024-45796 +Signed-off-by: Hitendra Prajapati +--- + src/defrag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/defrag.c b/src/defrag.c +index 71cf420..38704c9 100644 +--- a/src/defrag.c ++++ b/src/defrag.c +@@ -808,7 +808,7 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker, + } + } + +- if (ltrim > data_len) { ++ if (ltrim >= data_len) { + /* Full packet has been trimmed due to the overlap policy. Overlap + * already set. */ + goto done; +-- +2.25.1 + diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb index a01b3d9..e5d6ed1 100644 --- a/recipes-ids/suricata/suricata_7.0.0.bb +++ b/recipes-ids/suricata/suricata_7.0.0.bb 
@@ -16,6 +16,8 @@ SRC_URI += " \ file://suricata.service \ file://run-ptest \ file://fixup.patch \ + file://CVE-2024-45795.patch \ + file://CVE-2024-45796.patch \ " inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates From patchwork Sun Nov 23 23:44:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75279 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66F6ECFD342 for ; Sun, 23 Nov 2025 23:45:33 +0000 (UTC) Received: from mail-qk1-f182.google.com (mail-qk1-f182.google.com [209.85.222.182]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5041.1763941533025957844 for ; Sun, 23 Nov 2025 15:45:33 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=DhLAUcUz; spf=pass (domain: konsulko.com, ip: 209.85.222.182, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f182.google.com with SMTP id af79cd13be357-8b2dcdde698so560430985a.3 for ; Sun, 23 Nov 2025 15:45:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941532; x=1764546332; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Zmlzo+NDmx/qphuzY7X0BQZMShXeJivTAS5UUPo0tc0=; b=DhLAUcUzucCoQE8xhHVLZ+RRicVmYhYGagH25HV5JpZUzsEqAg84MNH/Ney23v2kbJ 2klS034jerRUxQP00DEZHKMHbf/YpwNe8gRxEdH2TixVDmMKtcpdXjU82qRbCPxMKx4U BBX1aiqM/khIcbrFPMofG/tput9V62zsVqTz4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763941532; x=1764546332; h=content-transfer-encoding:mime-version:references:in-reply-to 
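Review bot: the Upstream-Status line in CVE-2024-45795.patch names two upstream commits joined with "&&" (72456d359bf3064306b62024c809bb30b162f18c and 96d5c81aed01f2bc0cd3e2e60057d0deb38caa99), but the embedded patch carries a single From/Subject header for 72456d35 only, so it is not visible whether the second commit is squashed in or missing. Either carry 96d5c81a as its own patch file with its own header, or state in the patch description which hunks come from which commit. The body also says "(cherry picked from commit e47598110a557bb9f87ea498d85ba91a45bb0cb6)", a third hash, which deserves a word for anyone tracing the fix later. The commit message for the series entry itself would benefit from one line per CVE saying what is fixed (the abort on a dataset unset rule, and the defrag off by one), since that is currently only readable inside the patch files.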
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 15/32] meta-security: Remove True option to getVar calls Date: Sun, 23 Nov 2025 18:44:55 -0500 Message-ID: <0b3cb32abdb35a774c6c11611720f2b19987af19.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:33 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2673 From: akash hadke getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Signed-off-by: Akash Hadke Signed-off-by: Scott Murray --- meta-integrity/classes/ima-evm-rootfs.bbclass | 2 +- .../recipes-parsec/parsec-service/parsec-service_1.3.0.bb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 7b73373..8b2e767 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -59,7 +59,7 @@ ima_evm_sign_rootfs () { # # Deduplicates iversion in case that this gets called more than once. if [ -f etc/fstab ]; then - perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab + perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION") or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab fi # Detect 32bit target to pass --m32 to evmctl by looking at libc 
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.3.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.3.0.bb index 477988e..6887b9f 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.3.0.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.3.0.bb 
@@ -27,11 +27,11 @@ PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider," PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider," PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts" -PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}" +PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS').strip().replace(' ', ',')}" CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}" export BINDGEN_EXTRA_CLANG_ARGS -target = "${@d.getVar('TARGET_SYS',True).replace('-', ' ')}" +target = "${@d.getVar('TARGET_SYS').replace('-', ' ')}" BINDGEN_EXTRA_CLANG_ARGS = "${@bb.utils.contains('target', 'arm', \ '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include -mfloat-abi=hard', \ '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include', \ From patchwork Sun Nov 23 23:44:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75283
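Review bot: in the ima-evm-rootfs.bbclass hunk of PATCH 15/32, the words of IMA_EVM_ROOTFS_IVERSION are joined with "|" and pasted unescaped into the perl s;...;...; expression, so a mount point containing a regex metacharacter (a "." for instance) or the ";" delimiter changes what the substitution matches in etc/fstab. Dropping the True argument does not alter that, but since the line is being touched it would be worth either escaping each entry before the join or documenting that the variable only accepts plain path names.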
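Review bot: in the parsec-service_1.3.0.bb hunk of PATCH 15/32, d.getVar('PACKAGECONFIG_CONFARGS').strip() and d.getVar('TARGET_SYS').replace(...) are called with no fallback, so an unset variable makes getVar() return None and the inline Python fails at parse time with an AttributeError. The ima-evm-rootfs hunk in the same patch already guards with "or"; using (d.getVar('PACKAGECONFIG_CONFARGS') or '') here would match it, and would also make it visible that an empty result leaves CARGO_BUILD_FLAGS ending in a bare "--features".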
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 16/32] suricata: Fix CVE-2024-55605 Date: Sun, 23 Nov 2025 18:44:56 -0500 Message-ID: <8477af51d60170ce783cc6db3c0040c29468e65f.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2674 From: Hitendra Prajapati Upstream-Status: Backport from https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 && https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba Signed-off-by: Hitendra Prajapati Signed-off-by: Scott Murray --- .../suricata/files/CVE-2024-55605.patch | 205 ++++++++++++++++++ recipes-ids/suricata/suricata_7.0.0.bb | 1 + 2 files changed, 206 insertions(+) create mode 100644 recipes-ids/suricata/files/CVE-2024-55605.patch diff --git a/recipes-ids/suricata/files/CVE-2024-55605.patch b/recipes-ids/suricata/files/CVE-2024-55605.patch new file mode 100644 index 0000000..c8bfead --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-55605.patch 
@@ -0,0 +1,205 @@ +From f80ebd5a30b02db5915f749f0c067c7adefbbe76 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 7 Nov 2024 17:49:45 +0100 +Subject: [PATCH] detect/transforms: write directly in inspect buffer + +instead of writing to a temporary buffer and then copying, +to save the cost of copying. + +Ticket: 7229 + +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 && https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba] +CVE: CVE-2024-55605 +Signed-off-by: Hitendra Prajapati +--- + src/detect-engine.c | 23 ++++++++++++++++++++-- + src/detect-engine.h | 3 ++- + src/detect-transform-compress-whitespace.c | 8 ++++++-- + src/detect-transform-dotprefix.c | 10 +++++++--- + src/detect-transform-strip-whitespace.c | 8 ++++++-- + src/detect-transform-urldecode.c | 8 ++++++-- + src/detect-transform-xor.c | 7 +++++-- + 7 files changed, 53 insertions(+), 14 deletions(-) + +diff --git a/src/detect-engine.c b/src/detect-engine.c +index 141b48a..cdb24d8 100644 +--- a/src/detect-engine.c ++++ b/src/detect-engine.c +@@ -1647,11 +1647,13 @@ void InspectionBufferFree(InspectionBuffer *buffer) + /** + * \brief make sure that the buffer has at least 'min_size' bytes + * Expand the buffer if necessary ++ * ++ * \retval pointer to inner buffer to use, or NULL if realloc failed + */ +-void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size) ++uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size) + { + if (likely(buffer->size >= min_size)) +- return; ++ return buffer->buf; + + uint32_t new_size = (buffer->size == 0) ? 
4096 : buffer->size; + while (new_size < min_size) { +@@ -1662,7 +1664,24 @@ void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size) + if (ptr != NULL) { + buffer->buf = ptr; + buffer->size = new_size; ++ } else { ++ return NULL; + } ++ return buffer->buf; ++} ++ ++/** ++ * \brief set inspect length of inspect buffer ++ * The inspect buffer may have been overallocated (by strip_whitespace for example) ++ * so, this sets the final length ++ */ ++void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len) ++{ ++ DEBUG_VALIDATE_BUG_ON(buffer->buf == NULL); ++ DEBUG_VALIDATE_BUG_ON(buf_len > buffer->size); ++ buffer->inspect = buffer->buf; ++ buffer->inspect_len = buf_len; ++ buffer->initialized = true; + } + + void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len) +diff --git a/src/detect-engine.h b/src/detect-engine.h +index 7617e66..04713a7 100644 +--- a/src/detect-engine.h ++++ b/src/detect-engine.h +@@ -31,7 +31,8 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size); + void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, + InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len); + void InspectionBufferFree(InspectionBuffer *buffer); +-void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); ++uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); ++void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len); + void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len); + void InspectionBufferApplyTransforms(InspectionBuffer *buffer, + const DetectEngineTransforms *transforms); +diff --git a/src/detect-transform-compress-whitespace.c b/src/detect-transform-compress-whitespace.c +index 5cbf0fd..cc78c7e 100644 +--- a/src/detect-transform-compress-whitespace.c ++++ b/src/detect-transform-compress-whitespace.c +@@ -111,7 +111,11 @@ static void 
TransformCompressWhitespace(InspectionBuffer *buffer, void *options) + return; + } + +- uint8_t output[input_len]; // we can only shrink ++ // we can only shrink ++ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len); ++ if (output == NULL) { ++ return; ++ } + uint8_t *oi = output, *os = output; + + //PrintRawDataFp(stdout, input, input_len); +@@ -132,7 +136,7 @@ static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options) + uint32_t output_size = oi - os; + //PrintRawDataFp(stdout, output, output_size); + +- InspectionBufferCopy(buffer, os, output_size); ++ InspectionBufferTruncate(buffer, output_size); + } + + #ifdef UNITTESTS +diff --git a/src/detect-transform-dotprefix.c b/src/detect-transform-dotprefix.c +index 52a2633..d58e1d4 100644 +--- a/src/detect-transform-dotprefix.c ++++ b/src/detect-transform-dotprefix.c +@@ -110,11 +110,15 @@ static void TransformDotPrefix(InspectionBuffer *buffer, void *options) + const size_t input_len = buffer->inspect_len; + + if (input_len) { +- uint8_t output[input_len + 1]; // For the leading '.' ++ // For the leading '.' 
++ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len + 1); ++ if (output == NULL) { ++ return; ++ } + ++ memmove(&output[1], buffer->inspect, input_len); + output[0] = '.'; +- memcpy(&output[1], buffer->inspect, input_len); +- InspectionBufferCopy(buffer, output, input_len + 1); ++ InspectionBufferTruncate(buffer, input_len + 1); + } + } + +diff --git a/src/detect-transform-strip-whitespace.c b/src/detect-transform-strip-whitespace.c +index 32fb96f..6040592 100644 +--- a/src/detect-transform-strip-whitespace.c ++++ b/src/detect-transform-strip-whitespace.c +@@ -106,7 +106,11 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options) + if (input_len == 0) { + return; + } +- uint8_t output[input_len]; // we can only shrink ++ // we can only shrink ++ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len); ++ if (output == NULL) { ++ return; ++ } + uint8_t *oi = output, *os = output; + + //PrintRawDataFp(stdout, input, input_len); +@@ -119,7 +123,7 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options) + uint32_t output_size = oi - os; + //PrintRawDataFp(stdout, output, output_size); + +- InspectionBufferCopy(buffer, os, output_size); ++ InspectionBufferTruncate(buffer, output_size); + } + + #ifdef UNITTESTS +diff --git a/src/detect-transform-urldecode.c b/src/detect-transform-urldecode.c +index 13ef033..a4e9655 100644 +--- a/src/detect-transform-urldecode.c ++++ b/src/detect-transform-urldecode.c +@@ -125,12 +125,16 @@ static void TransformUrlDecode(InspectionBuffer *buffer, void *options) + if (input_len == 0) { + return; + } +- uint8_t output[input_len]; // we can only shrink ++ // we can only shrink ++ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len); ++ if (output == NULL) { ++ return; ++ } + + changed = BufferUrlDecode(input, input_len, output, &output_size); + + if (changed) { +- InspectionBufferCopy(buffer, output, output_size); ++ InspectionBufferTruncate(buffer, 
output_size); + } + } + +diff --git a/src/detect-transform-xor.c b/src/detect-transform-xor.c +index e42700f..18f96df 100644 +--- a/src/detect-transform-xor.c ++++ b/src/detect-transform-xor.c +@@ -133,12 +133,15 @@ static void DetectTransformXor(InspectionBuffer *buffer, void *options) + if (input_len == 0) { + return; + } +- uint8_t output[input_len]; ++ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len); ++ if (output == NULL) { ++ return; ++ } + + for (uint32_t i = 0; i < input_len; i++) { + output[i] = input[i] ^ pxd->key[i % pxd->length]; + } +- InspectionBufferCopy(buffer, output, input_len); ++ InspectionBufferTruncate(buffer, input_len); + } + + #ifdef UNITTESTS +-- +2.25.1 + diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb index e5d6ed1..1cb02f4 100644 --- a/recipes-ids/suricata/suricata_7.0.0.bb +++ b/recipes-ids/suricata/suricata_7.0.0.bb 
@@ -18,6 +18,7 @@ SRC_URI += " \ file://fixup.patch \ file://CVE-2024-45795.patch \ file://CVE-2024-45796.patch \ + file://CVE-2024-55605.patch \ " inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates From patchwork Sun Nov 23 23:44:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75286
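Review bot: in the src/detect-engine.c hunk of PATCH 16/32 that adds InspectionBufferTruncate(), the only checks on buf_len are the two DEBUG_VALIDATE_BUG_ON() lines, which are active only in debug-validation builds, so in a production build nothing stops inspect_len from being set larger than buffer->size. Every transform now depends on this function to publish the final length, so a runtime guard (return without marking the buffer initialized when buffer->buf is NULL or buf_len > buffer->size) would be a cheap safety net.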
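Review bot: in the src/detect-transform-dotprefix.c hunk of PATCH 16/32, buffer->inspect is read by memmove() after InspectionBufferCheckAndExpand(buffer, input_len + 1) has run, and the expand path shown in detect-engine.c only updates buffer->buf and buffer->size. InspectionBufferTruncate() sets inspect = buf, so when this transform follows another one and the buffer has to grow, inspect can still refer to the old allocation. Please confirm the reallocation cannot move the data in that case, or re-read the source pointer from the value returned by the expand call.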
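Review bot: in the src/detect-transform-compress-whitespace.c hunk of PATCH 16/32 (and the same pattern in the strip-whitespace, urldecode and xor hunks), the new "if (output == NULL) return;" leaves the buffer untransformed and says nothing, so under memory pressure a rule is evaluated against data it was not written for. The old stack array could not fail this way; a debug message or counter on that path would make the condition visible to whoever operates the sensor.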
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 17/32] clamav: fix CVE-2025-20260 Date: Sun, 23 Nov 2025 18:44:57 -0500 Message-ID: <1fcb48fd8e2d4c1ab60d36988ff58671cccacf22.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2675 From: Hitendra Prajapati Upstream-Status: Backport https://github.com/Cisco-Talos/clamav/commit/7fe290b573db66ffcf590902977b2b6043b30834 Signed-off-by: Hitendra Prajapati Signed-off-by: Scott Murray --- recipes-scanners/clamav/clamav_0.104.4.bb | 1 + .../clamav/files/CVE-2025-20260.patch | 366 ++++++++++++++++++ 2 files changed, 367 insertions(+) create mode 100644 recipes-scanners/clamav/files/CVE-2025-20260.patch diff --git a/recipes-scanners/clamav/clamav_0.104.4.bb b/recipes-scanners/clamav/clamav_0.104.4.bb index d7beade..0bd776c 100644 --- a/recipes-scanners/clamav/clamav_0.104.4.bb +++ b/recipes-scanners/clamav/clamav_0.104.4.bb @@ -22,6 +22,7 @@ SRC_URI = "git://github.com/Cisco-Talos/clamav;branch=rel/0.104;protocol=https \ file://oe_cmake_fixup.patch \ file://CVE-2024-20505.patch \ file://CVE-2024-20506.patch \ + file://CVE-2025-20260.patch \ " S = "${WORKDIR}/git" diff --git a/recipes-scanners/clamav/files/CVE-2025-20260.patch b/recipes-scanners/clamav/files/CVE-2025-20260.patch new file mode 100644 index 0000000..6177d4b --- /dev/null +++ b/recipes-scanners/clamav/files/CVE-2025-20260.patch 
@@ -0,0 +1,366 @@ +From 7fe290b573db66ffcf590902977b2b6043b30834 Mon Sep 17 00:00:00 2001 +From: John Humlick <15677335+jhumlick@users.noreply.github.com> +Date: Mon, 21 Apr 2025 16:18:07 -0700 +Subject: [PATCH] Fix integer overflow in PDF parser + +The ascii85decode function calculates the amount of memory to reserve as +a function of (4 * bytes) + 1. Since the result is stored in a uint32_t, +we need to make sure that this calculation will not overflow. If we +detect that an overflow would occur, return CL_EFORMAT and do not +proceed. + +Also check additional potential overflow conditions. +Other areas were identified that could potentially overflow. +This commit adds additional checks to prevent said overflows. + +Thank you Greg Walkup at Sandia National Labs for reporting this issue. + +CLAM-2752 +CLAM-2757 +CLAM-2759 + +Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/7fe290b573db66ffcf590902977b2b6043b30834] +CVE: CVE-2025-20260 +Signed-off-by: Hitendra Prajapati +--- + libclamav/pdf.c | 42 +++++++++++------------ + libclamav/pdf.h | 16 ++++----- + libclamav/pdfdecode.c | 80 +++++++++++++++++++++++++++++++------------ + 3 files changed, 87 insertions(+), 51 deletions(-) + +diff --git a/libclamav/pdf.c b/libclamav/pdf.c +index 40eea19eb..a305b1701 100644 +--- a/libclamav/pdf.c ++++ b/libclamav/pdf.c +@@ -441,7 +441,7 @@ int pdf_findobj_in_objstm(struct pdf_struct *pdf, struct objstm_struct *objstm, + + if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) { + /* Failed to find obj offset for next obj */ +- cli_dbgmsg("pdf_findobj_in_objstm: Failed to find next obj offset for obj in object stream though there should be {%u} more.\n", objstm->n - objstm->nobjs_found); ++ cli_dbgmsg("pdf_findobj_in_objstm: Failed to find next obj offset for obj in object stream though there should be {%zu} more.\n", objstm->n - objstm->nobjs_found); + status = CL_EPARSE; + goto done; + } else if (temp_long < 0) { +@@ -1551,18 
+1551,18 @@ cl_error_t pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t + } + } + +- cli_dbgmsg("pdf_extract_obj: calculated length %lld\n", (long long)length); ++ cli_dbgmsg("pdf_extract_obj: calculated length %zu\n", length); + } else { + if (obj->stream_size > (size_t)length + 2) { + cli_dbgmsg("cli_pdf: calculated length %zu < %zu\n", +- (size_t)length, obj->stream_size); ++ length, obj->stream_size); + length = obj->stream_size; + } + } + +- if ((0 != orig_length) && (obj->stream_size > (size_t)orig_length + 20)) { +- cli_dbgmsg("pdf_extract_obj: orig length: %lld, length: %lld, size: %zu\n", +- (long long)orig_length, (long long)length, obj->stream_size); ++ if ((0 != orig_length) && (obj->stream_size > orig_length + 20)) { ++ cli_dbgmsg("pdf_extract_obj: orig length: %zu, length: %zu, size: %zu\n", ++ orig_length, length, obj->stream_size); + pdfobj_flag(pdf, obj, BAD_STREAMLEN); + } + +@@ -1613,18 +1613,18 @@ cl_error_t pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t + */ + dict_len = obj->stream - start; + if (NULL != (pstr = pdf_getdict(start, &dict_len, "/Type/ObjStm"))) { +- int32_t objstm_first = -1; +- int32_t objstm_length = -1; +- int32_t objstm_n = -1; ++ int objstm_first = -1; ++ int objstm_length = -1; ++ int objstm_n = -1; + + cli_dbgmsg("pdf_extract_obj: Found /Type/ObjStm\n"); + + dict_len = obj->stream - start; +- if ((-1 == (objstm_first = pdf_readint(start, dict_len, "/First")))) { ++ if (-1 == (objstm_first = pdf_readint(start, dict_len, "/First"))) { + cli_warnmsg("pdf_extract_obj: Failed to find offset of first object in object stream\n"); +- } else if ((-1 == (objstm_length = pdf_readint(start, dict_len, "/Length")))) { ++ } else if (-1 == (objstm_length = pdf_readint(start, dict_len, "/Length"))) { + cli_warnmsg("pdf_extract_obj: Failed to find length of object stream\n"); +- } else if ((-1 == (objstm_n = pdf_readint(start, dict_len, "/N")))) { ++ } else if (-1 == (objstm_n = 
pdf_readint(start, dict_len, "/N"))) { + cli_warnmsg("pdf_extract_obj: Failed to find num objects in object stream\n"); + } else { + /* Add objstm to pdf struct, so it can be freed eventually */ +@@ -1646,19 +1646,19 @@ cl_error_t pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t + + memset(objstm, 0, sizeof(*objstm)); + +- objstm->first = (uint32_t)objstm_first; +- objstm->current = (uint32_t)objstm_first; ++ objstm->first = (size_t)objstm_first; ++ objstm->current = (size_t)objstm_first; + objstm->current_pair = 0; +- objstm->length = (uint32_t)objstm_length; +- objstm->n = (uint32_t)objstm_n; ++ objstm->length = (size_t)objstm_length; ++ objstm->n = (size_t)objstm_n; + +- cli_dbgmsg("pdf_extract_obj: ObjStm first obj at offset %d\n", objstm->first); +- cli_dbgmsg("pdf_extract_obj: ObjStm length is %d bytes\n", objstm->length); +- cli_dbgmsg("pdf_extract_obj: ObjStm should contain %d objects\n", objstm->n); ++ cli_dbgmsg("pdf_extract_obj: ObjStm first obj at offset %zu\n", objstm->first); ++ cli_dbgmsg("pdf_extract_obj: ObjStm length is %zu bytes\n", objstm->length); ++ cli_dbgmsg("pdf_extract_obj: ObjStm should contain %zu objects\n", objstm->n); + } + } + +- sum = pdf_decodestream(pdf, obj, dparams, obj->stream, (uint32_t)length, xref, fout, &rc, objstm); ++ sum = pdf_decodestream(pdf, obj, dparams, obj->stream, length, xref, fout, &rc, objstm); + if ((CL_SUCCESS != rc) && (CL_VIRUS != rc)) { + cli_dbgmsg("Error decoding stream! 
Error code: %d\n", rc); + +@@ -3341,7 +3341,7 @@ cl_error_t pdf_find_and_parse_objs_in_objstm(struct pdf_struct *pdf, struct objs + retval = pdf_findobj_in_objstm(pdf, objstm, &obj); + if (retval != CL_SUCCESS) { + if (retval != CL_BREAK) { +- cli_dbgmsg("pdf_find_and_parse_objs_in_objstm: Fewer objects in stream than expected: %u found, %u expected.\n", ++ cli_dbgmsg("pdf_find_and_parse_objs_in_objstm: Fewer objects in stream than expected: %zu found, %zu expected.\n", + objstm->nobjs_found, objstm->n); + badobjects++; + pdf->stats.ninvalidobjs++; +diff --git a/libclamav/pdf.h b/libclamav/pdf.h +index 3a03f19f1..b5b69cec7 100644 +--- a/libclamav/pdf.h ++++ b/libclamav/pdf.h +@@ -25,14 +25,14 @@ + #define PDF_FILTERLIST_MAX 64 + + struct objstm_struct { +- uint32_t first; // offset of first obj +- uint32_t current; // offset of current obj +- uint32_t current_pair; // offset of current pair describing id, location of object +- uint32_t length; // total length of all objects (starting at first) +- uint32_t n; // number of objects that should be found in the object stream +- uint32_t nobjs_found; // number of objects actually found in the object stream +- char *streambuf; // address of stream buffer, beginning with first obj pair +- size_t streambuf_len; // length of stream buffer, includes pairs followed by actual objects ++ size_t first; // offset of first obj ++ size_t current; // offset of current obj ++ size_t current_pair; // offset of current pair describing id, location of object ++ size_t length; // total length of all objects (starting at first) ++ size_t n; // number of objects that should be found in the object stream ++ size_t nobjs_found; // number of objects actually found in the object stream ++ char *streambuf; // address of stream buffer, beginning with first obj pair ++ size_t streambuf_len; // length of stream buffer, includes pairs followed by actual objects + }; + + struct pdf_obj { +diff --git a/libclamav/pdfdecode.c b/libclamav/pdfdecode.c 
+index 473cfcd43..92ba52d50 100644 +--- a/libclamav/pdfdecode.c ++++ b/libclamav/pdfdecode.c +@@ -73,7 +73,7 @@ + struct pdf_token { + uint32_t flags; /* tracking flags */ + uint32_t success; /* successfully decoded filters */ +- uint32_t length; /* length of current content; TODO: transition to size_t */ ++ size_t length; /* length of current content; TODO: transition to size_t */ + uint8_t *content; /* content stream */ + }; + +@@ -461,10 +461,16 @@ static cl_error_t filter_ascii85decode(struct pdf_struct *pdf, struct pdf_obj *o + uint32_t declen = 0; + + const uint8_t *ptr = (uint8_t *)token->content; +- uint32_t remaining = token->length; ++ size_t remaining = token->length; + int quintet = 0, rc = CL_SUCCESS; + uint64_t sum = 0; + ++ /* Check for overflow */ ++ if (remaining > (SIZE_MAX / 4)) { ++ cli_dbgmsg("cli_pdf: ascii85decode: overflow detected\n"); ++ return CL_EFORMAT; ++ } ++ + /* 5:4 decoding ratio, with 1:4 expansion sequences => (4*length)+1 */ + if (!(dptr = decoded = (uint8_t *)cli_malloc((4 * remaining) + 1))) { + cli_errmsg("cli_pdf: cannot allocate memory for decoded output\n"); +@@ -851,8 +857,8 @@ static cl_error_t filter_asciihexdecode(struct pdf_struct *pdf, struct pdf_obj * + uint8_t *decoded; + + const uint8_t *content = (uint8_t *)token->content; +- uint32_t length = token->length; +- uint32_t i, j; ++ size_t length = token->length; ++ size_t i, j; + cl_error_t rc = CL_SUCCESS; + + if (!(decoded = (uint8_t *)cli_calloc(length / 2 + 1, sizeof(uint8_t)))) { +@@ -882,8 +888,8 @@ static cl_error_t filter_asciihexdecode(struct pdf_struct *pdf, struct pdf_obj * + if (rc == CL_SUCCESS) { + free(token->content); + +- cli_dbgmsg("cli_pdf: deflated %lu bytes from %lu total bytes\n", +- (unsigned long)j, (unsigned long)(token->length)); ++ cli_dbgmsg("cli_pdf: deflated %zu bytes from %zu total bytes\n", ++ j, token->length); + + token->content = decoded; + token->length = j; +@@ -891,8 +897,8 @@ static cl_error_t filter_asciihexdecode(struct 
pdf_struct *pdf, struct pdf_obj * + if (!(obj->flags & ((1 << OBJ_IMAGE) | (1 << OBJ_TRUNCATED)))) + pdfobj_flag(pdf, obj, BAD_ASCIIDECODE); + +- cli_dbgmsg("cli_pdf: error occurred parsing byte %lu of %lu\n", +- (unsigned long)i, (unsigned long)(token->length)); ++ cli_dbgmsg("cli_pdf: error occurred parsing byte %zu of %zu\n", ++ i, token->length); + free(decoded); + } + return rc; +@@ -933,27 +939,29 @@ static cl_error_t filter_decrypt(struct pdf_struct *pdf, struct pdf_obj *obj, st + return CL_EPARSE; /* TODO: what should this value be? CL_SUCCESS would mirror previous behavior */ + } + +- cli_dbgmsg("cli_pdf: decrypted %zu bytes from %u total bytes\n", ++ cli_dbgmsg("cli_pdf: decrypted %zu bytes from %zu total bytes\n", + length, token->length); + + free(token->content); + token->content = (uint8_t *)decrypted; +- token->length = (uint32_t)length; /* this may truncate unfortunately, TODO: use 64-bit values internally? */ ++ token->length = length; + return CL_SUCCESS; + } + + static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token) + { + uint8_t *decoded, *temp; +- uint32_t declen = 0, capacity = 0; ++ size_t declen = 0, capacity = 0; + + uint8_t *content = (uint8_t *)token->content; + uint32_t length = token->length; + lzw_stream stream; + int echg = 1, lzwstat, rc = CL_SUCCESS; + +- if (pdf->ctx && !(pdf->ctx->dconf->other & OTHER_CONF_LZW)) +- return CL_BREAK; ++ if (pdf->ctx && !(pdf->ctx->dconf->other & OTHER_CONF_LZW)) { ++ rc = CL_BREAK; ++ goto done; ++ } + + if (params) { + struct pdf_dict_node *node = params->nodes; +@@ -984,15 +992,18 @@ static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, + * Sample 0015315109, it has \r followed by zlib header. + * Flag pdf as suspicious, and attempt to extract by skipping the \r. 
+ */ +- if (!length) +- return CL_SUCCESS; ++ if (!length) { ++ rc = CL_SUCCESS; ++ goto done; ++ } + } + + capacity = INFLATE_CHUNK_SIZE; + + if (!(decoded = (uint8_t *)cli_malloc(capacity))) { + cli_errmsg("cli_pdf: cannot allocate memory for decoded output\n"); +- return CL_EMEM; ++ rc = CL_EMEM; ++ goto done; + } + + memset(&stream, 0, sizeof(stream)); +@@ -1007,7 +1018,8 @@ static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, + if (lzwstat != Z_OK) { + cli_warnmsg("cli_pdf: lzwInit failed\n"); + free(decoded); +- return CL_EMEM; ++ rc = CL_EMEM; ++ goto done; + } + + /* initial inflate */ +@@ -1022,16 +1034,23 @@ static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, + length -= q - content; + content = q; + +- stream.next_in = (Bytef *)content; +- stream.avail_in = length; +- stream.next_out = (Bytef *)decoded; ++ stream.next_in = (Bytef *)content; ++ stream.avail_in = length; ++ stream.next_out = (Bytef *)decoded; ++ /* Make sure we don't overflow during type conversion */ ++ if (capacity > UINT_MAX) { ++ cli_dbgmsg("cli_pdf: lzwdecode: overflow detected\n"); ++ rc = CL_EFORMAT; ++ goto done; ++ } + stream.avail_out = capacity; + + lzwstat = lzwInit(&stream); + if (lzwstat != Z_OK) { + cli_warnmsg("cli_pdf: lzwInit failed\n"); + free(decoded); +- return CL_EMEM; ++ rc = CL_EMEM; ++ goto done; + } + + pdfobj_flag(pdf, obj, BAD_FLATESTART); +@@ -1044,7 +1063,7 @@ static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, + /* extend output capacity if needed,*/ + if (stream.avail_out == 0) { + if ((rc = cli_checklimits("pdf", pdf->ctx, capacity + INFLATE_CHUNK_SIZE, 0, 0)) != CL_SUCCESS) { +- cli_dbgmsg("cli_pdf: required buffer size to inflate compressed filter exceeds maximum: %u\n", capacity + INFLATE_CHUNK_SIZE); ++ cli_dbgmsg("cli_pdf: required buffer size to inflate compressed filter exceeds maximum: %zu\n", capacity + INFLATE_CHUNK_SIZE); + break; + } + +@@ -1056,7 +1075,17 @@ 
static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, + decoded = temp; + stream.next_out = decoded + capacity; + stream.avail_out = INFLATE_CHUNK_SIZE; ++ if (declen > (SIZE_MAX - INFLATE_CHUNK_SIZE)) { ++ cli_dbgmsg("cli_pdf: lzwdecode: overflow detected\n"); ++ rc = CL_EFORMAT; ++ goto done; ++ } + declen += INFLATE_CHUNK_SIZE; ++ if (capacity > (SIZE_MAX - INFLATE_CHUNK_SIZE)) { ++ cli_dbgmsg("cli_pdf: lzwdecode: overflow detected\n"); ++ rc = CL_EFORMAT; ++ goto done; ++ } + capacity += INFLATE_CHUNK_SIZE; + } + +@@ -1064,6 +1093,12 @@ static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, + lzwstat = lzwInflate(&stream); + } + ++ if (declen > (UINT32_MAX - (INFLATE_CHUNK_SIZE - stream.avail_out))) { ++ cli_dbgmsg("cli_pdf: lzwdecode: overflow detected\n"); ++ rc = CL_EFORMAT; ++ goto done; ++ } ++ + /* add stream end fragment to decoded length */ + declen += (INFLATE_CHUNK_SIZE - stream.avail_out); + +@@ -1104,6 +1139,7 @@ static cl_error_t filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, + + (void)lzwInflateEnd(&stream); + ++done: + if (rc == CL_SUCCESS) { + if (declen == 0) { + cli_dbgmsg("cli_pdf: empty stream after inflation completed.\n"); +-- +2.49.0 + From patchwork Sun Nov 23 23:44:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75287 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8633FCFD340 for ; Sun, 23 Nov 2025 23:45:43 +0000 (UTC) Received: from mail-qk1-f176.google.com (mail-qk1-f176.google.com [209.85.222.176]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5045.1763941537463351949 for ; Sun, 23 Nov 2025 15:45:37 -0800 Authentication-Results: mx.groups.io; dkim=pass 
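Review bot: in the hunk that opens filter_lzwdecode, `uint8_t *decoded, *temp;` is still declared uninitialized, yet the new `rc = CL_BREAK; goto done;` for the OTHER_CONF_LZW check reaches `done:` before `decoded` is ever assigned. Initialize it to NULL so any cleanup under `done:` sees a defined value. The same hunk widens `declen` and `capacity` to size_t and prints `token->length` with %zu, but leaves `uint32_t length = token->length;` as context, so an oversized token is still silently narrowed on the way in; widen `length` or reject such tokens explicitly.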
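Review bot: the new `capacity > UINT_MAX` branch ahead of `stream.avail_out = capacity;` jumps to `done` without releasing `decoded`, while the lzwInit failure a few lines below calls `free(decoded)` before the same `goto done`. Depending on what `done:` does with the buffer, either this path leaks or the lzwInit paths free twice. Pick one ownership rule for the error paths and set `decoded = NULL` after any early free.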
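Review bot: the two SIZE_MAX checks in the grow path run after the values they guard have already been used: `capacity + INFLATE_CHUNK_SIZE` is passed to cli_checklimits at the top of the block and `stream.next_out = decoded + capacity` is set just before the checks. Move them ahead of the first addition. They also `goto done` from inside the inflate loop, which skips `(void)lzwInflateEnd(&stream);` because the `done:` label is placed after that call.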
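Review bot: the check before "add stream end fragment to decoded length" compares `declen` against UINT32_MAX although `declen` is now size_t and the grow-path checks use SIZE_MAX. If the 32-bit cap is deliberate because a consumer still holds 32-bit lengths, say so in a comment; otherwise use SIZE_MAX for consistency. This `goto done` also bypasses lzwInflateEnd.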
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 18/32] suricata: fix multiple CVEs
Date: Sun, 23 Nov 2025 18:44:58 -0500
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2676

From: Hitendra Prajapati

Backport fixes for:

* CVE-2025-29916 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/2f432c99a9734ea3a75c9218f35060e11a7a39ad && https://github.com/OISF/suricata/commit/e28c8c655a324a18932655a2c2b8f0d5aa1c55d7 && https://github.com/OISF/suricata/commit/d86c5f9f0c75736d4fce93e27c0773fcb27e1047
* CVE-2025-29917 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/bab716776ba3561cfbfd1a57fc18ff1f6859f019
* CVE-2025-29918 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6

Signed-off-by: Hitendra Prajapati
Signed-off-by: Scott Murray --- .../suricata/files/CVE-2025-29916-01.patch | 124 +++++++++++ .../suricata/files/CVE-2025-29916-02.patch | 197 ++++++++++++++++++ .../suricata/files/CVE-2025-29916-03.patch | 55 +++++ .../suricata/files/CVE-2025-29917.patch | 115 ++++++++++ .../suricata/files/CVE-2025-29918.patch | 49 +++++ recipes-ids/suricata/suricata_7.0.0.bb | 5 + 6 files changed, 545 insertions(+) create mode 100644 recipes-ids/suricata/files/CVE-2025-29916-01.patch create mode 100644 recipes-ids/suricata/files/CVE-2025-29916-02.patch create mode 100644 recipes-ids/suricata/files/CVE-2025-29916-03.patch create mode 100644 recipes-ids/suricata/files/CVE-2025-29917.patch create mode 100644 recipes-ids/suricata/files/CVE-2025-29918.patch diff --git a/recipes-ids/suricata/files/CVE-2025-29916-01.patch b/recipes-ids/suricata/files/CVE-2025-29916-01.patch new file mode 100644 index 0000000..ae020e2 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2025-29916-01.patch 
@@ -0,0 +1,124 @@ +From 2f432c99a9734ea3a75c9218f35060e11a7a39ad Mon Sep 17 00:00:00 2001 +From: Victor Julien +Date: Tue, 18 Mar 2025 10:55:39 +0100 +Subject: [PATCH] datasets: improve default hashsize handling + +Make hashsize default local to dataset code, instead of relying on the +thash code. + +Use the same default value as before. + +(cherry picked from commit d32a39ca4b53d7f659f4f0a2a5c162ef97dc4797) + +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/2f432c99a9734ea3a75c9218f35060e11a7a39ad] +CVE: CVE-2025-29916 +Signed-off-by: Hitendra Prajapati +--- + src/datasets.c | 37 +++++++++++++++++++++++-------------- + 1 file changed, 23 insertions(+), 14 deletions(-) + +diff --git a/src/datasets.c b/src/datasets.c +index 32bcf6e..89e7899 100644 +--- a/src/datasets.c ++++ b/src/datasets.c +@@ -677,6 +677,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + } + } + ++ GetDefaultMemcap(&default_memcap, &default_hashsize); ++ if (hashsize == 0) { ++ hashsize = default_hashsize; ++ } ++ + set = DatasetAlloc(name); + if (set == NULL) { + goto out_err; +@@ -696,12 +701,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + char cnf_name[128]; + snprintf(cnf_name, sizeof(cnf_name), "datasets.%s.hash", name); + +- GetDefaultMemcap(&default_memcap, &default_hashsize); + switch (type) { + case DATASET_TYPE_MD5: + set->hash = THashInit(cnf_name, sizeof(Md5Type), Md5StrSet, Md5StrFree, Md5StrHash, + Md5StrCompare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadMd5(set) < 0) +@@ -710,7 +714,7 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + case DATASET_TYPE_STRING: + set->hash = THashInit(cnf_name, sizeof(StringType), StringSet, StringFree, StringHash, + StringCompare, load != NULL ? 1 : 0, memcap > 0 ? 
memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadString(set) < 0) +@@ -719,26 +723,25 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + case DATASET_TYPE_SHA256: + set->hash = THashInit(cnf_name, sizeof(Sha256Type), Sha256StrSet, Sha256StrFree, + Sha256StrHash, Sha256StrCompare, load != NULL ? 1 : 0, +- memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ memcap > 0 ? memcap : default_memcap, hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadSha256(set) < 0) + goto out_err; + break; + case DATASET_TYPE_IPV4: +- set->hash = THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash, +- IPv4Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ set->hash = ++ THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash, IPv4Compare, ++ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadIPv4(set) < 0) + goto out_err; + break; + case DATASET_TYPE_IPV6: +- set->hash = THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash, +- IPv6Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, +- hashsize > 0 ? hashsize : default_hashsize); ++ set->hash = ++ THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash, IPv6Compare, ++ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize); + if (set->hash == NULL) + goto out_err; + if (DatasetLoadIPv6(set) < 0) +@@ -825,6 +828,10 @@ void DatasetPostReloadCleanup(void) + SCMutexUnlock(&sets_lock); + } + ++/* Value reflects THASH_DEFAULT_HASHSIZE which is what the default was earlier, ++ * despite 2048 commented out in the default yaml. 
*/ ++#define DATASETS_HASHSIZE_DEFAULT 4096 ++ + static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize) + { + const char *str = NULL; +@@ -836,12 +843,14 @@ static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize) + *memcap = 0; + } + } ++ ++ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT; + if (ConfGet("datasets.defaults.hashsize", &str) == 1) { + if (ParseSizeStringU32(str, hashsize) < 0) { ++ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT; + SCLogWarning("hashsize value cannot be deduced: %s," +- " resetting to default", +- str); +- *hashsize = 0; ++ " resetting to default: %u", ++ str, *hashsize); + } + } + } +-- +2.49.0 + diff --git a/recipes-ids/suricata/files/CVE-2025-29916-02.patch b/recipes-ids/suricata/files/CVE-2025-29916-02.patch new file mode 100644 index 0000000..fbaaabc --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2025-29916-02.patch 
@@ -0,0 +1,197 @@ +From e28c8c655a324a18932655a2c2b8f0d5aa1c55d7 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Tue, 18 Mar 2025 10:55:39 +0100 +Subject: [PATCH] detect: add configurable limits for datasets + +Ticket: 7615 + +Avoids signatures setting extreme hash sizes, which would lead to very +high memory use. + +Default to allowing: +- 65536 per dataset +- 16777216 total + +To override these built-in defaults: + +```yaml +datasets: + # Limits for per rule dataset instances to avoid rules using too many + # resources. + limits: + # Max value for per dataset `hashsize` setting + #single-hashsize: 65536 + # Max combined hashsize values for all datasets. + #total-hashsizes: 16777216 +``` + +(cherry picked from commit a7713db709b8a0be5fc5e5809ab58e9b14a16e85) + +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/e28c8c655a324a18932655a2c2b8f0d5aa1c55d7] +CVE: CVE-2025-29916 +Signed-off-by: Hitendra Prajapati +--- + src/datasets.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++ + src/util-thash.c | 5 ---- + suricata.yaml.in | 8 ++++++ + 3 files changed, 73 insertions(+), 5 deletions(-) + +diff --git a/src/datasets.c b/src/datasets.c +index 89e7899..0729894 100644 +--- a/src/datasets.c ++++ b/src/datasets.c +@@ -39,11 +39,16 @@ + #include "util-misc.h" + #include "util-path.h" + #include "util-debug.h" ++#include "util-validate.h" + + SCMutex sets_lock = SCMUTEX_INITIALIZER; + static Dataset *sets = NULL; + static uint32_t set_ids = 0; + ++uint32_t dataset_max_one_hashsize = 65536; ++uint32_t dataset_max_total_hashsize = 16777216; ++uint32_t dataset_used_hashsize = 0; ++ + static int DatasetAddwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, + DataRepType *rep); + +@@ -629,6 +634,34 @@ Dataset *DatasetFind(const char *name, enum DatasetTypes type) + return set; + } + ++static bool DatasetCheckHashsize(const char *name, uint32_t hash_size) ++{ ++ if (dataset_max_one_hashsize > 0 && hash_size > dataset_max_one_hashsize) { 
++ SCLogError("hashsize %u in dataset '%s' exceeds configured 'single-hashsize' limit (%u)", ++ hash_size, name, dataset_max_one_hashsize); ++ return false; ++ } ++ // we cannot underflow as we know from conf loading that ++ // dataset_max_total_hashsize >= dataset_max_one_hashsize if dataset_max_total_hashsize > 0 ++ if (dataset_max_total_hashsize > 0 && ++ dataset_max_total_hashsize - hash_size < dataset_used_hashsize) { ++ SCLogError("hashsize %u in dataset '%s' exceeds configured 'total-hashsizes' limit (%u, in " ++ "use %u)", ++ hash_size, name, dataset_max_total_hashsize, dataset_used_hashsize); ++ return false; ++ } ++ ++ return true; ++} ++ ++static void DatasetUpdateHashsize(const char *name, uint32_t hash_size) ++{ ++ if (dataset_max_total_hashsize > 0) { ++ dataset_used_hashsize += hash_size; ++ SCLogDebug("set %s adding with hash_size %u", name, hash_size); ++ } ++} ++ + Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, + uint64_t memcap, uint32_t hashsize) + { +@@ -682,6 +715,10 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + hashsize = default_hashsize; + } + ++ if (!DatasetCheckHashsize(name, hashsize)) { ++ goto out_err; ++ } ++ + set = DatasetAlloc(name); + if (set == NULL) { + goto out_err; +@@ -755,6 +792,10 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, + set->next = sets; + sets = set; + ++ /* hash size accounting */ ++ DEBUG_VALIDATE_BUG_ON(set->hash->config.hash_size != hashsize); ++ DatasetUpdateHashsize(set->name, set->hash->config.hash_size); ++ + SCMutexUnlock(&sets_lock); + return set; + out_err: +@@ -796,6 +837,9 @@ void DatasetReload(void) + continue; + } + set->hidden = true; ++ if (dataset_max_total_hashsize > 0) { ++ dataset_used_hashsize -= set->hash->config.hash_size; ++ } + SCLogDebug("Set %s at %p hidden successfully", set->name, set); + set = set->next; + } +@@ -863,6 +907,27 @@ int DatasetsInit(void) + 
uint32_t default_hashsize = 0; + GetDefaultMemcap(&default_memcap, &default_hashsize); + if (datasets != NULL) { ++ const char *str = NULL; ++ if (ConfGet("datasets.limits.total-hashsizes", &str) == 1) { ++ if (ParseSizeStringU32(str, &dataset_max_total_hashsize) < 0) { ++ FatalError("failed to parse datasets.limits.total-hashsizes value: %s", str); ++ } ++ } ++ if (ConfGet("datasets.limits.single-hashsize", &str) == 1) { ++ if (ParseSizeStringU32(str, &dataset_max_one_hashsize) < 0) { ++ FatalError("failed to parse datasets.limits.single-hashsize value: %s", str); ++ } ++ } ++ if (dataset_max_total_hashsize > 0 && ++ dataset_max_total_hashsize < dataset_max_one_hashsize) { ++ FatalError("total-hashsizes (%u) cannot be smaller than single-hashsize (%u)", ++ dataset_max_total_hashsize, dataset_max_one_hashsize); ++ } ++ if (dataset_max_total_hashsize > 0 && dataset_max_one_hashsize == 0) { ++ // the total limit also applies for single limit ++ dataset_max_one_hashsize = dataset_max_total_hashsize; ++ } ++ + int list_pos = 0; + ConfNode *iter = NULL; + TAILQ_FOREACH(iter, &datasets->head, next) { +diff --git a/src/util-thash.c b/src/util-thash.c +index 6443990..3fba3ef 100644 +--- a/src/util-thash.c ++++ b/src/util-thash.c +@@ -310,16 +310,11 @@ THashTableContext *THashInit(const char *cnf_prefix, size_t data_size, + ctx->config.hash_size = hashsize > 0 ? hashsize : THASH_DEFAULT_HASHSIZE; + /* Reset memcap in case of loading from file to the highest possible value + unless defined by the rule keyword */ +-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +- // limit memcap size to default when fuzzing +- ctx->config.memcap = THASH_DEFAULT_MEMCAP; +-#else + if (memcap > 0) { + ctx->config.memcap = memcap; + } else { + ctx->config.memcap = reset_memcap ? 
UINT64_MAX : THASH_DEFAULT_MEMCAP; + } +-#endif + ctx->config.prealloc = THASH_DEFAULT_PREALLOC; + + SC_ATOMIC_INIT(ctx->counter); +diff --git a/suricata.yaml.in b/suricata.yaml.in +index 6303991..b218515 100644 +--- a/suricata.yaml.in ++++ b/suricata.yaml.in +@@ -1167,6 +1167,14 @@ datasets: + #memcap: 100mb + #hashsize: 2048 + ++ # Limits for per rule dataset instances to avoid rules using too many ++ # resources. ++ limits: ++ # Max value for per dataset `hashsize` setting ++ #single-hashsize: 65536 ++ # Max combined hashsize values for all datasets. ++ #total-hashsizes: 16777216 ++ + rules: + # Set to true to allow absolute filenames and filenames that use + # ".." components to reference parent directories in rules that specify +-- +2.49.0 + diff --git a/recipes-ids/suricata/files/CVE-2025-29916-03.patch b/recipes-ids/suricata/files/CVE-2025-29916-03.patch new file mode 100644 index 0000000..73e66a2 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2025-29916-03.patch 
@@ -0,0 +1,55 @@ +From d86c5f9f0c75736d4fce93e27c0773fcb27e1047 Mon Sep 17 00:00:00 2001 +From: Victor Julien +Date: Mon, 17 Mar 2025 21:19:13 +0100 +Subject: [PATCH] datasets: set higher hashsize limits + +To avoid possible upgrade issues, allow higher defaults than in the +master branch. Add some upgrade guidance and a note that defaults will +probably be further reduced. + +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/d86c5f9f0c75736d4fce93e27c0773fcb27e1047] +CVE: CVE-2025-29916 +Signed-off-by: Hitendra Prajapati +--- + src/datasets.c | 5 +++-- + suricata.yaml.in | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/datasets.c b/src/datasets.c +index 0729894..f99f63c 100644 +--- a/src/datasets.c ++++ b/src/datasets.c +@@ -45,8 +45,9 @@ SCMutex sets_lock = SCMUTEX_INITIALIZER; + static Dataset *sets = NULL; + static uint32_t set_ids = 0; + +-uint32_t dataset_max_one_hashsize = 65536; +-uint32_t dataset_max_total_hashsize = 16777216; ++/* 4x what we set in master to allow a smoother upgrade path */ ++uint32_t dataset_max_one_hashsize = 262144; ++uint32_t dataset_max_total_hashsize = 67108864; + uint32_t dataset_used_hashsize = 0; + + static int DatasetAddwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, +diff --git a/suricata.yaml.in b/suricata.yaml.in +index b218515..59db9ef 100644 +--- a/suricata.yaml.in ++++ b/suricata.yaml.in +@@ -1169,11 +1169,12 @@ datasets: + + # Limits for per rule dataset instances to avoid rules using too many + # resources. ++ # Note: in Suricata 8 the built-in default will be set to lower values. + limits: + # Max value for per dataset `hashsize` setting +- #single-hashsize: 65536 ++ #single-hashsize: 262144 + # Max combined hashsize values for all datasets. +- #total-hashsizes: 16777216 ++ #total-hashsizes: 67108864 + + rules: + # Set to true to allow absolute filenames and filenames that use +-- +2.49.0 + 
diff --git a/recipes-ids/suricata/files/CVE-2025-29917.patch b/recipes-ids/suricata/files/CVE-2025-29917.patch new file mode 100644 index 0000000..8b30dbf --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2025-29917.patch 
@@ -0,0 +1,115 @@ +From bab716776ba3561cfbfd1a57fc18ff1f6859f019 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Tue, 17 Dec 2024 15:06:25 +0100 +Subject: [PATCH] detect: limit base64_decode `bytes` to 64KiB + +Ticket: 7613 + +Avoids potential large per-thread memory allocation. A buffer with the +size of the largest decode_base64 buffer size setting would be allocated +per thread. As this was a u32, it could mean a per-thread 4GiB memory +allocation. + +64KiB was already the built-in default for cases where bytes size wasn't +specified. + +(cherry picked from commit 32d0bd2bbb4d486623dec85a94952fde2515f2f0) + +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/bab716776ba3561cfbfd1a57fc18ff1f6859f019] +CVE: CVE-2025-29917 +Signed-off-by: Hitendra Prajapati +--- + doc/userguide/rules/base64-keywords.rst | 1 + + src/detect-base64-decode.c | 15 ++++++--------- + src/detect.h | 2 +- + 3 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/doc/userguide/rules/base64-keywords.rst b/doc/userguide/rules/base64-keywords.rst +index 7daf0c2..cf4e679 100644 +--- a/doc/userguide/rules/base64-keywords.rst ++++ b/doc/userguide/rules/base64-keywords.rst +@@ -15,6 +15,7 @@ Syntax:: + base64_decode:bytes , offset , relative; + + The ``bytes`` option specifies how many bytes Suricata should decode and make available for base64_data. ++This number is limited to 64KiB. + The decoding will stop at the end of the buffer. + + The ``offset`` option specifies how many bytes Suricata should skip before decoding. 
+diff --git a/src/detect-base64-decode.c b/src/detect-base64-decode.c +index 25fdf10..5ae38c5 100644 +--- a/src/detect-base64-decode.c ++++ b/src/detect-base64-decode.c +@@ -28,7 +28,7 @@ + #define BASE64_DECODE_MAX 65535 + + typedef struct DetectBase64Decode_ { +- uint32_t bytes; ++ uint16_t bytes; + uint32_t offset; + uint8_t relative; + } DetectBase64Decode; +@@ -111,8 +111,8 @@ int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s + return det_ctx->base64_decoded_len > 0; + } + +-static int DetectBase64DecodeParse(const char *str, uint32_t *bytes, +- uint32_t *offset, uint8_t *relative) ++static int DetectBase64DecodeParse( ++ const char *str, uint16_t *bytes, uint32_t *offset, uint8_t *relative) + { + const char *bytes_str = NULL; + const char *offset_str = NULL; +@@ -132,7 +132,7 @@ static int DetectBase64DecodeParse(const char *str, uint32_t *bytes, + + if (pcre_rc >= 3) { + if (pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) { +- if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) { ++ if (StringParseUint16(bytes, 10, 0, bytes_str) <= 0) { + SCLogError("Bad value for bytes: \"%s\"", bytes_str); + goto error; + } +@@ -186,7 +186,7 @@ error: + static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s, + const char *str) + { +- uint32_t bytes = 0; ++ uint16_t bytes = 0; + uint32_t offset = 0; + uint8_t relative = 0; + DetectBase64Decode *data = NULL; +@@ -238,9 +238,6 @@ static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s, + data->bytes = BASE64_DECODE_MAX; + } + if (data->bytes > de_ctx->base64_decode_max_len) { +-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +- data->bytes = BASE64_DECODE_MAX; +-#endif + de_ctx->base64_decode_max_len = data->bytes; + } + +@@ -272,7 +269,7 @@ static int g_http_header_buffer_id = 0; + static int DetectBase64TestDecodeParse(void) + { + int retval = 0; +- uint32_t bytes = 0; ++ uint16_t bytes = 0; + uint32_t offset = 0; + 
uint8_t relative = 0; + +diff --git a/src/detect.h b/src/detect.h +index 2760dda..fd938a1 100644 +--- a/src/detect.h ++++ b/src/detect.h +@@ -910,7 +910,7 @@ typedef struct DetectEngineCtx_ { + struct SigGroupHead_ *decoder_event_sgh; + + /* Maximum size of the buffer for decoded base64 data. */ +- uint32_t base64_decode_max_len; ++ uint16_t base64_decode_max_len; + + /** Store rule file and line so that parsers can use them in errors. */ + int rule_line; +-- +2.49.0 + diff --git a/recipes-ids/suricata/files/CVE-2025-29918.patch b/recipes-ids/suricata/files/CVE-2025-29918.patch new file mode 100644 index 0000000..da9d680 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2025-29918.patch 
@@ -0,0 +1,49 @@ +From f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Tue, 28 Jan 2025 15:02:45 +0100 +Subject: [PATCH] detect/pcre: avoid infinite loop after negated pcre + +Ticket: 7526 + +The usage of negated pcre, followed by other relative payload +content keywords could lead to an infinite loop. + +This is because regular (not negated) pcre can test multiple +occurences, but negated pcre should be tried only once. + +(cherry picked from commit b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b) + +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6] +CVE: CVE-2025-29918 +Signed-off-by: Hitendra Prajapati +--- + src/detect-engine-content-inspection.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c +index 77ebb3f..2a789c9 100644 +--- a/src/detect-engine-content-inspection.c ++++ b/src/detect-engine-content-inspection.c +@@ -450,7 +450,6 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea + if (r == 0) { + goto no_match; + } +- + if (!(pe->flags & DETECT_PCRE_RELATIVE_NEXT)) { + SCLogDebug("no relative match coming up, so this is a match"); + goto match; +@@ -473,6 +472,11 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea + if (det_ctx->discontinue_matching) + goto no_match; + ++ if (prev_offset == 0) { ++ // This happens for negated PCRE ++ // We do not search for another occurrence of this pcre ++ SCReturnInt(0); ++ } + det_ctx->buffer_offset = prev_buffer_offset; + det_ctx->pcre_match_start_offset = prev_offset; + } while (1); +-- +2.49.0 + diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb index 1cb02f4..9618c45 100644 --- a/recipes-ids/suricata/suricata_7.0.0.bb +++ b/recipes-ids/suricata/suricata_7.0.0.bb 
@@ -19,6 +19,11 @@ SRC_URI += " \ file://CVE-2024-45795.patch \ file://CVE-2024-45796.patch \ file://CVE-2024-55605.patch \ + file://CVE-2025-29916-01.patch \ + file://CVE-2025-29916-02.patch \ + file://CVE-2025-29916-03.patch \ + file://CVE-2025-29917.patch \ + file://CVE-2025-29918.patch \ " inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates From patchwork Sun Nov 23 23:44:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75284 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79CE0CFD316 for ; Sun, 23 Nov 2025 23:45:43 +0000 (UTC) Received: from mail-qk1-f171.google.com (mail-qk1-f171.google.com [209.85.222.171]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5046.1763941537795813370 for ; Sun, 23 Nov 2025 15:45:37 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=k0y35A7W; spf=pass (domain: konsulko.com, ip: 209.85.222.171, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f171.google.com with SMTP id af79cd13be357-8b22624bcdaso481169385a.3 for ; Sun, 23 Nov 2025 15:45:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941537; x=1764546337; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+HJZfxV0y8GsEIC4tyT0hFfqa4Os96Kfl9qY6quyZiY=; b=k0y35A7Wv/T+BkV9gwiSkygmMbp0RaBoCtNxCzER6JPhL93rWn1IOdgZMN3y3Wna48 gMHJReG+Gn1eJOp+tItRDWaWJEBDoi15QGfMffc7dYwp6ljzjCwUkxwWfN8i4p4realG Wh6ZnMUZJyQQ8d6cz/MxSIDSLc/qOy95r+Qao= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; 
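Review bot: in CVE-2025-29916-01.patch, GetDefaultMemcap only restores DATASETS_HASHSIZE_DEFAULT when ParseSizeStringU32 fails, so a `datasets.defaults.hashsize` value that parses cleanly to 0 still leaves `*hashsize` at 0. DatasetGet then keeps `hashsize` at 0 after `hashsize = default_hashsize;` and THashInit falls back to THASH_DEFAULT_HASHSIZE on its own, which is the reliance on thash code this change set out to remove, and it would trip the `DEBUG_VALIDATE_BUG_ON(set->hash->config.hash_size != hashsize)` that CVE-2025-29916-02.patch adds. Treat a parsed 0 like a parse failure.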
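Review bot: in CVE-2025-29917.patch, the added documentation line says `bytes` is limited to 64KiB, but the enforced ceiling is the uint16_t range, matching `#define BASE64_DECODE_MAX 65535`, which is one byte short of 64KiB. More relevant for a stable-branch backport, a rule with a larger `bytes` value now fails StringParseUint16 and is rejected with "Bad value for bytes" instead of being accepted; mention this in the commit message so users with existing rulesets know to expect load errors.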
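Review bot: in CVE-2025-29918.patch, the early `SCReturnInt(0)` keys on `prev_offset == 0` and the comment says this happens for negated PCRE, but the hunk does not show where `prev_offset` is assigned, so it is not evident from the patch that a non-negated match can never leave it at 0. Confirm against the full function before merging. The first hunk's blank-line removal is whitespace churn unrelated to the fix.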
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 19/32] smack: Switch to CVE_STATUS Date: Sun, 23 Nov 2025 18:44:59 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2677 From: Aidan Stewart CVE_CHECK_IGNORE has been deprecated starting with the Nanbield release. Signed-off-by: Aidan Stewart Signed-off-by: Scott Murray --- recipes-mac/smack/smack_1.3.1.bb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/recipes-mac/smack/smack_1.3.1.bb b/recipes-mac/smack/smack_1.3.1.bb index 6c52392..04e7a6e 100644 --- a/recipes-mac/smack/smack_1.3.1.bb +++ b/recipes-mac/smack/smack_1.3.1.bb 
@@ -13,10 +13,9 @@ SRC_URI = " \ PV = "1.3.1" -# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product. -CVE_CHECK_IGNORE += "CVE-2014-0363" -CVE_CHECK_IGNORE += "CVE-2014-0364" -CVE_CHECK_IGNORE += "CVE-2016-10027" +CVE_STATUS[CVE-2014-0363] = "cpe-incorrect: Affects Ignite Realtime Smack XMPP API" +CVE_STATUS[CVE-2014-0364] = "cpe-incorrect: Affects Ignite Realtime Smack XMPP API" +CVE_STATUS[CVE-2016-10027] = "cpe-incorrect: Affects Ignite Realtime Smack XMPP API" inherit autotools update-rc.d pkgconfig ptest inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} From patchwork Sun Nov 23 23:45:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75282 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E71BCFD31E for ; Sun, 23 Nov 2025 23:45:43 +0000 (UTC) Received: from mail-qk1-f170.google.com (mail-qk1-f170.google.com [209.85.222.170]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5047.1763941538786677810 for ; Sun, 23 Nov 2025 15:45:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=SjfhTfI8; spf=pass (domain: konsulko.com, ip: 209.85.222.170, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f170.google.com with SMTP id af79cd13be357-8b2da83f721so421196985a.1 for ; Sun, 23 Nov 2025 15:45:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941538; x=1764546338; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=eypY4NuEDKS3LzRUmDzTHvNBKZaSx9hdUYfcT0BqKCA=; 
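Review bot: the three CVE_STATUS entries carry an identical status and reason, so they can be collapsed with CVE_STATUS_GROUPS, which keeps the justification in one place: `CVE_STATUS_GROUPS += "CVE_STATUS_SMACK_XMPP"`, `CVE_STATUS_SMACK_XMPP = "CVE-2014-0363 CVE-2014-0364 CVE-2016-10027"`, `CVE_STATUS_SMACK_XMPP[status] = "cpe-incorrect: Affects Ignite Realtime Smack XMPP API"`. The group name is only a suggestion.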
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 20/32] libhtp: fix CVE-2025-53537 Date: Sun, 23 Nov 2025 18:45:00 -0500 Message-ID: <94f04a4dc279e7f2d5a8dcad2e64a7b3b6aa9d60.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2678 From: Hitendra Prajapati Upstream-Status: Backport from https://github.com/OISF/libhtp/commit/226580d502ae98c148aaecc4846f78694b5e253c && https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7 Signed-off-by: Hitendra Prajapati Signed-off-by: Scott Murray --- .../suricata/files/CVE-2025-53537-001.patch | 79 +++++++++++++++++++ .../suricata/files/CVE-2025-53537-002.patch | 31 ++++++++ recipes-ids/suricata/libhtp_0.5.45.bb | 2 + 3 files changed, 112 insertions(+) create mode 100644 recipes-ids/suricata/files/CVE-2025-53537-001.patch create mode 100644 recipes-ids/suricata/files/CVE-2025-53537-002.patch diff --git a/recipes-ids/suricata/files/CVE-2025-53537-001.patch b/recipes-ids/suricata/files/CVE-2025-53537-001.patch new file mode 100644 index 0000000..e16a59a --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2025-53537-001.patch 
@@ -0,0 +1,79 @@ +From 226580d502ae98c148aaecc4846f78694b5e253c Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Tue, 11 Mar 2025 16:45:35 +0100 +Subject: [PATCH] decompressors: do not take data after end + + +CVE: CVE-2025-53537 +Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/226580d502ae98c148aaecc4846f78694b5e253c] +Signed-off-by: Hitendra Prajapati +--- + htp/htp_core.h | 5 ++++- + htp/htp_decompressors.c | 21 ++++++++++++--------- + 2 files changed, 16 insertions(+), 10 deletions(-) + +diff --git a/htp/htp_core.h b/htp/htp_core.h +index 7c23212..fb142c9 100644 +--- a/htp/htp_core.h ++++ b/htp/htp_core.h +@@ -161,7 +161,10 @@ enum htp_content_encoding_t { + HTP_COMPRESSION_DEFLATE = 3, + + /** LZMA compression. */ +- HTP_COMPRESSION_LZMA = 4 ++ HTP_COMPRESSION_LZMA = 4, ++ ++ /** No more data. */ ++ HTP_COMPRESSION_OVER = 5 + }; + + /** +diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c +index 19950df..0d94c30 100644 +--- a/htp/htp_decompressors.c ++++ b/htp/htp_decompressors.c +@@ -203,6 +203,8 @@ htp_status_t htp_gzip_decompressor_decompress(htp_decompressor_t *drec1, htp_tx_ + } + + return HTP_OK; ++ } else if (drec->zlib_initialized == HTP_COMPRESSION_OVER) { ++ return HTP_ERROR; + } + + if (d->data == NULL) { +@@ -316,15 +318,9 @@ restart: + // no initialization means previous error on stream + return HTP_ERROR; + } +- if (GZIP_BUF_SIZE > drec->stream.avail_out) { +- if (rc == Z_DATA_ERROR) { +- // There is data even if there is an error +- // So use this data and log a warning +- htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); +- rc = Z_STREAM_END; +- } +- } +- if (rc == Z_STREAM_END) { ++ ++ int error_after_data = (rc == Z_DATA_ERROR && drec->restart == 0 && GZIP_BUF_SIZE > drec->stream.avail_out); ++ if (rc == Z_STREAM_END || error_after_data) { + // How many bytes do we have? 
+ size_t len = GZIP_BUF_SIZE - drec->stream.avail_out; + +@@ -351,6 +347,13 @@ restart: + drec->stream.next_out = drec->buffer; + // TODO Handle trailer. + ++ if (error_after_data) { ++ // There is data even if there is an error ++ // So use this data and log a warning ++ htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); ++ drec->zlib_initialized = HTP_COMPRESSION_OVER; ++ return HTP_ERROR; ++ } + return HTP_OK; + } + else if (rc != Z_OK) { +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2025-53537-002.patch b/recipes-ids/suricata/files/CVE-2025-53537-002.patch new file mode 100644 index 0000000..ff4f1a0 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2025-53537-002.patch @@ -0,0 +1,31 @@ +From 9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Tue, 17 Jun 2025 10:12:47 +0200 +Subject: [PATCH] decompressors: fix leak in lzma error case + +Ticket: 7766 + +CVE: CVE-2025-53537 +Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7] +Signed-off-by: Hitendra Prajapati +--- + htp/htp_decompressors.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c +index 0d94c30..ce6cfe1 100644 +--- a/htp/htp_decompressors.c ++++ b/htp/htp_decompressors.c +@@ -351,6 +351,9 @@ restart: + // There is data even if there is an error + // So use this data and log a warning + htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); ++ if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) { ++ LzmaDec_Free(&drec->state, &lzma_Alloc); ++ } + drec->zlib_initialized = HTP_COMPRESSION_OVER; + return HTP_ERROR; + } +-- +2.50.1 + diff --git a/recipes-ids/suricata/libhtp_0.5.45.bb b/recipes-ids/suricata/libhtp_0.5.45.bb index 604a0ca..b87db35 100644 --- a/recipes-ids/suricata/libhtp_0.5.45.bb 
+++ b/recipes-ids/suricata/libhtp_0.5.45.bb 
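Review bot: In the htp_core.h hunk of CVE-2025-53537-001.patch, HTP_COMPRESSION_OVER is added to enum htp_content_encoding_t, which otherwise lists content encodings, yet the htp_decompressors.c hunks use it only as an internal "stream finished after an error" marker stored in drec->zlib_initialized. The comment "No more data." does not say that it is never a negotiated encoding. Either extend the comment to state that it is decompressor state only, or confirm that no code switching on htp_content_encoding_t can now reach an unhandled value 5.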
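Review bot: In CVE-2025-53537-002.patch the error_after_data branch releases only the LZMA state (LzmaDec_Free) before drec->zlib_initialized is overwritten with HTP_COMPRESSION_OVER. For the gzip and deflate cases no inflateEnd() appears in the visible lines, and once the field no longer records which decompressor was active, later cleanup keyed on it cannot tell which one to release. Please confirm that the destroy path still frees the z_stream in that state, or free it here alongside the LZMA case.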
@@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x \ file://CVE-2024-45797.patch \ + file://CVE-2025-53537-001.patch \ + file://CVE-2025-53537-002.patch \ " SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af" From patchwork Sun Nov 23 23:45:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75285
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 21/32] fail2ban: update to 1.1.0+ Date: Sun, 23 Nov 2025 18:45:01 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2679 From: Rasmus Villemoes Current 1.0.2 version does not work with scarthgap or later releases, as the asynchat module has been removed (as scheduled) from python's stdlib as of v3.12. fail2ban 1.1.0 also does not work out-of-the-box, as the distutils module which the pyinotify and systemd backends depend has also been removed. So update the recipe to point at commit ac62658c10f4, which fixes those two backends to no longer depend on distutils. Upstream's out-of-the-box ban action now uses the 'nft' command. People can still override and customize that in jail.conf/jail.local, but to make the recipe useful without customizing things back to use iptables, change the dependency iptables->nftables. Since 1.1.0, fail2ban has been python3-only, so the recipe becomes somewhat simpler since the whole do_compile preparation step can be removed. Signed-off-by: Rasmus Villemoes Signed-off-by: Armin Kuster Signed-off-by: Yi Zhao (update PV) Signed-off-by: Scott Murray --- ...fail2ban_1.0.2.bb => python3-fail2ban_git.bb} | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) rename dynamic-layers/meta-python/recipes-security/fail2ban/{python3-fail2ban_1.0.2.bb => python3-fail2ban_git.bb} (89%) 
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb similarity index 89% rename from dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb rename to dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb index bf5f87d..444574a 100644 --- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb @@ -11,12 +11,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f" DEPENDS = "python3-native" -SRCREV = "e1d3006b0330e9777705a7baafe3989d442ed120" +SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78" SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \ file://initd \ file://run-ptest \ " +PV = "1.1.0+git${SRCPV}" + UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)" inherit update-rc.d ptest setuptools3_legacy @@ -26,16 +28,6 @@ SYSTEMD_SERVICE:${PN} = "fail2ban.service" S = "${WORKDIR}/git" -do_compile () { - cd ${S} - - #remove symlink to python3 - # otherwise 2to3 is run against it - rm -f bin/fail2ban-python - - ./fail2ban-2to3 -} - do_install:append () { rm -f ${D}/${bindir}/fail2ban-python install -d ${D}/${sysconfdir}/fail2ban 
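Review bot: The SRCREV/PV hunk pins a commit past the 1.1.0 release, but the reason (the pyinotify and systemd backends needing the distutils fix) is recorded only in the commit message. A one-line comment above SRCREV saying why a post-release commit is used would tell whoever next bumps the recipe that a plain 1.1.0 tag is not enough. UPSTREAM_CHECK_GITTAGREGEX is also left in place while the recipe now tracks an untagged master commit, so check that the upstream version check still reports something meaningful for python3-fail2ban_git.bb.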
@@ -66,7 +58,7 @@ INITSCRIPT_PARAMS = "defaults 25" INSANE_SKIP:${PN}:append = "already-stripped" -RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables python3-core python3-pyinotify" +RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} nftables python3-core python3-pyinotify" RDEPENDS:${PN} += "python3-sqlite3" RDEPENDS:${PN} += " python3-logging python3-fcntl python3-json" RDEPENDS:${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" From patchwork Sun Nov 23 23:45:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75288
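Review bot: In the RDEPENDS:${PN} line, swapping iptables for nftables is a runtime behaviour change on a stable branch: an image that kept an iptables ban action in jail.local and relied on fail2ban to pull iptables in will now build without it, and the ban action would then fail on the target rather than at build time. Consider a PACKAGECONFIG, or at least a comment in the recipe, so the firewall backend dependency can be selected, and note that the default action needs nf_tables support in the target kernel.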
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 22/32] suricata: Fix multiple CVEs Date: Sun, 23 Nov 2025 18:45:02 -0500 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:43 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2680 From: Hitendra Prajapati Backport fixes for: * CVE-2024-32663 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5 && https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd * CVE-2024-32664 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4 * CVE-2024-32867 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66 && https://github.com/OISF/suricata/commit/7137d5e7ab5500f1b7f3391f8ab55a59f1e4cbd7 && https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9 && https://github.com/OISF/suricata/commit/e6267758ed5da27f804f0c1c07f9423bdf4d72b8 Signed-off-by: Hitendra Prajapati 
Signed-off-by: Scott Murray --- .../suricata/files/CVE-2024-32663-001.patch | 294 +++++++++ .../suricata/files/CVE-2024-32663-002.patch | 70 +++ .../suricata/files/CVE-2024-32664.patch | 53 ++ .../suricata/files/CVE-2024-32867-001.patch | 235 +++++++ .../suricata/files/CVE-2024-32867-002.patch | 591 ++++++++++++++++++ .../suricata/files/CVE-2024-32867-003.patch | 472 ++++++++++++++ .../suricata/files/CVE-2024-32867-004.patch | 169 +++++ recipes-ids/suricata/suricata_7.0.0.bb | 7 + 8 files changed, 1891 insertions(+) create mode 100644 recipes-ids/suricata/files/CVE-2024-32663-001.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-32663-002.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-32664.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-32867-001.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-32867-002.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-32867-003.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-32867-004.patch diff --git a/recipes-ids/suricata/files/CVE-2024-32663-001.patch b/recipes-ids/suricata/files/CVE-2024-32663-001.patch new file mode 100644 index 0000000..f07904a --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-32663-001.patch 
@@ -0,0 +1,294 @@ +From e68ec4b227d19498f364a41eb25d3182f0383ca5 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Wed, 27 Mar 2024 14:33:54 +0100 +Subject: [PATCH] http2: use a reference counter for headers + +Ticket: 6892 + +As HTTP hpack header compression allows one single byte to +express a previously seen arbitrary-size header block (name+value) +we should avoid to copy the vectors data, but just point +to the same data, while reamining memory safe, even in the case +of later headers eviction from the dybnamic table. + +Rust std solution is Rc, and the use of clone, so long as the +data is accessed by only one thread. + +(cherry picked from commit 390f09692eb99809c679d3f350c7cc185d163e1a) + +CVE: CVE-2024-32663 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5] +Signed-off-by: Hitendra Prajapati +--- + rust/src/http2/detect.rs | 19 +++++++------ + rust/src/http2/http2.rs | 2 +- + rust/src/http2/parser.rs | 61 +++++++++++++++++++++------------------- + 3 files changed, 43 insertions(+), 39 deletions(-) + +diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs +index 99261ad..904b9ad 100644 +--- a/rust/src/http2/detect.rs ++++ b/rust/src/http2/detect.rs +@@ -23,6 +23,7 @@ use crate::core::Direction; + use crate::detect::uint::{detect_match_uint, DetectUintData}; + use std::ffi::CStr; + use std::str::FromStr; ++use std::rc::Rc; + + fn http2_tx_has_frametype( + tx: &mut HTTP2Transaction, direction: Direction, value: u8, +@@ -404,7 +405,7 @@ fn http2_frames_get_header_firstvalue<'a>( + for frame in frames { + if let Some(blocks) = http2_header_blocks(frame) { + for block in blocks.iter() { +- if block.name == name.as_bytes() { ++ if block.name.as_ref() == name.as_bytes() { + return Ok(&block.value); + } + } +@@ -428,7 +429,7 @@ pub fn http2_frames_get_header_value_vec( + for frame in frames { + if let Some(blocks) = http2_header_blocks(frame) { + for block in blocks.iter() { +- if 
block.name == name.as_bytes() { ++ if block.name.as_ref() == name.as_bytes() { + if found == 0 { + vec.extend_from_slice(&block.value); + found = 1; +@@ -465,7 +466,7 @@ fn http2_frames_get_header_value<'a>( + for frame in frames { + if let Some(blocks) = http2_header_blocks(frame) { + for block in blocks.iter() { +- if block.name == name.as_bytes() { ++ if block.name.as_ref() == name.as_bytes() { + if found == 0 { + single = Ok(&block.value); + found = 1; +@@ -905,8 +906,8 @@ fn http2_tx_set_header(state: &mut HTTP2State, name: &[u8], input: &[u8]) { + }; + let mut blocks = Vec::new(); + let b = parser::HTTP2FrameHeaderBlock { +- name: name.to_vec(), +- value: input.to_vec(), ++ name: Rc::new(name.to_vec()), ++ value: Rc::new(input.to_vec()), + error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; +@@ -1061,15 +1062,15 @@ mod tests { + }; + let mut blocks = Vec::new(); + let b = parser::HTTP2FrameHeaderBlock { +- name: "Host".as_bytes().to_vec(), +- value: "abc.com".as_bytes().to_vec(), ++ name: "Host".as_bytes().to_vec().into(), ++ value: "abc.com".as_bytes().to_vec().into(), + error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; + blocks.push(b); + let b2 = parser::HTTP2FrameHeaderBlock { +- name: "Host".as_bytes().to_vec(), +- value: "efg.net".as_bytes().to_vec(), ++ name: "Host".as_bytes().to_vec().into(), ++ value: "efg.net".as_bytes().to_vec().into(), + error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; +diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs +index 326030f..d14ca06 100644 +--- a/rust/src/http2/http2.rs ++++ b/rust/src/http2/http2.rs +@@ -204,7 +204,7 @@ impl HTTP2Transaction { + + fn handle_headers(&mut self, blocks: &[parser::HTTP2FrameHeaderBlock], dir: Direction) { + for block in blocks { +- if block.name == b"content-encoding" { ++ if block.name.as_ref() == b"content-encoding" { + 
self.decoder.http2_encoding_fromvec(&block.value, dir); + } + } +diff --git a/rust/src/http2/parser.rs b/rust/src/http2/parser.rs +index adabeb2..1a46437 100644 +--- a/rust/src/http2/parser.rs ++++ b/rust/src/http2/parser.rs +@@ -30,6 +30,7 @@ use nom7::sequence::tuple; + use nom7::{Err, IResult}; + use std::fmt; + use std::str::FromStr; ++use std::rc::Rc; + + #[repr(u8)] + #[derive(Clone, Copy, PartialEq, Eq, FromPrimitive, Debug)] +@@ -295,8 +296,8 @@ fn http2_frame_header_static(n: u64, dyn_headers: &HTTP2DynTable) -> Option Option, +- pub value: Vec, ++ // Use Rc reference counted so that indexed headers do not get copied. ++ // Otherwise, this leads to quadratic complexity in memory occupation. ++ pub name: Rc>, ++ pub value: Rc>, + pub error: HTTP2HeaderDecodeStatus, + pub sizeupdate: u64, + } +@@ -391,7 +394,7 @@ fn http2_parse_headers_block_literal_common<'a>( + ) -> IResult<&'a [u8], HTTP2FrameHeaderBlock> { + let (i3, name, error) = if index == 0 { + match http2_parse_headers_block_string(input) { +- Ok((r, n)) => Ok((r, n, HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)), ++ Ok((r, n)) => Ok((r, Rc::new(n), HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)), + Err(e) => Err(e), + } + } else { +@@ -403,7 +406,7 @@ fn http2_parse_headers_block_literal_common<'a>( + )), + None => Ok(( + input, +- Vec::new(), ++ Rc::new(Vec::new()), + HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed, + )), + } +@@ -413,7 +416,7 @@ fn http2_parse_headers_block_literal_common<'a>( + i4, + HTTP2FrameHeaderBlock { + name, +- value, ++ value: Rc::new(value), + error, + sizeupdate: 0, + }, +@@ -435,8 +438,8 @@ fn http2_parse_headers_block_literal_incindex<'a>( + match r { + Ok((r, head)) => { + let headcopy = HTTP2FrameHeaderBlock { +- name: head.name.to_vec(), +- value: head.value.to_vec(), ++ name: head.name.clone(), ++ value: head.value.clone(), + error: head.error, + sizeupdate: 0, + }; +@@ -556,8 +559,8 @@ fn http2_parse_headers_block_dynamic_size<'a>( + return Ok(( + 
i3, + HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate, + sizeupdate: maxsize2, + }, +@@ -614,8 +617,8 @@ fn http2_parse_headers_blocks<'a>( + // if we error from http2_parse_var_uint, we keep the first parsed headers + if err.code == ErrorKind::LengthValue { + blocks.push(HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIntegerOverflow, + sizeupdate: 0, + }); +@@ -765,8 +768,8 @@ mod tests { + match r0 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":method".as_bytes().to_vec()); +- assert_eq!(hd.value, "GET".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":method".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "GET".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + } +@@ -782,8 +785,8 @@ mod tests { + match r1 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, "accept".as_bytes().to_vec()); +- assert_eq!(hd.value, "*/*".as_bytes().to_vec()); ++ assert_eq!(hd.name, "accept".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "*/*".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 1); +@@ -802,8 +805,8 @@ mod tests { + match result { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":authority".as_bytes().to_vec()); +- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into()); + // And we should have no bytes left. 
+ assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); +@@ -820,8 +823,8 @@ mod tests { + match r3 { + Ok((remainder, hd)) => { + // same as before +- assert_eq!(hd.name, ":authority".as_bytes().to_vec()); +- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); +@@ -856,8 +859,8 @@ mod tests { + match r2 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":path".as_bytes().to_vec()); +- assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":path".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-32663-002.patch b/recipes-ids/suricata/files/CVE-2024-32663-002.patch new file mode 100644 index 0000000..a57f58f --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-32663-002.patch 
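Review bot: In the HTTP2FrameHeaderBlock hunk of rust/src/http2/parser.rs, the new comment explains why name and value are Rc but omits the condition the commit message attaches to that choice, namely that the data is accessed by only one thread. Rc makes the struct non-Send, so state that assumption in the struct comment as well, so that a later change moving header blocks across threads fails for a documented reason rather than an unexplained compiler error.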
@@ -0,0 +1,70 @@ +From c0af92295e833d1db29b184d63cd3b829451d7fd Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 28 Mar 2024 11:15:51 +0100 +Subject: [PATCH] http2: do not log duplicate headers + +Ticket: 6900 + +And thus avoid DOS by logging a request using a compressed +header block repeated many times and having a long value... + +(cherry picked from commit 03442c9071b8d863d26b609d54c6eacf4de9e340) + +CVE: CVE-2024-32663 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd] +Signed-off-by: Hitendra Prajapati +--- + rust/src/http2/logger.rs | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/rust/src/http2/logger.rs b/rust/src/http2/logger.rs +index d25f852..a117a54 100644 +--- a/rust/src/http2/logger.rs ++++ b/rust/src/http2/logger.rs +@@ -19,7 +19,8 @@ use super::http2::{HTTP2Frame, HTTP2FrameTypeData, HTTP2Transaction}; + use super::parser; + use crate::jsonbuilder::{JsonBuilder, JsonError}; + use std; +-use std::collections::HashMap; ++use std::collections::{HashMap, HashSet}; ++use std::rc::Rc; + + #[derive(Hash, PartialEq, Eq, Debug)] + enum HeaderName { +@@ -35,10 +36,20 @@ fn log_http2_headers<'a>( + blocks: &'a [parser::HTTP2FrameHeaderBlock], js: &mut JsonBuilder, + common: &mut HashMap>, + ) -> Result<(), JsonError> { ++ let mut logged_headers = HashSet::new(); + for block in blocks { +- js.start_object()?; ++ // delay js.start_object() because we skip suplicate headers + match block.error { + parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess => { ++ if Rc::strong_count(&block.name) > 2 { ++ // more than one reference in headers table + current headers ++ let ptr = Rc::as_ptr(&block.name) as usize; ++ if !logged_headers.insert(ptr) { ++ // only log once ++ continue; ++ } ++ } ++ js.start_object()?; + js.set_string_from_bytes("name", &block.name)?; + js.set_string_from_bytes("value", &block.value)?; + if let Ok(name) = 
std::str::from_utf8(&block.name) { +@@ -66,9 +77,11 @@ fn log_http2_headers<'a>( + } + } + parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate => { ++ js.start_object()?; + js.set_uint("table_size_update", block.sizeupdate)?; + } + _ => { ++ js.start_object()?; + js.set_string("error", &block.error.to_string())?; + } + } +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-32664.patch b/recipes-ids/suricata/files/CVE-2024-32664.patch new file mode 100644 index 0000000..ee55b25 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-32664.patch 
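Review bot: In log_http2_headers the duplicate check keys only on the name allocation ("let ptr = Rc::as_ptr(&block.name) as usize;"), so two blocks that share a name Rc but carry different values would be treated as duplicates and the second value would never reach the log. Whether the parser can produce that case, for example a literal value with an indexed name, is not visible in this hunk; if it can, key the HashSet on both the name and value pointers so that the DoS fix does not drop distinct headers from the event output. The added comment also has a typo, "suplicate".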
@@ -0,0 +1,53 @@ +From d5ffecf11ad2c6fe89265e518f5d7443caf26ba4 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 28 Mar 2024 14:00:02 +0100 +Subject: [PATCH] util/base64: fix buffer overflow + +Ticket: 6902 + +In case the caller of DecodeBase64 does not supply a big enough +output buffer. + +(cherry picked from commit fd47e67dc65f9111895c88fb406c938b1f857325) + +CVE: CVE-2024-32664 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4] +Signed-off-by: Hitendra Prajapati +--- + src/util-base64.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/util-base64.c b/src/util-base64.c +index 4a4a5d1..d973f0e 100644 +--- a/src/util-base64.c ++++ b/src/util-base64.c +@@ -156,6 +156,8 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, + ecode = BASE64_ECODE_BUF; + break; + } ++ if (dest_size - *decoded_bytes < ASCII_BLOCK) ++ return BASE64_ECODE_BUF; + + /* Decode base-64 block into ascii block and move pointer */ + DecodeBase64Block(dptr, b64); +@@ -183,7 +185,7 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, + /* if the destination size is not at least 3 Bytes long, it'll give a dynamic + * buffer overflow while decoding, so, return and let the caller take care of the + * remaining bytes to be decoded which should always be < 4 at this stage */ +- if (dest_size - *decoded_bytes < 3) ++ if (dest_size - *decoded_bytes < ASCII_BLOCK) + return BASE64_ECODE_BUF; + *decoded_bytes += numDecoded_blk; + DecodeBase64Block(dptr, b64); +@@ -193,6 +195,8 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, + /* Finish remaining b64 bytes by padding */ + if (valid && bbidx > 0 && (mode != BASE64_MODE_RFC2045)) { + /* Decode remaining */ ++ if (dest_size - *decoded_bytes < ASCII_BLOCK) ++ return BASE64_ECODE_BUF; + *decoded_bytes += ASCII_BLOCK - (B64_BLOCK - bbidx); + DecodeBase64Block(dptr, b64); 
+ } +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-32867-001.patch b/recipes-ids/suricata/files/CVE-2024-32867-001.patch new file mode 100644 index 0000000..68bd6ea --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-32867-001.patch 
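Review bot: The three added guards in DecodeBase64() (CVE-2024-32664.patch, src/util-base64.c) compute "dest_size - *decoded_bytes < ASCII_BLOCK" on an unsigned dest_size (uint32_t in the signature), so if *decoded_bytes can ever exceed dest_size the subtraction wraps and the guard passes; checking "*decoded_bytes > dest_size ||" first, or comparing "*decoded_bytes + ASCII_BLOCK > dest_size" in a wider type, removes that dependency. In the first hunk the new check returns BASE64_ECODE_BUF directly while the context lines just above it set ecode = BASE64_ECODE_BUF and break, so the two buffer-full paths leave the function differently; it is worth confirming that the code after the loop is not needed on this path. The existing comment in the second hunk still says "at least 3 Bytes" after the literal became ASCII_BLOCK.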
@@ -0,0 +1,235 @@ +From 2f39ba75f153ba9bdf8eedc2a839cc973dbaea66 Mon Sep 17 00:00:00 2001 +From: Jason Ish +Date: Tue, 28 Nov 2023 12:35:26 -0600 +Subject: [PATCH] defrag: check next fragment for overlap before stopping + re-assembly + +Instead of breaking the loop when the current fragment does not have +any more fragments, set a flag and continue to the next fragment as +the next fragment may have data that occurs before this fragment, but +overlaps it. + +Then break if the next fragment does not overlap the previous. + +Bug: #6668 +(cherry picked from commit d0fd0782505d837e691ceef1b801776f0db82726) + +CVE: CVE-2024-32867 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66] +Signed-off-by: Hitendra Prajapati +--- + src/defrag.c | 145 ++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 139 insertions(+), 6 deletions(-) + +diff --git a/src/defrag.c b/src/defrag.c +index 38704c9..e154899 100644 +--- a/src/defrag.c ++++ b/src/defrag.c +@@ -295,10 +295,20 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) + uint16_t hlen = 0; + int ip_hdr_offset = 0; + ++ /* Assume more frags. */ ++ uint16_t prev_offset = 0; ++ bool more_frags = 1; ++ + RB_FOREACH(frag, IP_FRAGMENTS, &tracker->fragment_tree) { + SCLogDebug("frag %p, data_len %u, offset %u, pcap_cnt %"PRIu64, + frag, frag->data_len, frag->offset, frag->pcap_cnt); + ++ /* Previous fragment has no more fragments, and this packet ++ * doesn't overlap. We're done. */ ++ if (!more_frags && frag->offset > prev_offset) { ++ break; ++ } ++ + if (frag->skip) + continue; + if (frag->ltrim >= frag->data_len) +@@ -339,9 +349,16 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) + fragmentable_len = frag->offset + frag->data_len; + } + +- if (!frag->more_frags) { +- break; +- } ++ /* Even if this fragment is flagged as having no more ++ * fragments, still continue. 
The next fragment may have the ++ * same offset with data that is preferred. ++ * ++ * For example, DefragBsdFragmentAfterNoMfIpv{4,6}Test ++ * ++ * This is due to not all fragments being completely trimmed, ++ * but relying on the copy ordering. */ ++ more_frags = frag->more_frags; ++ prev_offset = frag->offset; + } + + SCLogDebug("ip_hdr_offset %u, hlen %" PRIu16 ", fragmentable_len %" PRIu16, ip_hdr_offset, hlen, +@@ -436,7 +453,15 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) + uint16_t fragmentable_len = 0; + int ip_hdr_offset = 0; + uint8_t next_hdr = 0; ++ ++ /* Assume more frags. */ ++ uint16_t prev_offset = 0; ++ bool more_frags = 1; ++ + RB_FOREACH(frag, IP_FRAGMENTS, &tracker->fragment_tree) { ++ if (!more_frags && frag->offset > prev_offset) { ++ break; ++ } + if (frag->skip) + continue; + if (frag->data_len - frag->ltrim <= 0) +@@ -481,9 +506,16 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) + fragmentable_len = frag->offset + frag->data_len; + } + +- if (!frag->more_frags) { +- break; +- } ++ /* Even if this fragment is flagged as having no more ++ * fragments, still continue. The next fragment may have the ++ * same offset with data that is preferred. ++ * ++ * For example, DefragBsdFragmentAfterNoMfIpv{4,6}Test ++ * ++ * This is due to not all fragments being completely trimmed, ++ * but relying on the copy ordering. */ ++ more_frags = frag->more_frags; ++ prev_offset = frag->offset; + } + + rp->ip6h = (IPV6Hdr *)(GET_PKT_DATA(rp) + ip_hdr_offset); +@@ -2374,6 +2406,10 @@ static int DefragMfIpv4Test(void) + * fragments should be in the re-assembled packet. */ + FAIL_IF(IPV4_GET_IPLEN(p) != 36); + ++ /* Verify the payload of the IPv4 packet. 
*/ ++ uint8_t expected_payload[] = "AAAAAAAABBBBBBBB"; ++ FAIL_IF(memcmp(GET_PKT_DATA(p) + sizeof(IPV4Hdr), expected_payload, sizeof(expected_payload))); ++ + SCFree(p1); + SCFree(p2); + SCFree(p3); +@@ -2417,6 +2453,10 @@ static int DefragMfIpv6Test(void) + * of 2 fragments, so 16. */ + FAIL_IF(IPV6_GET_PLEN(p) != 16); + ++ /* Verify the payload of the IPv4 packet. */ ++ uint8_t expected_payload[] = "AAAAAAAABBBBBBBB"; ++ FAIL_IF(memcmp(GET_PKT_DATA(p) + sizeof(IPV6Hdr), expected_payload, sizeof(expected_payload))); ++ + SCFree(p1); + SCFree(p2); + SCFree(p3); +@@ -2510,6 +2550,96 @@ static int DefragTestJeremyLinux(void) + PASS; + } + ++static int DefragBsdFragmentAfterNoMfIpv4Test(void) ++{ ++ DefragInit(); ++ default_policy = DEFRAG_POLICY_BSD; ++ Packet *packets[4]; ++ ++ packets[0] = BuildIpv4TestPacket(IPPROTO_ICMP, 0x96, 24 >> 3, 0, 'A', 16); ++ packets[1] = BuildIpv4TestPacket(IPPROTO_ICMP, 0x96, 8 >> 3, 1, 'B', 16); ++ packets[2] = BuildIpv4TestPacket(IPPROTO_ICMP, 0x96, 16 >> 3, 1, 'C', 16); ++ packets[3] = BuildIpv4TestPacket(IPPROTO_ICMP, 0x96, 0, 1, 'D', 8); ++ ++ Packet *r = Defrag(NULL, NULL, packets[0]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[1]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[2]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[3]); ++ FAIL_IF_NULL(r); ++ ++ // clang-format off ++ uint8_t expected[] = { ++ 'D', 'D', 'D', 'D', 'D', 'D', 'D', 'D', ++ 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B', ++ 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B', ++ 'C', 'C', 'C', 'C', 'C', 'C', 'C', 'C', ++ 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', ++ }; ++ // clang-format on ++ ++ if (memcmp(expected, GET_PKT_DATA(r) + 20, sizeof(expected)) != 0) { ++ printf("Expected:\n"); ++ PrintRawDataFp(stdout, expected, sizeof(expected)); ++ printf("Got:\n"); ++ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 20, GET_PKT_LEN(r) - 20); ++ FAIL; ++ } ++ ++ DefragDestroy(); ++ PASS; ++} ++ ++static int 
DefragBsdFragmentAfterNoMfIpv6Test(void) ++{ ++ DefragInit(); ++ default_policy = DEFRAG_POLICY_BSD; ++ Packet *packets[4]; ++ ++ packets[0] = BuildIpv6TestPacket(IPPROTO_ICMP, 0x96, 24 >> 3, 0, 'A', 16); ++ packets[1] = BuildIpv6TestPacket(IPPROTO_ICMP, 0x96, 8 >> 3, 1, 'B', 16); ++ packets[2] = BuildIpv6TestPacket(IPPROTO_ICMP, 0x96, 16 >> 3, 1, 'C', 16); ++ packets[3] = BuildIpv6TestPacket(IPPROTO_ICMP, 0x96, 0, 1, 'D', 8); ++ ++ Packet *r = Defrag(NULL, NULL, packets[0]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[1]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[2]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[3]); ++ FAIL_IF_NULL(r); ++ ++ // clang-format off ++ uint8_t expected[] = { ++ 'D', 'D', 'D', 'D', 'D', 'D', 'D', 'D', ++ 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B', ++ 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B', ++ 'C', 'C', 'C', 'C', 'C', 'C', 'C', 'C', ++ 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', ++ }; ++ // clang-format on ++ ++ if (memcmp(expected, GET_PKT_DATA(r) + 40, sizeof(expected)) != 0) { ++ printf("Expected:\n"); ++ PrintRawDataFp(stdout, expected, sizeof(expected)); ++ printf("Got:\n"); ++ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 40, GET_PKT_LEN(r) - 40); ++ FAIL; ++ } ++ ++ DefragDestroy(); ++ PASS; ++} ++ + #endif /* UNITTESTS */ + + void DefragRegisterTests(void) +@@ -2555,5 +2685,8 @@ void DefragRegisterTests(void) + UtRegisterTest("DefragTestBadProto", DefragTestBadProto); + + UtRegisterTest("DefragTestJeremyLinux", DefragTestJeremyLinux); ++ ++ UtRegisterTest("DefragBsdFragmentAfterNoMfIpv4Test", DefragBsdFragmentAfterNoMfIpv4Test); ++ UtRegisterTest("DefragBsdFragmentAfterNoMfIpv6Test", DefragBsdFragmentAfterNoMfIpv6Test); + #endif /* UNITTESTS */ + } +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-32867-002.patch b/recipes-ids/suricata/files/CVE-2024-32867-002.patch new file mode 100644 index 0000000..cfddce2 --- /dev/null 
+++ b/recipes-ids/suricata/files/CVE-2024-32867-002.patch 
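Review bot: In the additions to DefragMfIpv4Test and DefragMfIpv6Test (CVE-2024-32867-001.patch, src/defrag.c), expected_payload is initialised from the string literal "AAAAAAAABBBBBBBB", so sizeof(expected_payload) is 17 and the memcmp() also compares the terminating NUL against the byte after the 16-byte payload (the tests assert an IP length of 36 and a payload length of 16); use sizeof(expected_payload) - 1 or a brace-initialised array. The comment added to DefragMfIpv6Test says "Verify the payload of the IPv4 packet." and should read IPv6. In the reassembly loops, "bool more_frags = 1;" would read better as true, and Defrag6Reassemble lacks the explanatory comment that Defrag4Reassemble has on the early break. The new DefragBsdFragmentAfterNoMf tests hard-code header offsets 20 and 40 where the neighbouring tests use sizeof(IPV4Hdr) and sizeof(IPV6Hdr), never check the built packets for NULL, and the IPv6 variant passes IPPROTO_ICMP where the other IPv6 tests use IPPROTO_ICMPV6.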
@@ -0,0 +1,591 @@ +From 7137d5e7ab5500f1b7f3391f8ab55a59f1e4cbd7 Mon Sep 17 00:00:00 2001 +From: Jason Ish +Date: Mon, 27 Nov 2023 16:27:27 -0600 +Subject: [PATCH] defrag: consistent unit test naming + +Use a more consistent naming scheme between ipv4 and ipv6. + +(cherry picked from commit 2f00b5870abc6053fca8271a0a827babc03d56f0) + +CVE: CVE-2024-32867 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/7137d5e7ab5500f1b7f3391f8ab55a59f1e4cbd7] +Signed-off-by: Hitendra Prajapati +--- + src/defrag.c | 217 ++++++++++++++++++++++++--------------------------- + 1 file changed, 102 insertions(+), 115 deletions(-) + +diff --git a/src/defrag.c b/src/defrag.c +index e154899..99fbab3 100644 +--- a/src/defrag.c ++++ b/src/defrag.c +@@ -1125,8 +1125,8 @@ void DefragDestroy(void) + * Allocate a test packet. Nothing to fancy, just a simple IP packet + * with some payload of no particular protocol. + */ +-static Packet *BuildTestPacket(uint8_t proto, uint16_t id, uint16_t off, int mf, +- const char content, int content_len) ++static Packet *BuildIpv4TestPacket( ++ uint8_t proto, uint16_t id, uint16_t off, int mf, const char content, int content_len) + { + Packet *p = NULL; + int hlen = 20; +@@ -1199,8 +1199,8 @@ error: + return NULL; + } + +-static Packet *IPV6BuildTestPacket(uint8_t proto, uint32_t id, uint16_t off, +- int mf, const char content, int content_len) ++static Packet *BuildIpv6TestPacket( ++ uint8_t proto, uint32_t id, uint16_t off, int mf, const char content, int content_len) + { + Packet *p = NULL; + uint8_t *pcontent; +@@ -1283,11 +1283,11 @@ static int DefragInOrderSimpleTest(void) + + DefragInit(); + +- p1 = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); ++ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); + FAIL_IF_NULL(p1); +- p2 = BuildTestPacket(IPPROTO_ICMP, id, 1, 1, 'B', 8); ++ p2 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 1, 1, 'B', 8); + FAIL_IF_NULL(p2); +- p3 = BuildTestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); ++ p3 = 
BuildIpv4TestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); + FAIL_IF_NULL(p3); + + FAIL_IF(Defrag(NULL, NULL, p1) != NULL); +@@ -1335,11 +1335,11 @@ static int DefragReverseSimpleTest(void) + + DefragInit(); + +- p1 = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); ++ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); + FAIL_IF_NULL(p1); +- p2 = BuildTestPacket(IPPROTO_ICMP, id, 1, 1, 'B', 8); ++ p2 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 1, 1, 'B', 8); + FAIL_IF_NULL(p2); +- p3 = BuildTestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); ++ p3 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); + FAIL_IF_NULL(p3); + + FAIL_IF(Defrag(NULL, NULL, p3) != NULL); +@@ -1379,7 +1379,7 @@ static int DefragReverseSimpleTest(void) + * Test the simplest possible re-assembly scenario. All packet in + * order and no overlaps. + */ +-static int IPV6DefragInOrderSimpleTest(void) ++static int DefragInOrderSimpleIpv6Test(void) + { + Packet *p1 = NULL, *p2 = NULL, *p3 = NULL; + Packet *reassembled = NULL; +@@ -1388,11 +1388,11 @@ static int IPV6DefragInOrderSimpleTest(void) + + DefragInit(); + +- p1 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 8); ++ p1 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 8); + FAIL_IF_NULL(p1); +- p2 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 1, 1, 'B', 8); ++ p2 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 1, 1, 'B', 8); + FAIL_IF_NULL(p2); +- p3 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 2, 0, 'C', 3); ++ p3 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 2, 0, 'C', 3); + FAIL_IF_NULL(p3); + + FAIL_IF(Defrag(NULL, NULL, p1) != NULL); +@@ -1426,7 +1426,7 @@ static int IPV6DefragInOrderSimpleTest(void) + PASS; + } + +-static int IPV6DefragReverseSimpleTest(void) ++static int DefragReverseSimpleIpv6Test(void) + { + DefragContext *dc = NULL; + Packet *p1 = NULL, *p2 = NULL, *p3 = NULL; +@@ -1439,11 +1439,11 @@ static int IPV6DefragReverseSimpleTest(void) + dc = DefragContextNew(); + FAIL_IF_NULL(dc); + +- p1 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 0, 1, 
'A', 8); ++ p1 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 8); + FAIL_IF_NULL(p1); +- p2 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 1, 1, 'B', 8); ++ p2 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 1, 1, 'B', 8); + FAIL_IF_NULL(p2); +- p3 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 2, 0, 'C', 3); ++ p3 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 2, 0, 'C', 3); + FAIL_IF_NULL(p3); + + FAIL_IF(Defrag(NULL, NULL, p3) != NULL); +@@ -1496,59 +1496,59 @@ static int DefragDoSturgesNovakTest(int policy, u_char *expected, + */ + + /* A*24 at 0. */ +- packets[0] = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 24); ++ packets[0] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 24); + + /* B*15 at 32. */ +- packets[1] = BuildTestPacket(IPPROTO_ICMP, id, 32 >> 3, 1, 'B', 16); ++ packets[1] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 32 >> 3, 1, 'B', 16); + + /* C*24 at 48. */ +- packets[2] = BuildTestPacket(IPPROTO_ICMP, id, 48 >> 3, 1, 'C', 24); ++ packets[2] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 48 >> 3, 1, 'C', 24); + + /* D*8 at 80. */ +- packets[3] = BuildTestPacket(IPPROTO_ICMP, id, 80 >> 3, 1, 'D', 8); ++ packets[3] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 80 >> 3, 1, 'D', 8); + + /* E*16 at 104. */ +- packets[4] = BuildTestPacket(IPPROTO_ICMP, id, 104 >> 3, 1, 'E', 16); ++ packets[4] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 104 >> 3, 1, 'E', 16); + + /* F*24 at 120. */ +- packets[5] = BuildTestPacket(IPPROTO_ICMP, id, 120 >> 3, 1, 'F', 24); ++ packets[5] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 120 >> 3, 1, 'F', 24); + + /* G*16 at 144. */ +- packets[6] = BuildTestPacket(IPPROTO_ICMP, id, 144 >> 3, 1, 'G', 16); ++ packets[6] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 144 >> 3, 1, 'G', 16); + + /* H*16 at 160. */ +- packets[7] = BuildTestPacket(IPPROTO_ICMP, id, 160 >> 3, 1, 'H', 16); ++ packets[7] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 160 >> 3, 1, 'H', 16); + + /* I*8 at 176. 
*/ +- packets[8] = BuildTestPacket(IPPROTO_ICMP, id, 176 >> 3, 1, 'I', 8); ++ packets[8] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 176 >> 3, 1, 'I', 8); + + /* + * Overlapping subsequent fragments. + */ + + /* J*32 at 8. */ +- packets[9] = BuildTestPacket(IPPROTO_ICMP, id, 8 >> 3, 1, 'J', 32); ++ packets[9] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 8 >> 3, 1, 'J', 32); + + /* K*24 at 48. */ +- packets[10] = BuildTestPacket(IPPROTO_ICMP, id, 48 >> 3, 1, 'K', 24); ++ packets[10] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 48 >> 3, 1, 'K', 24); + + /* L*24 at 72. */ +- packets[11] = BuildTestPacket(IPPROTO_ICMP, id, 72 >> 3, 1, 'L', 24); ++ packets[11] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 72 >> 3, 1, 'L', 24); + + /* M*24 at 96. */ +- packets[12] = BuildTestPacket(IPPROTO_ICMP, id, 96 >> 3, 1, 'M', 24); ++ packets[12] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 96 >> 3, 1, 'M', 24); + + /* N*8 at 128. */ +- packets[13] = BuildTestPacket(IPPROTO_ICMP, id, 128 >> 3, 1, 'N', 8); ++ packets[13] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 128 >> 3, 1, 'N', 8); + + /* O*8 at 152. */ +- packets[14] = BuildTestPacket(IPPROTO_ICMP, id, 152 >> 3, 1, 'O', 8); ++ packets[14] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 152 >> 3, 1, 'O', 8); + + /* P*8 at 160. */ +- packets[15] = BuildTestPacket(IPPROTO_ICMP, id, 160 >> 3, 1, 'P', 8); ++ packets[15] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 160 >> 3, 1, 'P', 8); + + /* Q*16 at 176. 
*/ +- packets[16] = BuildTestPacket(IPPROTO_ICMP, id, 176 >> 3, 0, 'Q', 16); ++ packets[16] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 176 >> 3, 0, 'Q', 16); + + default_policy = policy; + +@@ -1588,8 +1588,7 @@ static int DefragDoSturgesNovakTest(int policy, u_char *expected, + PASS; + } + +-static int IPV6DefragDoSturgesNovakTest(int policy, u_char *expected, +- size_t expected_len) ++static int DefragDoSturgesNovakIpv6Test(int policy, u_char *expected, size_t expected_len) + { + int i; + +@@ -1608,59 +1607,59 @@ static int IPV6DefragDoSturgesNovakTest(int policy, u_char *expected, + */ + + /* A*24 at 0. */ +- packets[0] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 24); ++ packets[0] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 24); + + /* B*15 at 32. */ +- packets[1] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 32 >> 3, 1, 'B', 16); ++ packets[1] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 32 >> 3, 1, 'B', 16); + + /* C*24 at 48. */ +- packets[2] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 48 >> 3, 1, 'C', 24); ++ packets[2] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 48 >> 3, 1, 'C', 24); + + /* D*8 at 80. */ +- packets[3] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 80 >> 3, 1, 'D', 8); ++ packets[3] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 80 >> 3, 1, 'D', 8); + + /* E*16 at 104. */ +- packets[4] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 104 >> 3, 1, 'E', 16); ++ packets[4] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 104 >> 3, 1, 'E', 16); + + /* F*24 at 120. */ +- packets[5] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 120 >> 3, 1, 'F', 24); ++ packets[5] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 120 >> 3, 1, 'F', 24); + + /* G*16 at 144. */ +- packets[6] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 144 >> 3, 1, 'G', 16); ++ packets[6] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 144 >> 3, 1, 'G', 16); + + /* H*16 at 160. 
*/ +- packets[7] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 160 >> 3, 1, 'H', 16); ++ packets[7] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 160 >> 3, 1, 'H', 16); + + /* I*8 at 176. */ +- packets[8] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 176 >> 3, 1, 'I', 8); ++ packets[8] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 176 >> 3, 1, 'I', 8); + + /* + * Overlapping subsequent fragments. + */ + + /* J*32 at 8. */ +- packets[9] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 8 >> 3, 1, 'J', 32); ++ packets[9] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 8 >> 3, 1, 'J', 32); + + /* K*24 at 48. */ +- packets[10] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 48 >> 3, 1, 'K', 24); ++ packets[10] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 48 >> 3, 1, 'K', 24); + + /* L*24 at 72. */ +- packets[11] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 72 >> 3, 1, 'L', 24); ++ packets[11] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 72 >> 3, 1, 'L', 24); + + /* M*24 at 96. */ +- packets[12] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 96 >> 3, 1, 'M', 24); ++ packets[12] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 96 >> 3, 1, 'M', 24); + + /* N*8 at 128. */ +- packets[13] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 128 >> 3, 1, 'N', 8); ++ packets[13] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 128 >> 3, 1, 'N', 8); + + /* O*8 at 152. */ +- packets[14] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 152 >> 3, 1, 'O', 8); ++ packets[14] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 152 >> 3, 1, 'O', 8); + + /* P*8 at 160. */ +- packets[15] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 160 >> 3, 1, 'P', 8); ++ packets[15] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 160 >> 3, 1, 'P', 8); + + /* Q*16 at 176. 
*/ +- packets[16] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 176 >> 3, 0, 'Q', 16); ++ packets[16] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 176 >> 3, 0, 'Q', 16); + + default_policy = policy; + +@@ -1735,7 +1734,7 @@ DefragSturgesNovakBsdTest(void) + PASS; + } + +-static int IPV6DefragSturgesNovakBsdTest(void) ++static int DefragSturgesNovakBsdIpv6Test(void) + { + /* Expected data. */ + u_char expected[] = { +@@ -1765,8 +1764,7 @@ static int IPV6DefragSturgesNovakBsdTest(void) + "QQQQQQQQ" + }; + +- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_BSD, expected, +- sizeof(expected))); ++ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_BSD, expected, sizeof(expected))); + PASS; + } + +@@ -1805,7 +1803,7 @@ static int DefragSturgesNovakLinuxIpv4Test(void) + PASS; + } + +-static int IPV6DefragSturgesNovakLinuxTest(void) ++static int DefragSturgesNovakLinuxIpv6Test(void) + { + /* Expected data. */ + u_char expected[] = { +@@ -1835,8 +1833,7 @@ static int IPV6DefragSturgesNovakLinuxTest(void) + "QQQQQQQQ" + }; + +- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_LINUX, expected, +- sizeof(expected))); ++ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_LINUX, expected, sizeof(expected))); + PASS; + } + +@@ -1875,7 +1872,7 @@ static int DefragSturgesNovakWindowsIpv4Test(void) + PASS; + } + +-static int IPV6DefragSturgesNovakWindowsTest(void) ++static int DefragSturgesNovakWindowsIpv6Test(void) + { + /* Expected data. 
*/ + u_char expected[] = { +@@ -1905,8 +1902,7 @@ static int IPV6DefragSturgesNovakWindowsTest(void) + "QQQQQQQQ" + }; + +- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_WINDOWS, expected, +- sizeof(expected))); ++ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_WINDOWS, expected, sizeof(expected))); + PASS; + } + +@@ -1945,7 +1941,7 @@ static int DefragSturgesNovakSolarisTest(void) + PASS; + } + +-static int IPV6DefragSturgesNovakSolarisTest(void) ++static int DefragSturgesNovakSolarisIpv6Test(void) + { + /* Expected data. */ + u_char expected[] = { +@@ -1975,8 +1971,7 @@ static int IPV6DefragSturgesNovakSolarisTest(void) + "QQQQQQQQ" + }; + +- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_SOLARIS, expected, +- sizeof(expected))); ++ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_SOLARIS, expected, sizeof(expected))); + PASS; + } + +@@ -2015,7 +2010,7 @@ static int DefragSturgesNovakFirstTest(void) + PASS; + } + +-static int IPV6DefragSturgesNovakFirstTest(void) ++static int DefragSturgesNovakFirstIpv6Test(void) + { + /* Expected data. */ + u_char expected[] = { +@@ -2045,8 +2040,7 @@ static int IPV6DefragSturgesNovakFirstTest(void) + "QQQQQQQQ" + }; + +- return IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_FIRST, expected, +- sizeof(expected)); ++ return DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_FIRST, expected, sizeof(expected)); + } + + static int +@@ -2085,7 +2079,7 @@ DefragSturgesNovakLastTest(void) + PASS; + } + +-static int IPV6DefragSturgesNovakLastTest(void) ++static int DefragSturgesNovakLastIpv6Test(void) + { + /* Expected data. 
*/ + u_char expected[] = { +@@ -2115,8 +2109,7 @@ static int IPV6DefragSturgesNovakLastTest(void) + "QQQQQQQQ" + }; + +- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_LAST, expected, +- sizeof(expected))); ++ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_LAST, expected, sizeof(expected))); + PASS; + } + +@@ -2131,7 +2124,7 @@ static int DefragTimeoutTest(void) + + /* Load in 16 packets. */ + for (i = 0; i < 16; i++) { +- Packet *p = BuildTestPacket(IPPROTO_ICMP,i, 0, 1, 'A' + i, 16); ++ Packet *p = BuildIpv4TestPacket(IPPROTO_ICMP, i, 0, 1, 'A' + i, 16); + FAIL_IF_NULL(p); + + Packet *tp = Defrag(NULL, NULL, p); +@@ -2141,7 +2134,7 @@ static int DefragTimeoutTest(void) + + /* Build a new packet but push the timestamp out by our timeout. + * This should force our previous fragments to be timed out. */ +- Packet *p = BuildTestPacket(IPPROTO_ICMP, 99, 0, 1, 'A' + i, 16); ++ Packet *p = BuildIpv4TestPacket(IPPROTO_ICMP, 99, 0, 1, 'A' + i, 16); + FAIL_IF_NULL(p); + + p->ts = SCTIME_ADD_SECS(p->ts, defrag_context->timeout + 1); +@@ -2166,7 +2159,7 @@ static int DefragTimeoutTest(void) + * fail. The fix was simple, but this unit test is just to make sure + * its not introduced. + */ +-static int DefragIPv4NoDataTest(void) ++static int DefragNoDataIpv4Test(void) + { + DefragContext *dc = NULL; + Packet *p = NULL; +@@ -2178,7 +2171,7 @@ static int DefragIPv4NoDataTest(void) + FAIL_IF_NULL(dc); + + /* This packet has an offset > 0, more frags set to 0 and no data. */ +- p = BuildTestPacket(IPPROTO_ICMP, id, 1, 0, 'A', 0); ++ p = BuildIpv4TestPacket(IPPROTO_ICMP, id, 1, 0, 'A', 0); + FAIL_IF_NULL(p); + + /* We do not expect a packet returned. 
*/ +@@ -2195,7 +2188,7 @@ static int DefragIPv4NoDataTest(void) + PASS; + } + +-static int DefragIPv4TooLargeTest(void) ++static int DefragTooLargeIpv4Test(void) + { + DefragContext *dc = NULL; + Packet *p = NULL; +@@ -2207,7 +2200,7 @@ static int DefragIPv4TooLargeTest(void) + + /* Create a fragment that would extend past the max allowable size + * for an IPv4 packet. */ +- p = BuildTestPacket(IPPROTO_ICMP, 1, 8183, 0, 'A', 71); ++ p = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 8183, 0, 'A', 71); + FAIL_IF_NULL(p); + + /* We do not expect a packet returned. */ +@@ -2238,9 +2231,9 @@ static int DefragVlanTest(void) + + DefragInit(); + +- p1 = BuildTestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); ++ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); + FAIL_IF_NULL(p1); +- p2 = BuildTestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); ++ p2 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); + FAIL_IF_NULL(p2); + + /* With no VLAN IDs set, packets should re-assemble. */ +@@ -2270,9 +2263,9 @@ static int DefragVlanQinQTest(void) + + DefragInit(); + +- p1 = BuildTestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); ++ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); + FAIL_IF_NULL(p1); +- p2 = BuildTestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); ++ p2 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); + FAIL_IF_NULL(p2); + + /* With no VLAN IDs set, packets should re-assemble. */ +@@ -2304,9 +2297,9 @@ static int DefragVlanQinQinQTest(void) + + DefragInit(); + +- Packet *p1 = BuildTestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); ++ Packet *p1 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); + FAIL_IF_NULL(p1); +- Packet *p2 = BuildTestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); ++ Packet *p2 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); + FAIL_IF_NULL(p2); + + /* With no VLAN IDs set, packets should re-assemble. */ +@@ -2340,7 +2333,7 @@ static int DefragTrackerReuseTest(void) + + /* Build a packet, its not a fragment but shouldn't matter for + * this test. 
*/ +- p1 = BuildTestPacket(IPPROTO_ICMP, id, 0, 0, 'A', 8); ++ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 0, 'A', 8); + FAIL_IF_NULL(p1); + + /* Get a tracker. It shouldn't look like its already in use. */ +@@ -2387,9 +2380,9 @@ static int DefragMfIpv4Test(void) + + DefragInit(); + +- Packet *p1 = BuildTestPacket(IPPROTO_ICMP, ip_id, 2, 1, 'C', 8); +- Packet *p2 = BuildTestPacket(IPPROTO_ICMP, ip_id, 0, 1, 'A', 8); +- Packet *p3 = BuildTestPacket(IPPROTO_ICMP, ip_id, 1, 0, 'B', 8); ++ Packet *p1 = BuildIpv4TestPacket(IPPROTO_ICMP, ip_id, 2, 1, 'C', 8); ++ Packet *p2 = BuildIpv4TestPacket(IPPROTO_ICMP, ip_id, 0, 1, 'A', 8); ++ Packet *p3 = BuildIpv4TestPacket(IPPROTO_ICMP, ip_id, 1, 0, 'B', 8); + FAIL_IF(p1 == NULL || p2 == NULL || p3 == NULL); + + p = Defrag(NULL, NULL, p1); +@@ -2434,9 +2427,9 @@ static int DefragMfIpv6Test(void) + + DefragInit(); + +- Packet *p1 = IPV6BuildTestPacket(IPPROTO_ICMPV6, ip_id, 2, 1, 'C', 8); +- Packet *p2 = IPV6BuildTestPacket(IPPROTO_ICMPV6, ip_id, 0, 1, 'A', 8); +- Packet *p3 = IPV6BuildTestPacket(IPPROTO_ICMPV6, ip_id, 1, 0, 'B', 8); ++ Packet *p1 = BuildIpv6TestPacket(IPPROTO_ICMPV6, ip_id, 2, 1, 'C', 8); ++ Packet *p2 = BuildIpv6TestPacket(IPPROTO_ICMPV6, ip_id, 0, 1, 'A', 8); ++ Packet *p3 = BuildIpv6TestPacket(IPPROTO_ICMPV6, ip_id, 1, 0, 'B', 8); + FAIL_IF(p1 == NULL || p2 == NULL || p3 == NULL); + + p = Defrag(NULL, NULL, p1); +@@ -2476,11 +2469,11 @@ static int DefragTestBadProto(void) + + DefragInit(); + +- p1 = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); ++ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); + FAIL_IF_NULL(p1); +- p2 = BuildTestPacket(IPPROTO_UDP, id, 1, 1, 'B', 8); ++ p2 = BuildIpv4TestPacket(IPPROTO_UDP, id, 1, 1, 'B', 8); + FAIL_IF_NULL(p2); +- p3 = BuildTestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); ++ p3 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); + FAIL_IF_NULL(p3); + + FAIL_IF_NOT_NULL(Defrag(NULL, NULL, p1)); +@@ -2522,10 +2515,10 @@ static int DefragTestJeremyLinux(void) + 
Packet *packets[4]; + int i = 0; + +- packets[0] = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 24); +- packets[1] = BuildTestPacket(IPPROTO_ICMP, id, 40 >> 3, 1, 'B', 48); +- packets[2] = BuildTestPacket(IPPROTO_ICMP, id, 24 >> 3, 1, 'C', 48); +- packets[3] = BuildTestPacket(IPPROTO_ICMP, id, 88 >> 3, 0, 'D', 14); ++ packets[0] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 24); ++ packets[1] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 40 >> 3, 1, 'B', 48); ++ packets[2] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 24 >> 3, 1, 'C', 48); ++ packets[3] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 88 >> 3, 0, 'D', 14); + + Packet *r = Defrag(NULL, NULL, packets[0]); + FAIL_IF_NOT_NULL(r); +@@ -2657,23 +2650,17 @@ void DefragRegisterTests(void) + UtRegisterTest("DefragSturgesNovakFirstTest", DefragSturgesNovakFirstTest); + UtRegisterTest("DefragSturgesNovakLastTest", DefragSturgesNovakLastTest); + +- UtRegisterTest("DefragIPv4NoDataTest", DefragIPv4NoDataTest); +- UtRegisterTest("DefragIPv4TooLargeTest", DefragIPv4TooLargeTest); +- +- UtRegisterTest("IPV6DefragInOrderSimpleTest", IPV6DefragInOrderSimpleTest); +- UtRegisterTest("IPV6DefragReverseSimpleTest", IPV6DefragReverseSimpleTest); +- UtRegisterTest("IPV6DefragSturgesNovakBsdTest", +- IPV6DefragSturgesNovakBsdTest); +- UtRegisterTest("IPV6DefragSturgesNovakLinuxTest", +- IPV6DefragSturgesNovakLinuxTest); +- UtRegisterTest("IPV6DefragSturgesNovakWindowsTest", +- IPV6DefragSturgesNovakWindowsTest); +- UtRegisterTest("IPV6DefragSturgesNovakSolarisTest", +- IPV6DefragSturgesNovakSolarisTest); +- UtRegisterTest("IPV6DefragSturgesNovakFirstTest", +- IPV6DefragSturgesNovakFirstTest); +- UtRegisterTest("IPV6DefragSturgesNovakLastTest", +- IPV6DefragSturgesNovakLastTest); ++ UtRegisterTest("DefragNoDataIpv4Test", DefragNoDataIpv4Test); ++ UtRegisterTest("DefragTooLargeIpv4Test", DefragTooLargeIpv4Test); ++ ++ UtRegisterTest("DefragInOrderSimpleIpv6Test", DefragInOrderSimpleIpv6Test); ++ UtRegisterTest("DefragReverseSimpleIpv6Test", 
DefragReverseSimpleIpv6Test); ++ UtRegisterTest("DefragSturgesNovakBsdIpv6Test", DefragSturgesNovakBsdIpv6Test); ++ UtRegisterTest("DefragSturgesNovakLinuxIpv6Test", DefragSturgesNovakLinuxIpv6Test); ++ UtRegisterTest("DefragSturgesNovakWindowsIpv6Test", DefragSturgesNovakWindowsIpv6Test); ++ UtRegisterTest("DefragSturgesNovakSolarisIpv6Test", DefragSturgesNovakSolarisIpv6Test); ++ UtRegisterTest("DefragSturgesNovakFirstIpv6Test", DefragSturgesNovakFirstIpv6Test); ++ UtRegisterTest("DefragSturgesNovakLastIpv6Test", DefragSturgesNovakLastIpv6Test); + + UtRegisterTest("DefragVlanTest", DefragVlanTest); + UtRegisterTest("DefragVlanQinQTest", DefragVlanQinQTest); +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-32867-003.patch b/recipes-ids/suricata/files/CVE-2024-32867-003.patch new file mode 100644 index 0000000..15ee1f4 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-32867-003.patch 
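Review bot: CVE-2024-32867-002.patch is where BuildTestPacket and IPV6BuildTestPacket become BuildIpv4TestPacket and BuildIpv6TestPacket, but the tests added in CVE-2024-32867-001.patch already call the new names, and the index lines (38704c9..e154899, then e154899..99fbab3) show 001 being applied first. With only 001 applied, a build with UNITTESTS enabled references undefined functions, so the series is not bisectable; either reorder the two patches to match the upstream commit dates (27 Nov for the rename, 28 Nov for the fix) and refresh the hunks, or note in the recipe that all CVE-2024-32867 patches must be applied together. Since this patch is a pure test rename carrying the CVE tag, a line in the header stating that it is a prerequisite rather than part of the fix would help later triage.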
@@ -0,0 +1,472 @@ +From 1e110d0a71db46571040b937e17a4bc9f91d6de9 Mon Sep 17 00:00:00 2001 +From: Jason Ish +Date: Thu, 7 Dec 2023 16:44:56 -0600 +Subject: [PATCH] defrag: fix subsequent overlap of start of original (bsd) + +Fix the BSD policy case where a subsequent fragment starts before an +original fragment and overlaps the beginning of the original +fragment. In this case the overlapping data from the new fragment is +preferred. + +Suricata was preferring the data from the original fragment, but it +should only do that when the original fragment has an offset <= to the +new fragment. + +- Adds test for this case + +Bug: #6669 +(cherry picked from commit f1709ea551124e1a64fdc509993ad022ab27aa77) + +CVE: CVE-2024-32867 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9] +Signed-off-by: Hitendra Prajapati +--- + src/defrag.c | 387 ++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 380 insertions(+), 7 deletions(-) + +diff --git a/src/defrag.c b/src/defrag.c +index 99fbab3..28d085d 100644 +--- a/src/defrag.c ++++ b/src/defrag.c +@@ -692,16 +692,45 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker, + switch (tracker->policy) { + case DEFRAG_POLICY_BSD: + if (frag_offset < prev->offset + prev->data_len) { +- if (frag_offset >= prev->offset) { +- ltrim = prev->offset + prev->data_len - frag_offset; ++ if (prev->offset <= frag_offset) { ++ /* We prefer the data from the previous ++ * fragment, so trim off the data in the new ++ * fragment that exists in the previous ++ * fragment. */ ++ uint16_t prev_end = prev->offset + prev->data_len; ++ if (prev_end > frag_end) { ++ /* Just skip. */ ++ /* TODO: Set overlap flag. 
*/ ++ goto done; ++ } ++ ltrim = prev_end - frag_offset; ++ ++ if ((next != NULL) && (frag_end > next->offset)) { ++ next->ltrim = frag_end - next->offset; ++ } ++ ++ goto insert; + } ++ ++ /* If the end of this fragment overlaps the start ++ * of the previous fragment, then trim up the ++ * start of previous fragment so this fragment is ++ * used. ++ * ++ * See: ++ * DefragBsdSubsequentOverlapsStartOfOriginal. ++ */ ++ if (frag_offset <= prev->offset && frag_end > prev->offset + prev->ltrim) { ++ uint16_t prev_ltrim = frag_end - prev->offset; ++ if (prev_ltrim > prev->ltrim) { ++ prev->ltrim = prev_ltrim; ++ } ++ } ++ + if ((next != NULL) && (frag_end > next->offset)) { + next->ltrim = frag_end - next->offset; + } +- if ((frag_offset < prev->offset) && +- (frag_end >= prev->offset + prev->data_len)) { +- prev->skip = 1; +- } ++ + goto insert; + } + break; +@@ -1199,6 +1228,77 @@ error: + return NULL; + } + ++/** ++ * Allocate a test packet, much like BuildIpv4TestPacket, but with ++ * the full content provided by the caller. 
++ */ ++static Packet *BuildIpv4TestPacketWithContent( ++ uint8_t proto, uint16_t id, uint16_t off, int mf, const uint8_t *content, int content_len) ++{ ++ Packet *p = NULL; ++ int hlen = 20; ++ int ttl = 64; ++ IPV4Hdr ip4h; ++ ++ p = SCCalloc(1, sizeof(*p) + default_packet_size); ++ if (unlikely(p == NULL)) ++ return NULL; ++ ++ PacketInit(p); ++ ++ struct timeval tval; ++ gettimeofday(&tval, NULL); ++ p->ts = SCTIME_FROM_TIMEVAL(&tval); ++ ip4h.ip_verhl = 4 << 4; ++ ip4h.ip_verhl |= hlen >> 2; ++ ip4h.ip_len = htons(hlen + content_len); ++ ip4h.ip_id = htons(id); ++ if (mf) ++ ip4h.ip_off = htons(IP_MF | off); ++ else ++ ip4h.ip_off = htons(off); ++ ip4h.ip_ttl = ttl; ++ ip4h.ip_proto = proto; ++ ++ ip4h.s_ip_src.s_addr = 0x01010101; /* 1.1.1.1 */ ++ ip4h.s_ip_dst.s_addr = 0x02020202; /* 2.2.2.2 */ ++ ++ /* copy content_len crap, we need full length */ ++ PacketCopyData(p, (uint8_t *)&ip4h, sizeof(ip4h)); ++ p->ip4h = (IPV4Hdr *)GET_PKT_DATA(p); ++ SET_IPV4_SRC_ADDR(p, &p->src); ++ SET_IPV4_DST_ADDR(p, &p->dst); ++ ++ PacketCopyDataOffset(p, hlen, content, content_len); ++ SET_PKT_LEN(p, hlen + content_len); ++ ++ p->ip4h->ip_csum = IPV4Checksum((uint16_t *)GET_PKT_DATA(p), hlen, 0); ++ ++ /* Self test. 
*/ ++ if (IPV4_GET_VER(p) != 4) ++ goto error; ++ if (IPV4_GET_HLEN(p) != hlen) ++ goto error; ++ if (IPV4_GET_IPLEN(p) != hlen + content_len) ++ goto error; ++ if (IPV4_GET_IPID(p) != id) ++ goto error; ++ if (IPV4_GET_IPOFFSET(p) != off) ++ goto error; ++ if (IPV4_GET_MF(p) != mf) ++ goto error; ++ if (IPV4_GET_IPTTL(p) != ttl) ++ goto error; ++ if (IPV4_GET_IPPROTO(p) != proto) ++ goto error; ++ ++ return p; ++error: ++ if (p != NULL) ++ SCFree(p); ++ return NULL; ++} ++ + static Packet *BuildIpv6TestPacket( + uint8_t proto, uint32_t id, uint16_t off, int mf, const char content, int content_len) + { +@@ -1270,6 +1370,71 @@ error: + return NULL; + } + ++static Packet *BuildIpv6TestPacketWithContent( ++ uint8_t proto, uint32_t id, uint16_t off, int mf, const uint8_t *content, int content_len) ++{ ++ Packet *p = NULL; ++ IPV6Hdr ip6h; ++ ++ p = SCCalloc(1, sizeof(*p) + default_packet_size); ++ if (unlikely(p == NULL)) ++ return NULL; ++ ++ PacketInit(p); ++ ++ struct timeval tval; ++ gettimeofday(&tval, NULL); ++ p->ts = SCTIME_FROM_TIMEVAL(&tval); ++ ++ ip6h.s_ip6_nxt = 44; ++ ip6h.s_ip6_hlim = 2; ++ ++ /* Source and dest address - very bogus addresses. */ ++ ip6h.s_ip6_src[0] = 0x01010101; ++ ip6h.s_ip6_src[1] = 0x01010101; ++ ip6h.s_ip6_src[2] = 0x01010101; ++ ip6h.s_ip6_src[3] = 0x01010101; ++ ip6h.s_ip6_dst[0] = 0x02020202; ++ ip6h.s_ip6_dst[1] = 0x02020202; ++ ip6h.s_ip6_dst[2] = 0x02020202; ++ ip6h.s_ip6_dst[3] = 0x02020202; ++ ++ /* copy content_len crap, we need full length */ ++ PacketCopyData(p, (uint8_t *)&ip6h, sizeof(IPV6Hdr)); ++ ++ p->ip6h = (IPV6Hdr *)GET_PKT_DATA(p); ++ IPV6_SET_RAW_VER(p->ip6h, 6); ++ /* Fragmentation header. 
*/ ++ IPV6FragHdr *fh = (IPV6FragHdr *)(GET_PKT_DATA(p) + sizeof(IPV6Hdr)); ++ fh->ip6fh_nxt = proto; ++ fh->ip6fh_ident = htonl(id); ++ fh->ip6fh_offlg = htons((off << 3) | mf); ++ ++ DecodeIPV6FragHeader(p, (uint8_t *)fh, 8, 8 + content_len, 0); ++ ++ PacketCopyDataOffset(p, sizeof(IPV6Hdr) + sizeof(IPV6FragHdr), content, content_len); ++ SET_PKT_LEN(p, sizeof(IPV6Hdr) + sizeof(IPV6FragHdr) + content_len); ++ ++ p->ip6h->s_ip6_plen = htons(sizeof(IPV6FragHdr) + content_len); ++ ++ SET_IPV6_SRC_ADDR(p, &p->src); ++ SET_IPV6_DST_ADDR(p, &p->dst); ++ ++ /* Self test. */ ++ if (IPV6_GET_VER(p) != 6) ++ goto error; ++ if (IPV6_GET_NH(p) != 44) ++ goto error; ++ if (IPV6_GET_PLEN(p) != sizeof(IPV6FragHdr) + content_len) ++ goto error; ++ ++ return p; ++error: ++ if (p != NULL) ++ SCFree(p); ++ return NULL; ++} ++ + /** + * Test the simplest possible re-assembly scenario. All packet in + * order and no overlaps. +@@ -1575,7 +1740,13 @@ static int DefragDoSturgesNovakTest(int policy, u_char *expected, + FAIL_IF(IPV4_GET_HLEN(reassembled) != 20); + FAIL_IF(IPV4_GET_IPLEN(reassembled) != 20 + 192); + +- FAIL_IF(memcmp(GET_PKT_DATA(reassembled) + 20, expected, expected_len) != 0); ++ if (memcmp(expected, GET_PKT_DATA(reassembled) + 20, expected_len) != 0) { ++ printf("Expected:\n"); ++ PrintRawDataFp(stdout, expected, expected_len); ++ printf("Got:\n"); ++ PrintRawDataFp(stdout, GET_PKT_DATA(reassembled) + 20, GET_PKT_LEN(reassembled) - 20); ++ FAIL; ++ } + SCFree(reassembled); + + /* Make sure all frags were returned back to the pool. 
*/ +@@ -2543,6 +2714,16 @@ static int DefragTestJeremyLinux(void) + PASS; + } + ++/** ++ * | 0 | 8 | 16 | 24 | 32 | ++ * |----------|----------|----------|----------|----------| ++ * | AAAAAAAA | AAAAAAAA | ++ * | | BBBBBBBB | BBBBBBBB | | | ++ * | | | CCCCCCCC | CCCCCCCC | | ++ * | DDDDDDDD | | | | | ++ * ++ * | DDDDDDDD | BBBBBBBB | BBBBBBBB | CCCCCCCC | AAAAAAAA | ++ */ + static int DefragBsdFragmentAfterNoMfIpv4Test(void) + { + DefragInit(); +@@ -2633,6 +2814,192 @@ static int DefragBsdFragmentAfterNoMfIpv6Test(void) + PASS; + } + ++static int DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2(void) ++{ ++ DefragInit(); ++ default_policy = DEFRAG_POLICY_BSD; ++ Packet *packets[4]; ++ ++ /* Packet 1: off=16, mf=1 */ ++ packets[0] = BuildIpv4TestPacketWithContent( ++ IPPROTO_ICMP, 6, 16 >> 3, 1, (uint8_t *)"AABBCCDDAABBDDCC", 16); ++ ++ /* Packet 2: off=8, mf=1 */ ++ packets[1] = BuildIpv4TestPacketWithContent( ++ IPPROTO_ICMP, 6, 8 >> 3, 1, (uint8_t *)"AACCBBDDAACCDDBB", 16); ++ ++ /* Packet 3: off=0, mf=1: IP and ICMP header. 
*/ ++ packets[2] = BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 6, 0, 1, (uint8_t *)"ZZZZZZZZ", 8); ++ ++ /* Packet 4: off=8, mf=1 */ ++ packets[3] = ++ BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 6, 32 >> 3, 0, (uint8_t *)"DDCCBBAA", 8); ++ ++ Packet *r = Defrag(NULL, NULL, packets[0]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[1]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[2]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[3]); ++ FAIL_IF_NULL(r); ++ ++ // clang-format off ++ const uint8_t expected[] = { ++ // AACCBBDD ++ // AACCDDBB ++ // AABBDDCC ++ // DDCCBBAA ++ 'A', 'A', 'C', 'C', 'B', 'B', 'D', 'D', ++ 'A', 'A', 'C', 'C', 'D', 'D', 'B', 'B', ++ 'A', 'A', 'B', 'B', 'D', 'D', 'C', 'C', ++ 'D', 'D', 'C', 'C', 'B', 'B', 'A', 'A', ++ }; ++ // clang-format on ++ ++ FAIL_IF(memcmp(expected, GET_PKT_DATA(r) + 20 + 8, sizeof(expected)) != 0); ++ ++ DefragDestroy(); ++ PASS; ++} ++ ++static int DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2(void) ++{ ++ DefragInit(); ++ default_policy = DEFRAG_POLICY_BSD; ++ Packet *packets[4]; ++ ++ /* Packet 1: off=16, mf=1 */ ++ packets[0] = BuildIpv6TestPacketWithContent( ++ IPPROTO_ICMP, 6, 16 >> 3, 1, (uint8_t *)"AABBCCDDAABBDDCC", 16); ++ ++ /* Packet 2: off=8, mf=1 */ ++ packets[1] = BuildIpv6TestPacketWithContent( ++ IPPROTO_ICMP, 6, 8 >> 3, 1, (uint8_t *)"AACCBBDDAACCDDBB", 16); ++ ++ /* Packet 3: off=0, mf=1: IP and ICMP header. 
*/ ++ packets[2] = BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 6, 0, 1, (uint8_t *)"ZZZZZZZZ", 8); ++ ++ /* Packet 4: off=8, mf=1 */ ++ packets[3] = ++ BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 6, 32 >> 3, 0, (uint8_t *)"DDCCBBAA", 8); ++ ++ Packet *r = Defrag(NULL, NULL, packets[0]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[1]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[2]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[3]); ++ FAIL_IF_NULL(r); ++ ++ // clang-format off ++ const uint8_t expected[] = { ++ // AACCBBDD ++ // AACCDDBB ++ // AABBDDCC ++ // DDCCBBAA ++ 'A', 'A', 'C', 'C', 'B', 'B', 'D', 'D', ++ 'A', 'A', 'C', 'C', 'D', 'D', 'B', 'B', ++ 'A', 'A', 'B', 'B', 'D', 'D', 'C', 'C', ++ 'D', 'D', 'C', 'C', 'B', 'B', 'A', 'A', ++ }; ++ // clang-format on ++ ++ FAIL_IF(memcmp(expected, GET_PKT_DATA(r) + 40 + 8, sizeof(expected)) != 0); ++ ++ DefragDestroy(); ++ PASS; ++} ++ ++/** ++ * #### Input ++ * ++ * | 96 (0) | 104 (8) | 112 (16) | 120 (24) | ++ * |----------|----------|----------|----------| ++ * | | EEEEEEEE | EEEEEEEE | EEEEEEEE | ++ * | MMMMMMMM | MMMMMMMM | MMMMMMMM | | ++ * ++ * #### Expected Output ++ * ++ * | MMMMMMMM | MMMMMMMM | MMMMMMMM | EEEEEEEE | ++ */ ++static int DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test(void) ++{ ++ DefragInit(); ++ default_policy = DEFRAG_POLICY_BSD; ++ Packet *packets[2]; ++ ++ packets[0] = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 8 >> 3, 0, 'E', 24); ++ packets[1] = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 0, 1, 'M', 24); ++ ++ Packet *r = Defrag(NULL, NULL, packets[0]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[1]); ++ FAIL_IF_NULL(r); ++ ++ // clang-format off ++ const uint8_t expected[] = { ++ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', ++ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', ++ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', ++ 'E', 'E', 'E', 'E', 'E', 'E', 'E', 'E', ++ }; ++ // clang-format on ++ ++ if (memcmp(expected, GET_PKT_DATA(r) + 20, 
sizeof(expected)) != 0) { ++ printf("Expected:\n"); ++ PrintRawDataFp(stdout, expected, sizeof(expected)); ++ printf("Got:\n"); ++ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 20, GET_PKT_LEN(r) - 20); ++ FAIL; ++ } ++ ++ PASS; ++} ++ ++static int DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test(void) ++{ ++ DefragInit(); ++ default_policy = DEFRAG_POLICY_BSD; ++ Packet *packets[2]; ++ ++ packets[0] = BuildIpv6TestPacket(IPPROTO_ICMP, 1, 8 >> 3, 0, 'E', 24); ++ packets[1] = BuildIpv6TestPacket(IPPROTO_ICMP, 1, 0, 1, 'M', 24); ++ ++ Packet *r = Defrag(NULL, NULL, packets[0]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[1]); ++ FAIL_IF_NULL(r); ++ ++ // clang-format off ++ const uint8_t expected[] = { ++ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', ++ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', ++ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', ++ 'E', 'E', 'E', 'E', 'E', 'E', 'E', 'E', ++ }; ++ // clang-format on ++ ++ if (memcmp(expected, GET_PKT_DATA(r) + 40, sizeof(expected)) != 0) { ++ printf("Expected:\n"); ++ PrintRawDataFp(stdout, expected, sizeof(expected)); ++ printf("Got:\n"); ++ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 40, GET_PKT_LEN(r) - 40); ++ FAIL; ++ } ++ ++ PASS; ++} ++ + #endif /* UNITTESTS */ + + void DefragRegisterTests(void) +@@ -2675,5 +3042,11 @@ void DefragRegisterTests(void) + + UtRegisterTest("DefragBsdFragmentAfterNoMfIpv4Test", DefragBsdFragmentAfterNoMfIpv4Test); + UtRegisterTest("DefragBsdFragmentAfterNoMfIpv6Test", DefragBsdFragmentAfterNoMfIpv6Test); ++ UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test", ++ DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test); ++ UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test", ++ DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test); ++ UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2", DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2); ++ UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2", 
DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2); + #endif /* UNITTESTS */ + } +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-32867-004.patch b/recipes-ids/suricata/files/CVE-2024-32867-004.patch new file mode 100644 index 0000000..7edb3b3 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-32867-004.patch 
@@ -0,0 +1,169 @@ +From e6267758ed5da27f804f0c1c07f9423bdf4d72b8 Mon Sep 17 00:00:00 2001 +From: Jason Ish +Date: Fri, 12 Jan 2024 11:09:59 -0600 +Subject: [PATCH] defrag: fix check for complete packet + +The list of fragments may still contain overlaps, so adding up the +fragment lengths is flawed. Instead track the largest size of +contiguous data that can be re-assembled. + +Bug: #6675 +(cherry picked from commit d226d0a3fce8837936e1bdfaee496c80d417e0a5) + +CVE: CVE-2024-32867 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/e6267758ed5da27f804f0c1c07f9423bdf4d72b8] +Signed-off-by: Hitendra Prajapati +--- + src/defrag.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 114 insertions(+), 2 deletions(-) + +diff --git a/src/defrag.c b/src/defrag.c +index 28d085d..fc46411 100644 +--- a/src/defrag.c ++++ b/src/defrag.c +@@ -276,7 +276,8 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) + goto done; + } + else { +- len += frag->data_len; ++ /* Update the packet length to the largest known data offset. */ ++ len = MAX(len, frag->offset + frag->data_len); + } + } + +@@ -434,7 +435,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) + goto done; + } + else { +- len += frag->data_len; ++ len = MAX(len, frag->offset + frag->data_len); + } + } + } +@@ -3000,6 +3001,115 @@ static int DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test(void) + PASS; + } + ++/** ++ * Reassembly should fail. 
++ * ++ * |0 |8 |16 |24 |32 |40 |48 | ++ * |========|========|========|========|========|========|========| ++ * | | |AABBCCDD|AABBDDCC| | | | ++ * | | | | | |AACCBBDD| | ++ * | |AACCDDBB|AADDBBCC| | | | | ++ * |ZZZZZZZZ| | | | | | | ++ * | | | | | | |DDCCBBAA| ++ */ ++static int DefragBsdMissingFragmentIpv4Test(void) ++{ ++ DefragInit(); ++ default_policy = DEFRAG_POLICY_BSD; ++ Packet *packets[5]; ++ ++ packets[0] = BuildIpv4TestPacketWithContent( ++ IPPROTO_ICMP, 189, 16 >> 3, 1, (uint8_t *)"AABBCCDDAABBDDCC", 16); ++ ++ packets[1] = ++ BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 189, 40 >> 3, 1, (uint8_t *)"AACCBBDD", 8); ++ ++ packets[2] = BuildIpv4TestPacketWithContent( ++ IPPROTO_ICMP, 189, 8 >> 3, 1, (uint8_t *)"AACCDDBBAADDBBCC", 16); ++ ++ /* ICMP header. */ ++ packets[3] = BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 189, 0, 1, (uint8_t *)"ZZZZZZZZ", 8); ++ ++ packets[4] = ++ BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 189, 48 >> 3, 0, (uint8_t *)"DDCCBBAA", 8); ++ ++ Packet *r = Defrag(NULL, NULL, packets[0]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[1]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[2]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[3]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[4]); ++ FAIL_IF_NOT_NULL(r); ++ ++#if 0 ++ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 20, GET_PKT_LEN(r) - 20); ++#endif ++ ++ for (int i = 0; i < 5; i++) { ++ SCFree(packets[i]); ++ } ++ ++ DefragDestroy(); ++ ++ PASS; ++} ++ ++static int DefragBsdMissingFragmentIpv6Test(void) ++{ ++ DefragInit(); ++ default_policy = DEFRAG_POLICY_BSD; ++ Packet *packets[5]; ++ ++ packets[0] = BuildIpv6TestPacketWithContent( ++ IPPROTO_ICMP, 189, 16 >> 3, 1, (uint8_t *)"AABBCCDDAABBDDCC", 16); ++ ++ packets[1] = ++ BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 189, 40 >> 3, 1, (uint8_t *)"AACCBBDD", 8); ++ ++ packets[2] = BuildIpv6TestPacketWithContent( ++ IPPROTO_ICMP, 189, 8 >> 3, 1, (uint8_t 
*)"AACCDDBBAADDBBCC", 16); ++ ++ /* ICMP header. */ ++ packets[3] = BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 189, 0, 1, (uint8_t *)"ZZZZZZZZ", 8); ++ ++ packets[4] = ++ BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 189, 48 >> 3, 0, (uint8_t *)"DDCCBBAA", 8); ++ ++ Packet *r = Defrag(NULL, NULL, packets[0]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[1]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[2]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[3]); ++ FAIL_IF_NOT_NULL(r); ++ ++ r = Defrag(NULL, NULL, packets[4]); ++ FAIL_IF_NOT_NULL(r); ++ ++#if 0 ++ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 40, GET_PKT_LEN(r) - 40); ++#endif ++ ++ for (int i = 0; i < 5; i++) { ++ SCFree(packets[i]); ++ } ++ ++ DefragDestroy(); ++ ++ PASS; ++} ++ + #endif /* UNITTESTS */ + + void DefragRegisterTests(void) +@@ -3048,5 +3158,7 @@ void DefragRegisterTests(void) + DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test); + UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2", DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2); + UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2", DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2); ++ UtRegisterTest("DefragBsdMissingFragmentIpv4Test", DefragBsdMissingFragmentIpv4Test); ++ UtRegisterTest("DefragBsdMissingFragmentIpv6Test", DefragBsdMissingFragmentIpv6Test); + #endif /* UNITTESTS */ + } +-- +2.50.1 + diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb index 9618c45..4a1857e 100644 --- a/recipes-ids/suricata/suricata_7.0.0.bb +++ b/recipes-ids/suricata/suricata_7.0.0.bb 
@@ -24,6 +24,13 @@ SRC_URI += " \ file://CVE-2025-29916-03.patch \ file://CVE-2025-29917.patch \ file://CVE-2025-29918.patch \ + file://CVE-2024-32663-001.patch \ + file://CVE-2024-32663-002.patch \ + file://CVE-2024-32664.patch \ + file://CVE-2024-32867-001.patch \ + file://CVE-2024-32867-002.patch \ + file://CVE-2024-32867-003.patch \ + file://CVE-2024-32867-004.patch \ " inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates
From patchwork Sun Nov 23 23:45:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75297
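Review bot: In the DEFRAG_POLICY_BSD hunk of src/defrag.c (CVE-2024-32867-003.patch), `prev->ltrim` is raised to `frag_end - prev->offset` with no upper bound, while the removed lines used `prev->skip = 1` for a new fragment that reaches `prev->offset + prev->data_len` or beyond. When the new fragment covers all of `prev`, `prev->ltrim` can now equal or exceed `prev->data_len`, so the result is only correct if the reassembly loops ignore fragments whose `ltrim >= data_len`. Either clamp the value to `prev->data_len`, or keep setting `prev->skip` for the fully covered case, and say which in the comment. The `/* TODO: Set overlap flag. */` before `goto done` is also left open, so a fragment that lies entirely inside `prev` is discarded without the overlap being recorded.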
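Review bot: In BuildIpv4TestPacketWithContent (CVE-2024-32867-003.patch), `IPV4Hdr ip4h;` has no initialiser and only some of its fields are assigned before `PacketCopyData(p, (uint8_t *)&ip4h, sizeof(ip4h))`, so the remaining header bytes in the test packet come from uninitialised stack. Zero it first, for example `memset(&ip4h, 0, sizeof(ip4h));`. The results of `PacketCopyData` and `PacketCopyDataOffset` are not checked either, and `content_len` is a signed `int` that this helper never range-checks; a failed copy would only show up later as a confusing self-test failure.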
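Review bot: BuildIpv6TestPacketWithContent (CVE-2024-32867-003.patch) has no doc comment, unlike the IPv4 helper added in the same patch, and it hard-codes `44`, `2` and `8` where a named constant or `sizeof(IPV6FragHdr)` would say what each one is; the function already uses `sizeof(IPV6FragHdr)` a few lines further down. `IPV6Hdr ip6h;` is also copied into the packet with only the next-header, hop-limit and address fields set, so it should be zeroed before use.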
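Review bot: The four DefragBsdSubsequentOverlapsStartOfOriginal tests (CVE-2024-32867-003.patch, hunk at -2633) never free `packets[]` or the reassembled `r`, and the two variants without the `_2` suffix return `PASS` without calling `DefragDestroy()`, leaving the defrag state initialised after the test. Add the cleanup before `PASS`. In both `_2` tests the comment `/* Packet 4: off=8, mf=1 */` does not match the call below it, which passes `32 >> 3` and an `mf` of 0.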
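Review bot: In the Defrag6Reassemble hunk (CVE-2024-32867-004.patch), `len = MAX(len, frag->offset + frag->data_len);` is missing the comment that the matching Defrag4Reassemble line received. The commit message says the code tracks the largest contiguous size, but this expression only records the highest end offset seen so far; whether the data is contiguous depends on the branch above it that ends in `goto done`. State that dependency in the comment in both functions so the two checks are not separated later.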
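Review bot: In DefragBsdMissingFragmentIpv4Test and DefragBsdMissingFragmentIpv6Test (CVE-2024-32867-004.patch), the `#if 0` block calls `GET_PKT_DATA(r)` and `GET_PKT_LEN(r)` directly after `FAIL_IF_NOT_NULL(r)`, so `r` is NULL there whenever the test gets that far and enabling the block would dereference it. Drop the dead block. The diagram above the IPv4 test would also be clearer if it marked offset 32 as the fragment that is never sent, since that gap is the reason reassembly must fail.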
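Review bot: In the SRC_URI hunk of suricata_7.0.0.bb, the new entries use three-digit suffixes (`CVE-2024-32663-001.patch`) while the entries just above them use two (`CVE-2025-29916-03.patch`); pick one scheme for the recipe. The 2024 fixes are appended after the 2025 ones, so please confirm that this is the order the backports were generated against, given that CVE-2024-32867-003.patch and CVE-2024-32867-004.patch both modify src/defrag.c and the second is based on the result of the first (`index 28d085d..fc46411`).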
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 23/32] suricata: fix CVE-2024-55627 && CVE-2024-55628
Date: Sun, 23 Nov 2025 18:45:03 -0500
X-Mailer: git-send-email 2.51.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2682

From: Hitendra Prajapati

Backport fixes for:

* CVE-2024-55627 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/0dc364aef2dec122fc0e7ee4c190864f4cc5f1bd && https://github.com/OISF/suricata/commit/949bfeca0e5f92212dc3d79f4a87c7c482d376aa && https://github.com/OISF/suricata/commit/7d47fcf7f7fefacd2b0d8f482534a83b35a3c45e
* CVE-2024-55628 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/58c41a7fa99f62d9a8688e970ab1a9b09c79723a && https://github.com/OISF/suricata/commit/284ad462fcb2e47f1518a1abc19e27ca84c6972e && https://github.com/OISF/suricata/commit/5edb84fe234f47a0fedfbf9b10b49699152fe8cb && https://github.com/OISF/suricata/commit/71212b78bd1b7b841c9d9a907d0b3eea71a54060

Signed-off-by: Hitendra Prajapati
Signed-off-by: Scott Murray --- .../suricata/files/CVE-2024-55627-001.patch | 59 + .../suricata/files/CVE-2024-55627-002.patch | 44 + .../suricata/files/CVE-2024-55627-003.patch | 41 + .../suricata/files/CVE-2024-55628-001.patch | 738 +++ .../suricata/files/CVE-2024-55628-002.patch | 4877 +++++++++++++++++ .../suricata/files/CVE-2024-55628-003.patch | 114 + .../suricata/files/CVE-2024-55628-004.patch | 510 ++ recipes-ids/suricata/suricata_7.0.0.bb | 7 + 8 files changed, 6390 insertions(+) create mode 100644 recipes-ids/suricata/files/CVE-2024-55627-001.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-55627-002.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-55627-003.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-55628-001.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-55628-002.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-55628-003.patch create mode 100644 recipes-ids/suricata/files/CVE-2024-55628-004.patch diff --git a/recipes-ids/suricata/files/CVE-2024-55627-001.patch b/recipes-ids/suricata/files/CVE-2024-55627-001.patch new file mode 100644 index 0000000..50b4f06 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-55627-001.patch 
@@ -0,0 +1,59 @@ +From 0dc364aef2dec122fc0e7ee4c190864f4cc5f1bd Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 21 Nov 2024 14:55:32 +0100 +Subject: [PATCH] util/streaming-buffer: fix regions intersection + +This was not a problem for current callers in Suricata, +as RegionsIntersect is only called through StreamingBufferInsertAt +which is only used by TCP... + +And TCP uses default region gap = 256kb, and only calls +StreamingBufferInsertAt with a u16, so TCP never inserts a new +data that will strictly contain an existing region augmented +with region gap, which was the only case where RegionsIntersect +returned the wrong result, which could later lead to a +buffer overflow. + +Ticket: 7393 +(cherry picked from commit 282509f70c4ce805098e59535af445362e3e9ebd) + +CVE: CVE-2024-55627 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/0dc364aef2dec122fc0e7ee4c190864f4cc5f1bd] +Signed-off-by: Hitendra Prajapati +--- + src/util-streaming-buffer.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/src/util-streaming-buffer.c b/src/util-streaming-buffer.c +index 7608b50..d1d20e8 100644 +--- a/src/util-streaming-buffer.c ++++ b/src/util-streaming-buffer.c +@@ -133,17 +133,14 @@ static inline bool RegionsIntersect(const StreamingBuffer *sb, const StreamingBu + SCLogDebug("r %p: %" PRIu64 "/%" PRIu64 " - adjusted %" PRIu64 "/%" PRIu64, r, r->stream_offset, + r->stream_offset + r->buf_size, reg_o, reg_re); + /* check if data range intersects with region range */ +- if (offset >= reg_o && offset <= reg_re) { +- SCLogDebug("r %p is in-scope", r); +- return true; +- } +- if (re >= reg_o && re <= reg_re) { +- SCLogDebug("r %p is in-scope: %" PRIu64 " >= %" PRIu64 " && %" PRIu64 " <= %" PRIu64, r, re, +- reg_o, re, reg_re); +- return true; +- } +- SCLogDebug("r %p is out of scope: %" PRIu64 "/%" PRIu64, r, offset, re); +- return false; ++ /* [offset:re] and [reg_o:reg_re] do not intersect if and only if ++ * 
re < reg_o or if reg_re < offset (one segment is strictly before the other) ++ * trusting that offset<=re and reg_o<=reg_re ++ */ ++ if (re < reg_o || reg_re < offset) { ++ return false; ++ } ++ return true; + } + + /** \internal +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-55627-002.patch b/recipes-ids/suricata/files/CVE-2024-55627-002.patch new file mode 100644 index 0000000..8e2ca6b --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-55627-002.patch 
@@ -0,0 +1,44 @@ +From 949bfeca0e5f92212dc3d79f4a87c7c482d376aa Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 21 Nov 2024 15:17:21 +0100 +Subject: [PATCH] util/streaming-buffer: check need to grow region + +Ticket: 7393 + +As it was possible before earlier patches to get here +with mem_size lesser than start->buf_size, +which caused then an unsigned underflow and a buffer overflow. + +(cherry picked from commit 8900041405dbb5f9584edae994af2100733fb4be) + +CVE: CVE-2024-55627 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/949bfeca0e5f92212dc3d79f4a87c7c482d376aa] +Signed-off-by: Hitendra Prajapati +--- + src/util-streaming-buffer.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/util-streaming-buffer.c b/src/util-streaming-buffer.c +index d1d20e8..2625e49 100644 +--- a/src/util-streaming-buffer.c ++++ b/src/util-streaming-buffer.c +@@ -931,9 +931,13 @@ static inline void StreamingBufferSlideToOffsetWithRegions( + goto done; + } else { + /* using "main", expand to include "next" */ +- if (GrowRegionToSize(sb, cfg, start, mem_size) != 0) { +- new_mem_size = new_data_size; +- goto just_main; ++ if (mem_size > start->buf_size) { ++ // Check that start->buf_size is actually not big enough ++ // As mem_size computation and earlier checks do not make it clear. ++ if (GrowRegionToSize(sb, cfg, start, mem_size) != 0) { ++ new_mem_size = new_data_size; ++ goto just_main; ++ } + } + SCLogDebug("start->buf now size %u", mem_size); + +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-55627-003.patch b/recipes-ids/suricata/files/CVE-2024-55627-003.patch new file mode 100644 index 0000000..63d5016 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-55627-003.patch 
@@ -0,0 +1,41 @@ +From 7d47fcf7f7fefacd2b0d8f482534a83b35a3c45e Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 21 Nov 2024 15:20:44 +0100 +Subject: [PATCH] util/streaming-buffer: add extra safety check + +Ticket: 7393 + +Check if GrowRegionToSize is called with an argument +trying to shrink the region size, and if so do nothing, +ie do not try to shrink, and just return ok. + +This way, we avoid a buffer overflow from memeset using an +unsigned having underflowed. + +(cherry picked from commit 9a53ec43b13f0039a083950511a18bf6f408e432) + +CVE: CVE-2024-55627 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/7d47fcf7f7fefacd2b0d8f482534a83b35a3c45e] +Signed-off-by: Hitendra Prajapati +--- + src/util-streaming-buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/util-streaming-buffer.c b/src/util-streaming-buffer.c +index 2625e49..077f8af 100644 +--- a/src/util-streaming-buffer.c ++++ b/src/util-streaming-buffer.c +@@ -715,6 +715,10 @@ static inline int WARN_UNUSED GrowRegionToSize(StreamingBuffer *sb, + /* try to grow in multiples of cfg->buf_size */ + const uint32_t grow = ToNextMultipleOf(size, cfg->buf_size); + SCLogDebug("grow %u", grow); ++ if (grow <= region->buf_size) { ++ // do not try to shrink, and do not memset with diff having unsigned underflow ++ return SC_OK; ++ } + + void *ptr = REALLOC(cfg, region->buf, region->buf_size, grow); + if (ptr == NULL) { +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-55628-001.patch b/recipes-ids/suricata/files/CVE-2024-55628-001.patch new file mode 100644 index 0000000..6371729 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-55628-001.patch 
@@ -0,0 +1,738 @@ +From 58c41a7fa99f62d9a8688e970ab1a9b09c79723a Mon Sep 17 00:00:00 2001 +From: Jason Ish +Date: Thu, 31 Oct 2024 15:40:40 -0600 +Subject: [PATCH] dns: truncate names larger than 1025 characters + +Once a name has gone over 1025 chars it will be truncated to 1025 +chars and no more labels will be added to it, however the name will +continue to be parsed up to the label limit in attempt to find the end +so parsing can continue. + +This introduces a new struct, DNSName which contains the name and any +flags which indicate any name parsing errors which should not error +out parsing the complete message, for example, infinite recursion +after some labels are parsed can continue, or truncation of name where +compression was used so we know the start of the next data to be +parsed. + +This limits the logged DNS messages from being over our maximum size +of 10Mb in the case of really long names. + +Ticket: #7280 + +CVE: CVE-2024-55628 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/58c41a7fa99f62d9a8688e970ab1a9b09c79723a] +Signed-off-by: Hitendra Prajapati +--- + rust/src/dns/dns.rs | 41 +++++--- + rust/src/dns/log.rs | 41 ++++---- + rust/src/dns/lua.rs | 36 ++++--- + rust/src/dns/parser.rs | 231 ++++++++++++++++++++++++++++++++++++----- + 4 files changed, 277 insertions(+), 72 deletions(-) + +diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs +index 382c76a..680bf7e 100644 +--- a/rust/src/dns/dns.rs ++++ b/rust/src/dns/dns.rs +@@ -144,7 +144,7 @@ pub struct DNSHeader { + + #[derive(Debug)] + pub struct DNSQueryEntry { +- pub name: Vec, ++ pub name: DNSName, + pub rrtype: u16, + pub rrclass: u16, + } +@@ -152,9 +152,9 @@ pub struct DNSQueryEntry { + #[derive(Debug, PartialEq, Eq)] + pub struct DNSRDataSOA { + /// Primary name server for this zone +- pub mname: Vec, ++ pub mname: DNSName, + /// Authority's mailbox +- pub rname: Vec, ++ pub rname: DNSName, + /// Serial version number + pub serial: u32, + /// Refresh interval 
(seconds) +@@ -186,7 +186,22 @@ pub struct DNSRDataSRV { + /// Port + pub port: u16, + /// Target +- pub target: Vec, ++ pub target: DNSName, ++} ++ ++bitflags! { ++ #[derive(Default)] ++ pub struct DNSNameFlags: u8 { ++ const INFINITE_LOOP = 0b0000_0001; ++ const TRUNCATED = 0b0000_0010; ++ const LABEL_LIMIT = 0b0000_0100; ++ } ++} ++ ++#[derive(Debug, Clone, PartialEq, Eq)] ++pub struct DNSName { ++ pub value: Vec, ++ pub flags: DNSNameFlags, + } + + /// Represents RData of various formats +@@ -196,10 +211,10 @@ pub enum DNSRData { + A(Vec), + AAAA(Vec), + // RData is a domain name +- CNAME(Vec), +- PTR(Vec), +- MX(Vec), +- NS(Vec), ++ CNAME(DNSName), ++ PTR(DNSName), ++ MX(DNSName), ++ NS(DNSName), + // RData is text + TXT(Vec), + NULL(Vec), +@@ -213,7 +228,7 @@ pub enum DNSRData { + + #[derive(Debug, PartialEq, Eq)] + pub struct DNSAnswerEntry { +- pub name: Vec, ++ pub name: DNSName, + pub rrtype: u16, + pub rrclass: u16, + pub ttl: u32, +@@ -871,9 +886,9 @@ pub unsafe extern "C" fn rs_dns_tx_get_query_name( + if let Some(request) = &tx.request { + if (i as usize) < request.queries.len() { + let query = &request.queries[i as usize]; +- if !query.name.is_empty() { +- *len = query.name.len() as u32; +- *buf = query.name.as_ptr(); ++ if !query.name.value.is_empty() { ++ *len = query.name.value.len() as u32; ++ *buf = query.name.value.as_ptr(); + return 1; + } + } +@@ -904,7 +919,7 @@ pub unsafe extern "C" fn rs_dns_tx_get_query_rrtype( + if let Some(request) = &tx.request { + if (i as usize) < request.queries.len() { + let query = &request.queries[i as usize]; +- if !query.name.is_empty() { ++ if !query.name.value.is_empty() { + *rrtype = query.rrtype; + return 1; + } +diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs +index 5212b1a..6bf9589 100644 +--- a/rust/src/dns/log.rs ++++ b/rust/src/dns/log.rs +@@ -398,8 +398,8 @@ pub fn dns_print_addr(addr: &Vec) -> std::string::String { + fn dns_log_soa(soa: &DNSRDataSOA) -> Result { + let mut js = 
JsonBuilder::try_new_object()?; + +- js.set_string_from_bytes("mname", &soa.mname)?; +- js.set_string_from_bytes("rname", &soa.rname)?; ++ js.set_string_from_bytes("mname", &soa.mname.value)?; ++ js.set_string_from_bytes("rname", &soa.rname.value)?; + js.set_uint("serial", soa.serial as u64)?; + js.set_uint("refresh", soa.refresh as u64)?; + js.set_uint("retry", soa.retry as u64)?; +@@ -434,7 +434,7 @@ fn dns_log_srv(srv: &DNSRDataSRV) -> Result { + js.set_uint("priority", srv.priority as u64)?; + js.set_uint("weight", srv.weight as u64)?; + js.set_uint("port", srv.port as u64)?; +- js.set_string_from_bytes("name", &srv.target)?; ++ js.set_string_from_bytes("name", &srv.target.value)?; + + js.close()?; + return Ok(js); +@@ -443,7 +443,7 @@ fn dns_log_srv(srv: &DNSRDataSRV) -> Result { + fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result { + let mut jsa = JsonBuilder::try_new_object()?; + +- jsa.set_string_from_bytes("rrname", &answer.name)?; ++ jsa.set_string_from_bytes("rrname", &answer.name.value)?; + jsa.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?; + jsa.set_uint("ttl", answer.ttl as u64)?; + +@@ -451,12 +451,10 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result { + jsa.set_string("rdata", &dns_print_addr(addr))?; + } +- DNSRData::CNAME(bytes) +- | DNSRData::MX(bytes) +- | DNSRData::NS(bytes) +- | DNSRData::TXT(bytes) +- | DNSRData::NULL(bytes) +- | DNSRData::PTR(bytes) => { ++ DNSRData::CNAME(name) | DNSRData::MX(name) | DNSRData::NS(name) | DNSRData::PTR(name) => { ++ jsa.set_string_from_bytes("rdata", &name.value)?; ++ } ++ DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => { + jsa.set_string_from_bytes("rdata", bytes)?; + } + DNSRData::SOA(soa) => { +@@ -507,7 +505,7 @@ fn dns_log_json_answer( + js.set_uint("opcode", opcode as u64)?; + + if let Some(query) = response.queries.first() { +- js.set_string_from_bytes("rrname", &query.name)?; ++ js.set_string_from_bytes("rrname", &query.name.value)?; + 
js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?; + } + js.set_string("rcode", &dns_rcode_string(header.flags))?; +@@ -530,12 +528,19 @@ fn dns_log_json_answer( + a.append_string(&dns_print_addr(addr))?; + } + } +- DNSRData::CNAME(bytes) +- | DNSRData::MX(bytes) +- | DNSRData::NS(bytes) +- | DNSRData::TXT(bytes) +- | DNSRData::NULL(bytes) +- | DNSRData::PTR(bytes) => { ++ DNSRData::CNAME(name) ++ | DNSRData::MX(name) ++ | DNSRData::NS(name) ++ | DNSRData::PTR(name) => { ++ if !answer_types.contains_key(&type_string) { ++ answer_types ++ .insert(type_string.to_string(), JsonBuilder::try_new_array()?); ++ } ++ if let Some(a) = answer_types.get_mut(&type_string) { ++ a.append_string_from_bytes(&name.value)?; ++ } ++ } ++ DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => { + if !answer_types.contains_key(&type_string) { + answer_types.insert(type_string.to_string(), JsonBuilder::try_new_array()?); + } +@@ -614,7 +619,7 @@ fn dns_log_query( + if dns_log_rrtype_enabled(query.rrtype, flags) { + jb.set_string("type", "query")?; + jb.set_uint("id", request.header.tx_id as u64)?; +- jb.set_string_from_bytes("rrname", &query.name)?; ++ jb.set_string_from_bytes("rrname", &query.name.value)?; + jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?; + jb.set_uint("tx_id", tx.id - 1)?; + if request.header.flags & 0x0040 != 0 { +diff --git a/rust/src/dns/lua.rs b/rust/src/dns/lua.rs +index b9935f8..f7b0c15 100644 +--- a/rust/src/dns/lua.rs ++++ b/rust/src/dns/lua.rs +@@ -34,12 +34,12 @@ pub extern "C" fn rs_dns_lua_get_rrname(clua: &mut CLuaState, tx: &mut DNSTransa + + if let Some(request) = &tx.request { + if let Some(query) = request.queries.first() { +- lua.pushstring(&String::from_utf8_lossy(&query.name)); ++ lua.pushstring(&String::from_utf8_lossy(&query.name.value)); + return 1; + } + } else if let Some(response) = &tx.response { + if let Some(query) = response.queries.first() { +- lua.pushstring(&String::from_utf8_lossy(&query.name)); ++ 
lua.pushstring(&String::from_utf8_lossy(&query.name.value)); + return 1; + } + } +@@ -86,7 +86,7 @@ pub extern "C" fn rs_dns_lua_get_query_table( + lua.settable(-3); + + lua.pushstring("rrname"); +- lua.pushstring(&String::from_utf8_lossy(&query.name)); ++ lua.pushstring(&String::from_utf8_lossy(&query.name.value)); + lua.settable(-3); + + lua.settable(-3); +@@ -103,7 +103,7 @@ pub extern "C" fn rs_dns_lua_get_query_table( + lua.settable(-3); + + lua.pushstring("rrname"); +- lua.pushstring(&String::from_utf8_lossy(&query.name)); ++ lua.pushstring(&String::from_utf8_lossy(&query.name.value)); + lua.settable(-3); + + lua.settable(-3); +@@ -142,11 +142,11 @@ pub extern "C" fn rs_dns_lua_get_answer_table( + lua.settable(-3); + + lua.pushstring("rrname"); +- lua.pushstring(&String::from_utf8_lossy(&answer.name)); ++ lua.pushstring(&String::from_utf8_lossy(&answer.name.value)); + lua.settable(-3); + + // All rdata types are pushed to "addr" for backwards compatibility +- match answer.data { ++ match &answer.data { + DNSRData::A(ref bytes) | DNSRData::AAAA(ref bytes) => { + if !bytes.is_empty() { + lua.pushstring("addr"); +@@ -154,12 +154,18 @@ pub extern "C" fn rs_dns_lua_get_answer_table( + lua.settable(-3); + } + } +- DNSRData::CNAME(ref bytes) +- | DNSRData::MX(ref bytes) +- | DNSRData::NS(ref bytes) +- | DNSRData::TXT(ref bytes) ++ DNSRData::CNAME(name) ++ | DNSRData::MX(name) ++ | DNSRData::NS(name) ++ | DNSRData::PTR(name) => { ++ if !name.value.is_empty() { ++ lua.pushstring("addr"); ++ lua.pushstring(&String::from_utf8_lossy(&name.value)); ++ lua.settable(-3); ++ } ++ } ++ DNSRData::TXT(ref bytes) + | DNSRData::NULL(ref bytes) +- | DNSRData::PTR(ref bytes) + | DNSRData::Unknown(ref bytes) => { + if !bytes.is_empty() { + lua.pushstring("addr"); +@@ -168,9 +174,9 @@ pub extern "C" fn rs_dns_lua_get_answer_table( + } + } + DNSRData::SOA(ref soa) => { +- if !soa.mname.is_empty() { ++ if !soa.mname.value.is_empty() { + lua.pushstring("addr"); +- 
lua.pushstring(&String::from_utf8_lossy(&soa.mname)); ++ lua.pushstring(&String::from_utf8_lossy(&soa.mname.value)); + lua.settable(-3); + } + } +@@ -181,7 +187,7 @@ pub extern "C" fn rs_dns_lua_get_answer_table( + } + DNSRData::SRV(ref srv) => { + lua.pushstring("addr"); +- lua.pushstring(&String::from_utf8_lossy(&srv.target)); ++ lua.pushstring(&String::from_utf8_lossy(&srv.target.value)); + lua.settable(-3); + } + } +@@ -221,7 +227,7 @@ pub extern "C" fn rs_dns_lua_get_authority_table( + lua.settable(-3); + + lua.pushstring("rrname"); +- lua.pushstring(&String::from_utf8_lossy(&answer.name)); ++ lua.pushstring(&String::from_utf8_lossy(&answer.name.value)); + lua.settable(-3); + + lua.settable(-3); +diff --git a/rust/src/dns/parser.rs b/rust/src/dns/parser.rs +index a1d97a5..12929bc 100644 +--- a/rust/src/dns/parser.rs ++++ b/rust/src/dns/parser.rs +@@ -45,16 +45,48 @@ pub fn dns_parse_header(i: &[u8]) -> IResult<&[u8], DNSHeader> { + )) + } + ++// Set a maximum assembled hostname length of 1025, this value was ++// chosen as its what DNSMasq uses, a popular DNS server, even if most ++// tooling limits names to 256 chars without special options. ++static MAX_NAME_LEN: usize = 1025; ++ + /// Parse a DNS name. + /// ++/// Names are parsed with the following restrictions: ++/// ++/// - Only 255 segments will be processed, if more the parser may ++/// error out. This is also our safeguard against an infinite loop. If ++/// a pointer had been followed a truncated name will be ++/// returned. However if pointer has been processed we error out as we ++/// don't know where the next data point starts without more ++/// iterations. ++/// ++/// - The maximum name parsed in representation format is MAX_NAME_LEN ++/// characters. Once larger, the truncated name will be returned with ++/// a flag specifying the name was truncated. Note that parsing ++/// continues if no pointer has been used as we still need to find the ++/// start of the next protocol unit. 
++/// ++/// As some error in parsing the name are recoverable, a DNSName ++/// object is returned with flags signifying a recoverable ++/// error. These errors include: ++/// ++/// - infinite loop: as we know the end of the name in the input ++/// stream, we can return what we've parsed with the remain data. ++/// ++/// - maximum number of segments/labels parsed ++/// ++/// - truncation of name when too long ++/// + /// Parameters: + /// start: the start of the name + /// message: the complete message that start is a part of with the DNS header +-pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8], Vec> { ++pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8], DNSName> { + let mut pos = start; + let mut pivot = start; + let mut name: Vec = Vec::with_capacity(32); + let mut count = 0; ++ let mut flags = DNSNameFlags::default(); + + loop { + if pos.is_empty() { +@@ -68,10 +100,12 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 + break; + } else if len & 0b1100_0000 == 0 { + let (rem, label) = length_data(be_u8)(pos)?; +- if !name.is_empty() { +- name.push(b'.'); ++ if !flags.contains(DNSNameFlags::TRUNCATED) { ++ if !name.is_empty() { ++ name.push(b'.'); ++ } ++ name.extend(label); + } +- name.extend(label); + pos = rem; + } else if len & 0b1100_0000 == 0b1100_0000 { + let (rem, leader) = be_u16(pos)?; +@@ -79,6 +113,21 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 + if offset > message.len() { + return Err(Err::Error(error_position!(pos, ErrorKind::OctDigit))); + } ++ ++ if &message[offset..] == pos { ++ // Self reference, immedate infinite loop. ++ flags.insert(DNSNameFlags::INFINITE_LOOP); ++ ++ // If we have followed a pointer, we can just break as ++ // we've already found the end of the input. But if we ++ // have not followed a pointer yet return a parse ++ // error. 
++ if pivot != start { ++ break; ++ } ++ return Err(Err::Error(error_position!(pos, ErrorKind::OctDigit))); ++ } ++ + pos = &message[offset..]; + if pivot == start { + pivot = rem; +@@ -89,19 +138,43 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 + + // Return error if we've looped a certain number of times. + count += 1; ++ + if count > 255 { ++ flags.insert(DNSNameFlags::LABEL_LIMIT); ++ ++ // Our segment limit has been reached, if we have hit a ++ // pointer we can just return the truncated name. If we ++ // have not hit a pointer, we need to bail with an error. ++ if pivot != start { ++ flags.insert(DNSNameFlags::TRUNCATED); ++ break; ++ } + return Err(Err::Error(error_position!(pos, ErrorKind::OctDigit))); + } ++ ++ if name.len() > MAX_NAME_LEN { ++ name.truncate(MAX_NAME_LEN); ++ flags.insert(DNSNameFlags::TRUNCATED); ++ ++ // If we have pivoted due to a pointer we know where the ++ // end of the data is, so we can break early. Otherwise ++ // we'll keep parsing in hopes to find the end of the name ++ // so parsing can continue. ++ if pivot != start { ++ break; ++ } ++ } + } + + // If we followed a pointer we return the position after the first + // pointer followed. Is there a better way to see if these slices + // diverged from each other? A straight up comparison would + // actually check the contents. +- if pivot.len() != start.len() { +- return Ok((pivot, name)); ++ if pivot != start { ++ Ok((pivot, DNSName { value: name, flags })) ++ } else { ++ Ok((pos, DNSName { value: name, flags })) + } +- return Ok((pos, name)); + } + + /// Parse answer entries. 
+@@ -121,7 +194,7 @@ fn dns_parse_answer<'a>( + let mut input = slice; + + struct Answer<'a> { +- name: Vec, ++ name: DNSName, + rrtype: u16, + rrclass: u16, + ttl: u32, +@@ -375,7 +448,7 @@ mod tests { + ]; + let expected_remainder: &[u8] = &[0x00, 0x01, 0x00]; + let (remainder, name) = dns_parse_name(buf, buf).unwrap(); +- assert_eq!("client-cf.dropbox.com".as_bytes(), &name[..]); ++ assert_eq!("client-cf.dropbox.com".as_bytes(), &name.value[..]); + assert_eq!(remainder, expected_remainder); + } + +@@ -411,7 +484,13 @@ mod tests { + let res1 = dns_parse_name(start1, message); + assert_eq!( + res1, +- Ok((&start1[22..], "www.suricata-ids.org".as_bytes().to_vec())) ++ Ok(( ++ &start1[22..], ++ DNSName { ++ value: "www.suricata-ids.org".as_bytes().to_vec(), ++ flags: DNSNameFlags::default(), ++ } ++ )) + ); + + // The second name starts at offset 80, but is just a pointer +@@ -420,7 +499,13 @@ mod tests { + let res2 = dns_parse_name(start2, message); + assert_eq!( + res2, +- Ok((&start2[2..], "www.suricata-ids.org".as_bytes().to_vec())) ++ Ok(( ++ &start2[2..], ++ DNSName { ++ value: "www.suricata-ids.org".as_bytes().to_vec(), ++ flags: DNSNameFlags::default() ++ } ++ )) + ); + + // The third name starts at offset 94, but is a pointer to a +@@ -429,7 +514,13 @@ mod tests { + let res3 = dns_parse_name(start3, message); + assert_eq!( + res3, +- Ok((&start3[2..], "suricata-ids.org".as_bytes().to_vec())) ++ Ok(( ++ &start3[2..], ++ DNSName { ++ value: "suricata-ids.org".as_bytes().to_vec(), ++ flags: DNSNameFlags::default() ++ } ++ )) + ); + + // The fourth name starts at offset 110, but is a pointer to a +@@ -438,7 +529,13 @@ mod tests { + let res4 = dns_parse_name(start4, message); + assert_eq!( + res4, +- Ok((&start4[2..], "suricata-ids.org".as_bytes().to_vec())) ++ Ok(( ++ &start4[2..], ++ DNSName { ++ value: "suricata-ids.org".as_bytes().to_vec(), ++ flags: DNSNameFlags::default() ++ } ++ )) + ); + } + +@@ -473,7 +570,13 @@ mod tests { + let res = 
dns_parse_name(start, message); + assert_eq!( + res, +- Ok((&start[2..], "block.g1.dropbox.com".as_bytes().to_vec())) ++ Ok(( ++ &start[2..], ++ DNSName { ++ value: "block.g1.dropbox.com".as_bytes().to_vec(), ++ flags: DNSNameFlags::default() ++ } ++ )) + ); + } + +@@ -512,7 +615,7 @@ mod tests { + assert_eq!(request.queries.len(), 1); + + let query = &request.queries[0]; +- assert_eq!(query.name, "www.suricata-ids.org".as_bytes().to_vec()); ++ assert_eq!(query.name.value, "www.suricata-ids.org".as_bytes().to_vec()); + assert_eq!(query.rrtype, 1); + assert_eq!(query.rrclass, 1); + } +@@ -569,20 +672,26 @@ mod tests { + assert_eq!(response.answers.len(), 3); + + let answer1 = &response.answers[0]; +- assert_eq!(answer1.name, "www.suricata-ids.org".as_bytes().to_vec()); ++ assert_eq!(answer1.name.value, "www.suricata-ids.org".as_bytes().to_vec()); + assert_eq!(answer1.rrtype, 5); + assert_eq!(answer1.rrclass, 1); + assert_eq!(answer1.ttl, 3544); + assert_eq!( + answer1.data, +- DNSRData::CNAME("suricata-ids.org".as_bytes().to_vec()) ++ DNSRData::CNAME(DNSName { ++ value: "suricata-ids.org".as_bytes().to_vec(), ++ flags: Default::default(), ++ }) + ); + + let answer2 = &response.answers[1]; + assert_eq!( + answer2, + &DNSAnswerEntry { +- name: "suricata-ids.org".as_bytes().to_vec(), ++ name: DNSName { ++ value: "suricata-ids.org".as_bytes().to_vec(), ++ flags: Default::default(), ++ }, + rrtype: 1, + rrclass: 1, + ttl: 244, +@@ -594,7 +703,10 @@ mod tests { + assert_eq!( + answer3, + &DNSAnswerEntry { +- name: "suricata-ids.org".as_bytes().to_vec(), ++ name: DNSName { ++ value: "suricata-ids.org".as_bytes().to_vec(), ++ flags: Default::default(), ++ }, + rrtype: 1, + rrclass: 1, + ttl: 244, +@@ -653,15 +765,21 @@ mod tests { + assert_eq!(response.authorities.len(), 1); + + let authority = &response.authorities[0]; +- assert_eq!(authority.name, "oisf.net".as_bytes().to_vec()); ++ assert_eq!(authority.name.value, "oisf.net".as_bytes().to_vec()); + 
assert_eq!(authority.rrtype, 6); + assert_eq!(authority.rrclass, 1); + assert_eq!(authority.ttl, 899); + assert_eq!( + authority.data, + DNSRData::SOA(DNSRDataSOA { +- mname: "ns-110.awsdns-13.com".as_bytes().to_vec(), +- rname: "awsdns-hostmaster.amazon.com".as_bytes().to_vec(), ++ mname: DNSName { ++ value: "ns-110.awsdns-13.com".as_bytes().to_vec(), ++ flags: DNSNameFlags::default() ++ }, ++ rname: DNSName { ++ value: "awsdns-hostmaster.amazon.com".as_bytes().to_vec(), ++ flags: DNSNameFlags::default() ++ }, + serial: 1, + refresh: 7200, + retry: 900, +@@ -712,14 +830,14 @@ mod tests { + + assert_eq!(response.queries.len(), 1); + let query = &response.queries[0]; +- assert_eq!(query.name, "vaaaakardli.pirate.sea".as_bytes().to_vec()); ++ assert_eq!(query.name.value, "vaaaakardli.pirate.sea".as_bytes().to_vec()); + assert_eq!(query.rrtype, DNS_RECORD_TYPE_NULL); + assert_eq!(query.rrclass, 1); + + assert_eq!(response.answers.len(), 1); + + let answer = &response.answers[0]; +- assert_eq!(answer.name, "vaaaakardli.pirate.sea".as_bytes().to_vec()); ++ assert_eq!(answer.name.value, "vaaaakardli.pirate.sea".as_bytes().to_vec()); + assert_eq!(answer.rrtype, DNS_RECORD_TYPE_NULL); + assert_eq!(answer.rrclass, 1); + assert_eq!(answer.ttl, 0); +@@ -819,7 +937,7 @@ mod tests { + assert_eq!(srv.weight, 1); + assert_eq!(srv.port, 5060); + assert_eq!( +- srv.target, ++ srv.target.value, + "sip-anycast-2.voice.google.com".as_bytes().to_vec() + ); + } +@@ -834,7 +952,7 @@ mod tests { + assert_eq!(srv.weight, 1); + assert_eq!(srv.port, 5060); + assert_eq!( +- srv.target, ++ srv.target.value, + "sip-anycast-1.voice.google.com".as_bytes().to_vec() + ); + } +@@ -848,4 +966,65 @@ mod tests { + } + } + } ++ ++ #[test] ++ fn test_dns_parse_name_truncated() { ++ // Generate a non-compressed hostname over our maximum of 1024. 
++ let mut buf: Vec = vec![]; ++ for _ in 0..17 { ++ buf.push(0b0011_1111); ++ for _ in 0..63 { ++ buf.push(b'a'); ++ } ++ } ++ ++ let (rem, name) = dns_parse_name(&buf, &buf).unwrap(); ++ assert_eq!(name.value.len(), MAX_NAME_LEN); ++ assert!(name.flags.contains(DNSNameFlags::TRUNCATED)); ++ assert!(rem.is_empty()); ++ } ++ ++ #[test] ++ fn test_dns_parse_name_truncated_max_segments_no_pointer() { ++ let mut buf: Vec = vec![]; ++ for _ in 0..256 { ++ buf.push(0b0000_0001); ++ buf.push(b'a'); ++ } ++ ++ // This should fail as we've hit the segment limit without a ++ // pointer, we'd need to keep parsing more segments to figure ++ // out where the next data point lies. ++ assert!(dns_parse_name(&buf, &buf).is_err()); ++ } ++ ++ #[test] ++ fn test_dns_parse_name_truncated_max_segments_with_pointer() { ++ let mut buf: Vec = vec![]; ++ ++ // "a" at the beginning of the buffer. ++ buf.push(0b0000_0001); ++ buf.push(b'a'); ++ ++ // Followed by a pointer back to the beginning. ++ buf.push(0b1100_0000); ++ buf.push(0b0000_0000); ++ ++ // The start of the name, which is pointer to the beginning of ++ // the buffer. ++ buf.push(0b1100_0000); ++ buf.push(0b000_0000); ++ ++ let (_rem, name) = dns_parse_name(&buf[4..], &buf).unwrap(); ++ assert_eq!(name.value.len(), 255); ++ assert!(name.flags.contains(DNSNameFlags::TRUNCATED)); ++ } ++ ++ #[test] ++ fn test_dns_parse_name_self_reference() { ++ let mut buf = vec![]; ++ buf.push(0b1100_0000); ++ buf.push(0b0000_0000); ++ assert!(dns_parse_name(&buf, &buf).is_err()); ++ } + } +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-55628-002.patch b/recipes-ids/suricata/files/CVE-2024-55628-002.patch new file mode 100644 index 0000000..7bade5d --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-55628-002.patch 
@@ -0,0 +1,4877 @@ +From 284ad462fcb2e47f1518a1abc19e27ca84c6972e Mon Sep 17 00:00:00 2001 +From: Philippe Antoine +Date: Thu, 12 May 2022 20:31:25 +0200 +Subject: [PATCH] output: adds schema.json + +Ticket: #1369 + +CVE: CVE-2024-55628 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/284ad462fcb2e47f1518a1abc19e27ca84c6972e] +Signed-off-by: Hitendra Prajapati +--- + etc/schema.json | 4853 +++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 4853 insertions(+) + create mode 100644 etc/schema.json + +diff --git a/etc/schema.json b/etc/schema.json +new file mode 100644 +index 0000000..99f419f +--- /dev/null ++++ b/etc/schema.json +@@ -0,0 +1,4853 @@ ++{ ++ "type": "object", ++ "properties": { ++ "app_proto": { ++ "type": "string", ++ "optional": true ++ }, ++ "app_proto_expected": { ++ "type": "string" ++ }, ++ "app_proto_orig": { ++ "type": "string" ++ }, ++ "app_proto_tc": { ++ "type": "string" ++ }, ++ "app_proto_ts": { ++ "type": "string" ++ }, ++ "community_id": { ++ "type": "string" ++ }, ++ "dest_ip": { ++ "type": "string", ++ "optional": true ++ }, ++ "dest_port": { ++ "type": "integer", ++ "optional": true ++ }, ++ "event_type": { ++ "type": "string", ++ "optional": false ++ }, ++ "flow_id": { ++ "type": "integer", ++ "optional": true ++ }, ++ "icmp_code": { ++ "type": "integer" ++ }, ++ "icmp_type": { ++ "type": "integer" ++ }, ++ "log_level": { ++ "type": "string" ++ }, ++ "packet": { ++ "type": "string" ++ }, ++ "parent_id": { ++ "type": "integer" ++ }, ++ "payload": { ++ "type": "string" ++ }, ++ "payload_printable": { ++ "type": "string" ++ }, ++ "pcap_cnt": { ++ "type": "integer", ++ "optional": true ++ }, ++ "pkt_src": { ++ "type": "string" ++ }, ++ "proto": { ++ "type": "string", ++ "optional": true ++ }, ++ "response_icmp_code": { ++ "type": "integer" ++ }, ++ "response_icmp_type": { ++ "type": "integer" ++ }, ++ "spi": { ++ "type": "integer" ++ }, ++ "src_ip": { ++ "type": "string", ++ "optional": true ++ }, ++ 
"src_port": { ++ "type": "integer", ++ "optional": true ++ }, ++ "stream": { ++ "type": "integer" ++ }, ++ "timestamp": { ++ "type": "string", ++ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$", ++ "optional": false ++ }, ++ "tx_id": { ++ "type": "integer", ++ "optional": true ++ }, ++ "files": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "end": { ++ "type": "integer" ++ }, ++ "filename": { ++ "type": "string" ++ }, ++ "gaps": { ++ "type": "boolean" ++ }, ++ "md5": { ++ "type": "string" ++ }, ++ "sha1": { ++ "type": "string" ++ }, ++ "sha256": { ++ "type": "string" ++ }, ++ "size": { ++ "type": "integer" ++ }, ++ "start": { ++ "type": "integer" ++ }, ++ "state": { ++ "type": "string" ++ }, ++ "stored": { ++ "type": "boolean" ++ }, ++ "tx_id": { ++ "type": "integer" ++ }, ++ "sid": { ++ "type": "array", ++ "items": { ++ "type": "integer" ++ } ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "vlan": { ++ "type": "array", ++ "items": { ++ "type": "number" ++ } ++ }, ++ "alert": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "action": { ++ "type": "string" ++ }, ++ "category": { ++ "type": "string" ++ }, ++ "gid": { ++ "type": "integer" ++ }, ++ "rev": { ++ "type": "integer" ++ }, ++ "rule": { ++ "type": "string" ++ }, ++ "severity": { ++ "type": "integer" ++ }, ++ "signature": { ++ "type": "string" ++ }, ++ "signature_id": { ++ "type": "integer" ++ }, ++ "xff": { ++ "type": "string" ++ }, ++ "metadata": { ++ "type": "object", ++ "properties": { ++ "affected_product": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "attack_target": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "created_at": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "deployment": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "signature_severity": { ++ "type": "array", ++ "items": { ++ "type": 
"string" ++ } ++ }, ++ "tag": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "updated_at": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "source": { ++ "type": "object", ++ "properties": { ++ "ip": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "target": { ++ "type": "object", ++ "properties": { ++ "ip": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "anomaly": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "app_proto": { ++ "type": "string" ++ }, ++ "event": { ++ "type": "string" ++ }, ++ "layer": { ++ "type": "string" ++ }, ++ "type": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "dcerpc": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "activityuuid": { ++ "type": "string" ++ }, ++ "call_id": { ++ "type": "integer" ++ }, ++ "request": { ++ "type": "string" ++ }, ++ "response": { ++ "type": "string" ++ }, ++ "rpc_version": { ++ "type": "string" ++ }, ++ "seqnum": { ++ "type": "integer" ++ }, ++ "interfaces": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "ack_result": { ++ "type": "integer" ++ }, ++ "uuid": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "req": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "frag_cnt": { ++ "type": "integer" ++ }, ++ "opnum": { ++ "type": "integer" ++ }, ++ "stub_data_size": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "res": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "frag_cnt": { ++ "type": "integer" ++ }, ++ "stub_data_size": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "dhcp": { ++ "type": "object", ++ "optional": true, ++ 
"properties": { ++ "assigned_ip": { ++ "type": "string" ++ }, ++ "client_id": { ++ "type": "string" ++ }, ++ "client_ip": { ++ "type": "string" ++ }, ++ "client_mac": { ++ "type": "string" ++ }, ++ "dhcp_type": { ++ "type": "string" ++ }, ++ "hostname": { ++ "type": "string" ++ }, ++ "id": { ++ "type": "integer" ++ }, ++ "lease_time": { ++ "type": "integer" ++ }, ++ "next_server_ip": { ++ "type": "string" ++ }, ++ "rebinding_time": { ++ "type": "integer" ++ }, ++ "relay_ip": { ++ "type": "string" ++ }, ++ "renewal_time": { ++ "type": "integer" ++ }, ++ "subnet_mask": { ++ "type": "string" ++ }, ++ "type": { ++ "type": "string" ++ }, ++ "dns_servers": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "params": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "routers": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "dnp3": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "dst": { ++ "type": "integer" ++ }, ++ "src": { ++ "type": "integer" ++ }, ++ "type": { ++ "type": "string" ++ }, ++ "application": { ++ "type": "object", ++ "properties": { ++ "complete": { ++ "type": "boolean" ++ }, ++ "function_code": { ++ "type": "integer" ++ }, ++ "objects": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "count": { ++ "type": "integer" ++ }, ++ "group": { ++ "type": "integer" ++ }, ++ "prefix_code": { ++ "type": "integer" ++ }, ++ "qualifier": { ++ "type": "integer" ++ }, ++ "range_code": { ++ "type": "integer" ++ }, ++ "start": { ++ "type": "integer" ++ }, ++ "stop": { ++ "type": "integer" ++ }, ++ "variation": { ++ "type": "integer" ++ }, ++ "points": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "additionalProperties": true ++ } ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "control": { ++ "type": "object", ++ "properties": { ++ "con": { ++ "type": "boolean" ++ }, ++ "fin": { ++ "type": 
"boolean" ++ }, ++ "fir": { ++ "type": "boolean" ++ }, ++ "sequence": { ++ "type": "integer" ++ }, ++ "uns": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "control": { ++ "type": "object", ++ "properties": { ++ "dir": { ++ "type": "boolean" ++ }, ++ "fcb": { ++ "type": "boolean" ++ }, ++ "fcv": { ++ "type": "boolean" ++ }, ++ "function_code": { ++ "type": "integer" ++ }, ++ "pri": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "iin": { ++ "type": "object", ++ "properties": { ++ "indicators": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "request": { ++ "type": "object", ++ "properties": { ++ "dst": { ++ "type": "integer" ++ }, ++ "src": { ++ "type": "integer" ++ }, ++ "type": { ++ "type": "string" ++ }, ++ "application": { ++ "type": "object", ++ "properties": { ++ "complete": { ++ "type": "boolean" ++ }, ++ "function_code": { ++ "type": "integer" ++ }, ++ "objects": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "count": { ++ "type": "integer" ++ }, ++ "group": { ++ "type": "integer" ++ }, ++ "prefix_code": { ++ "type": "integer" ++ }, ++ "qualifier": { ++ "type": "integer" ++ }, ++ "range_code": { ++ "type": "integer" ++ }, ++ "start": { ++ "type": "integer" ++ }, ++ "stop": { ++ "type": "integer" ++ }, ++ "variation": { ++ "type": "integer" ++ }, ++ "points": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "additionalProperties": true ++ } ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "control": { ++ "type": "object", ++ "properties": { ++ "con": { ++ "type": "boolean" ++ }, ++ "fin": { ++ "type": "boolean" ++ }, ++ "fir": { ++ "type": "boolean" ++ }, ++ "sequence": { ++ "type": "integer" ++ }, ++ "uns": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "control": { ++ 
"type": "object", ++ "properties": { ++ "dir": { ++ "type": "boolean" ++ }, ++ "fcb": { ++ "type": "boolean" ++ }, ++ "fcv": { ++ "type": "boolean" ++ }, ++ "function_code": { ++ "type": "integer" ++ }, ++ "pri": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "response": { ++ "type": "object", ++ "properties": { ++ "dst": { ++ "type": "integer" ++ }, ++ "src": { ++ "type": "integer" ++ }, ++ "type": { ++ "type": "string" ++ }, ++ "application": { ++ "type": "object", ++ "properties": { ++ "complete": { ++ "type": "boolean" ++ }, ++ "function_code": { ++ "type": "integer" ++ }, ++ "objects": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "count": { ++ "type": "integer" ++ }, ++ "group": { ++ "type": "integer" ++ }, ++ "prefix_code": { ++ "type": "integer" ++ }, ++ "qualifier": { ++ "type": "integer" ++ }, ++ "range_code": { ++ "type": "integer" ++ }, ++ "start": { ++ "type": "integer" ++ }, ++ "stop": { ++ "type": "integer" ++ }, ++ "variation": { ++ "type": "integer" ++ }, ++ "points": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "additionalProperties": true ++ } ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "control": { ++ "type": "object", ++ "properties": { ++ "con": { ++ "type": "boolean" ++ }, ++ "fin": { ++ "type": "boolean" ++ }, ++ "fir": { ++ "type": "boolean" ++ }, ++ "sequence": { ++ "type": "integer" ++ }, ++ "uns": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "control": { ++ "type": "object", ++ "properties": { ++ "dir": { ++ "type": "boolean" ++ }, ++ "fcb": { ++ "type": "boolean" ++ }, ++ "fcv": { ++ "type": "boolean" ++ }, ++ "function_code": { ++ "type": "integer" ++ }, ++ "pri": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "iin": { ++ "type": "object", ++ "properties": { ++ "indicators": { ++ "type": "array", ++ 
"items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "dns": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "aa": { ++ "type": "boolean" ++ }, ++ "flags": { ++ "type": "string" ++ }, ++ "id": { ++ "type": "integer" ++ }, ++ "qr": { ++ "type": "boolean" ++ }, ++ "ra": { ++ "type": "boolean" ++ }, ++ "rcode": { ++ "type": "string" ++ }, ++ "rd": { ++ "type": "boolean" ++ }, ++ "rrname": { ++ "type": "string" ++ }, ++ "rrtype": { ++ "type": "string" ++ }, ++ "tx_id": { ++ "type": "integer" ++ }, ++ "type": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "integer" ++ }, ++ "answers": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "rdata": { ++ "type": "string" ++ }, ++ "rrname": { ++ "type": "string" ++ }, ++ "rrtype": { ++ "type": "string" ++ }, ++ "ttl": { ++ "type": "integer" ++ }, ++ "srv": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "name": { ++ "type": "string" ++ }, ++ "port": { ++ "type": "integer" ++ }, ++ "priority": { ++ "type": "integer" ++ }, ++ "weight": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "authorities": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "rdata": { ++ "type": "string" ++ }, ++ "rrname": { ++ "type": "string" ++ }, ++ "rrtype": { ++ "type": "string" ++ }, ++ "ttl": { ++ "type": "integer" ++ }, ++ "soa": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "expire": { ++ "type": "integer" ++ }, ++ "minimum": { ++ "type": "integer" ++ }, ++ "mname": { ++ "type": "string" ++ }, ++ "refresh": { ++ "type": "integer" ++ }, ++ "retry": { ++ "type": "integer" ++ }, ++ "rname": { ++ "type": "string" ++ }, ++ "serial": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": 
false ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "query": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "id": { ++ "type": "integer" ++ }, ++ "rrname": { ++ "type": "string" ++ }, ++ "rrtype": { ++ "type": "string" ++ }, ++ "tx_id": { ++ "type": "integer" ++ }, ++ "type": { ++ "type": "string" ++ }, ++ "z": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "answer": { ++ "type": "object", ++ "properties": { ++ "flags": { ++ "type": "string" ++ }, ++ "id": { ++ "type": "integer" ++ }, ++ "qr": { ++ "type": "boolean" ++ }, ++ "ra": { ++ "type": "boolean" ++ }, ++ "rcode": { ++ "type": "string" ++ }, ++ "rd": { ++ "type": "boolean" ++ }, ++ "rrname": { ++ "type": "string" ++ }, ++ "rrtype": { ++ "type": "string" ++ }, ++ "type": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "grouped": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "A": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "AAAA": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "CNAME": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "MX": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "NULL": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "PTR": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "SRV": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "name": { ++ "type": "string" ++ }, ++ "port": { ++ "type": "integer" ++ }, ++ "priority": { ++ "type": "integer" ++ }, ++ "weight": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "TXT": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "z": { ++ "type": "boolean" ++ } ++ }, ++ 
"additionalProperties": false ++ }, ++ "drop": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "ack": { ++ "type": "boolean" ++ }, ++ "fin": { ++ "type": "boolean" ++ }, ++ "icmp_id": { ++ "type": "integer" ++ }, ++ "icmp_seq": { ++ "type": "integer" ++ }, ++ "ipid": { ++ "type": "integer" ++ }, ++ "len": { ++ "type": "integer" ++ }, ++ "psh": { ++ "type": "boolean" ++ }, ++ "rst": { ++ "type": "boolean" ++ }, ++ "syn": { ++ "type": "boolean" ++ }, ++ "tcpack": { ++ "type": "integer" ++ }, ++ "tcpres": { ++ "type": "integer" ++ }, ++ "tcpseq": { ++ "type": "integer" ++ }, ++ "tcpurgp": { ++ "type": "integer" ++ }, ++ "tcpwin": { ++ "type": "integer" ++ }, ++ "tos": { ++ "type": "integer" ++ }, ++ "ttl": { ++ "type": "integer" ++ }, ++ "urg": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "email": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "body_md5": { ++ "type": "string" ++ }, ++ "from": { ++ "type": "string" ++ }, ++ "status": { ++ "type": "string" ++ }, ++ "subject": { ++ "type": "string" ++ }, ++ "subject_md5": { ++ "type": "string" ++ }, ++ "url": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "attachment": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "to": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "engine": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "error": { ++ "type": "string" ++ }, ++ "error_code": { ++ "type": "integer" ++ }, ++ "message": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ether": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "dest_mac": { ++ "type": "string" ++ }, ++ "src_mac": { ++ "type": "string" ++ }, ++ "dest_macs": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "src_macs": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ 
"additionalProperties": false ++ }, ++ "fileinfo": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "end": { ++ "type": "integer" ++ }, ++ "file_id": { ++ "type": "integer" ++ }, ++ "filename": { ++ "type": "string" ++ }, ++ "gaps": { ++ "type": "boolean" ++ }, ++ "magic": { ++ "type": "string" ++ }, ++ "md5": { ++ "type": "string" ++ }, ++ "sha1": { ++ "type": "string" ++ }, ++ "sha256": { ++ "type": "string" ++ }, ++ "size": { ++ "type": "integer" ++ }, ++ "start": { ++ "type": "integer" ++ }, ++ "state": { ++ "type": "string" ++ }, ++ "stored": { ++ "type": "boolean" ++ }, ++ "tx_id": { ++ "type": "integer" ++ }, ++ "sid": { ++ "type": "array", ++ "items": { ++ "type": "integer" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "flow": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "action": { ++ "type": "string" ++ }, ++ "age": { ++ "type": "integer" ++ }, ++ "alerted": { ++ "type": "boolean" ++ }, ++ "bypass": { ++ "type": "string" ++ }, ++ "bypassed": { ++ "type": "object", ++ "optional": false, ++ "properties": { ++ "pkts_toserver": { ++ "type": "integer" ++ }, ++ "pkts_toclient": { ++ "type": "integer" ++ }, ++ "bytes_toserver": { ++ "type": "integer" ++ }, ++ "bytes_toclient": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperites": false ++ }, ++ "bytes_toclient": { ++ "type": "integer" ++ }, ++ "bytes_toserver": { ++ "type": "integer" ++ }, ++ "end": { ++ "type": "string" ++ }, ++ "pkts_toclient": { ++ "type": "integer" ++ }, ++ "pkts_toserver": { ++ "type": "integer" ++ }, ++ "reason": { ++ "type": "string" ++ }, ++ "start": { ++ "type": "string" ++ }, ++ "state": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "frame": { ++ "type": "object", ++ "properties": { ++ "type": { ++ "type": "string" ++ }, ++ "id": { ++ "type": "integer" ++ }, ++ "direction": { ++ "type": "string" ++ }, ++ "stream_offset": { ++ "type": "integer" ++ }, ++ "length": { ++ "type": "integer" ++ }, ++ 
"complete": { ++ "type": "boolean" ++ }, ++ "payload": { ++ "type": "string" ++ }, ++ "payload_printable": { ++ "type": "string" ++ }, ++ "tx_id": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ftp": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "command": { ++ "type": "string" ++ }, ++ "command_data": { ++ "type": "string" ++ }, ++ "command_truncated": { ++ "type": "boolean" ++ }, ++ "dynamic_port": { ++ "type": "integer" ++ }, ++ "mode": { ++ "type": "string" ++ }, ++ "reply_received": { ++ "type": "string" ++ }, ++ "reply_truncated": { ++ "type": "boolean" ++ }, ++ "completion_code": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "reply": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ftp_data": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "command": { ++ "type": "string" ++ }, ++ "filename": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "http": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "hostname": { ++ "type": "string" ++ }, ++ "http_content_type": { ++ "type": "string" ++ }, ++ "http_method": { ++ "type": "string" ++ }, ++ "http_port": { ++ "type": "integer" ++ }, ++ "http_refer": { ++ "type": "string" ++ }, ++ "http_user_agent": { ++ "type": "string" ++ }, ++ "length": { ++ "type": "integer" ++ }, ++ "protocol": { ++ "type": "string" ++ }, ++ "redirect": { ++ "type": "string" ++ }, ++ "status": { ++ "type": "integer" ++ }, ++ "url": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "string" ++ }, ++ "xff": { ++ "type": "string" ++ }, ++ "request_headers": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "name": { ++ "type": "string" ++ }, ++ "table_size_update": { ++ "type": "integer" ++ }, ++ "value": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "response_headers": { ++ "type": 
"array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "name": { ++ "type": "string" ++ }, ++ "table_size_update": { ++ "type": "integer" ++ }, ++ "value": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "content_range": { ++ "type": "object", ++ "properties": { ++ "end": { ++ "type": "integer" ++ }, ++ "raw": { ++ "type": "string" ++ }, ++ "size": { ++ "type": "integer" ++ }, ++ "start": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "http2": { ++ "type": "object", ++ "properties": { ++ "stream_id": { ++ "type": "integer" ++ }, ++ "request": { ++ "type": "object", ++ "properties": { ++ "error_code": { ++ "type": "string" ++ }, ++ "priority": { ++ "type": "integer" ++ }, ++ "settings": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "settings_id": { ++ "type": "string" ++ }, ++ "settings_value": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "response": { ++ "type": "object", ++ "properties": { ++ "error_code": { ++ "type": "string" ++ }, ++ "settings": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "settings_id": { ++ "type": "string" ++ }, ++ "settings_value": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "http2": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "http_method": { ++ "type": "string" ++ }, ++ "http_user_agent": { ++ "type": "string" ++ }, ++ "length": { ++ "type": "integer" ++ }, ++ "status": { ++ "type": "integer" ++ }, ++ "url": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "string" ++ }, ++ "request_headers": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "name": { ++ "type": "string" ++ }, ++ "table_size_update": { 
++ "type": "integer" ++ }, ++ "value": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "response_headers": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "name": { ++ "type": "string" ++ }, ++ "table_size_update": { ++ "type": "integer" ++ }, ++ "value": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "http2": { ++ "type": "object", ++ "properties": { ++ "stream_id": { ++ "type": "integer" ++ }, ++ "request": { ++ "type": "object", ++ "properties": { ++ "priority": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "response": { ++ "type": "object", ++ "properties": { ++ "error_code": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ike": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "alg_auth": { ++ "type": "string" ++ }, ++ "alg_auth_raw": { ++ "type": "integer" ++ }, ++ "alg_dh": { ++ "type": "string" ++ }, ++ "alg_dh_raw": { ++ "type": "integer" ++ }, ++ "alg_enc": { ++ "type": "string" ++ }, ++ "alg_enc_raw": { ++ "type": "integer" ++ }, ++ "alg_hash": { ++ "type": "string" ++ }, ++ "alg_hash_raw": { ++ "type": "integer" ++ }, ++ "exchange_type": { ++ "type": "integer" ++ }, ++ "exchange_type_verbose": { ++ "type": "string" ++ }, ++ "init_spi": { ++ "type": "string" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "resp_spi": { ++ "type": "string" ++ }, ++ "role": { ++ "type": "string" ++ }, ++ "sa_key_length": { ++ "type": "string" ++ }, ++ "sa_key_length_raw": { ++ "type": "integer" ++ }, ++ "sa_life_duration": { ++ "type": "string" ++ }, ++ "sa_life_duration_raw": { ++ "type": "integer" ++ }, ++ "sa_life_type": { ++ "type": "string" ++ }, ++ "sa_life_type_raw": { ++ "type": "integer" ++ }, ++ "version_major": { ++ "type": "integer" ++ }, ++ "version_minor": { ++ "type": "integer" ++ }, ++ "payload": 
{ ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "ikev1": { ++ "type": "object", ++ "properties": { ++ "doi": { ++ "type": "integer" ++ }, ++ "encrypted_payloads": { ++ "type": "boolean" ++ }, ++ "vendor_ids": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "client": { ++ "type": "object", ++ "properties": { ++ "key_exchange_payload": { ++ "type": "string" ++ }, ++ "key_exchange_payload_length": { ++ "type": "integer" ++ }, ++ "nonce_payload": { ++ "type": "string" ++ }, ++ "nonce_payload_length": { ++ "type": "integer" ++ }, ++ "proposals": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "alg_auth": { ++ "type": "string" ++ }, ++ "alg_auth_raw": { ++ "type": "integer" ++ }, ++ "alg_dh": { ++ "type": "string" ++ }, ++ "alg_dh_raw": { ++ "type": "integer" ++ }, ++ "alg_enc": { ++ "type": "string" ++ }, ++ "alg_enc_raw": { ++ "type": "integer" ++ }, ++ "alg_hash": { ++ "type": "string" ++ }, ++ "alg_hash_raw": { ++ "type": "integer" ++ }, ++ "sa_key_length": { ++ "type": "string" ++ }, ++ "sa_key_length_raw": { ++ "type": "integer" ++ }, ++ "sa_life_duration": { ++ "type": "string" ++ }, ++ "sa_life_duration_raw": { ++ "type": "integer" ++ }, ++ "sa_life_type": { ++ "type": "string" ++ }, ++ "sa_life_type_raw": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "server": { ++ "type": "object", ++ "properties": { ++ "key_exchange_payload": { ++ "type": "string" ++ }, ++ "key_exchange_payload_length": { ++ "type": "integer" ++ }, ++ "nonce_payload": { ++ "type": "string" ++ }, ++ "nonce_payload_length": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ikev2": { ++ "type": "object", ++ "properties": { ++ "errors": { ++ "type": "integer" ++ }, ++ "notify": { ++ "type": "array" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ 
"additionalProperties": false ++ }, ++ "krb5": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "cname": { ++ "type": "string" ++ }, ++ "encryption": { ++ "type": "string" ++ }, ++ "error_code": { ++ "type": "string" ++ }, ++ "failed_request": { ++ "type": "string" ++ }, ++ "msg_type": { ++ "type": "string" ++ }, ++ "realm": { ++ "type": "string" ++ }, ++ "sname": { ++ "type": "string" ++ }, ++ "weak_encryption": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "metadata": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "flowbits": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "flowvars": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "gid": { ++ "type": "string" ++ }, ++ "key": { ++ "type": "string" ++ }, ++ "value": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": true ++ } ++ }, ++ "pktvars": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "uid": { ++ "type": "string" ++ }, ++ "username": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "flowints": { ++ "type": "object", ++ "additionalProperties": true ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "modbus": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "id": { ++ "type": "integer" ++ }, ++ "request": { ++ "type": "object", ++ "properties": { ++ "access_type": { ++ "type": "string" ++ }, ++ "category": { ++ "type": "string" ++ }, ++ "data": { ++ "type": "string" ++ }, ++ "error_flags": { ++ "type": "string" ++ }, ++ "function_code": { ++ "type": "string" ++ }, ++ "function_raw": { ++ "type": "integer" ++ }, ++ "protocol_id": { ++ "type": "integer" ++ }, ++ "transaction_id": { ++ "type": "integer" ++ }, ++ "unit_id": { ++ "type": "integer" ++ }, ++ "diagnostic": { ++ "type": "object", ++ "properties": { ++ "code": { ++ "type": "string" ++ }, ++ "data": { ++ "type": "string" ++ }, ++ "raw": { ++ 
"type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "mei": { ++ "type": "object", ++ "properties": { ++ "code": { ++ "type": "string" ++ }, ++ "data": { ++ "type": "string" ++ }, ++ "raw": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "read": { ++ "type": "object", ++ "properties": { ++ "address": { ++ "type": "integer" ++ }, ++ "quantity": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "write": { ++ "type": "object", ++ "properties": { ++ "address": { ++ "type": "integer" ++ }, ++ "data": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "response": { ++ "type": "object", ++ "properties": { ++ "access_type": { ++ "type": "string" ++ }, ++ "category": { ++ "type": "string" ++ }, ++ "data": { ++ "type": "string" ++ }, ++ "error_flags": { ++ "type": "string" ++ }, ++ "function_code": { ++ "type": "string" ++ }, ++ "function_raw": { ++ "type": "integer" ++ }, ++ "protocol_id": { ++ "type": "integer" ++ }, ++ "transaction_id": { ++ "type": "integer" ++ }, ++ "unit_id": { ++ "type": "integer" ++ }, ++ "diagnostic": { ++ "type": "object", ++ "properties": { ++ "code": { ++ "type": "string" ++ }, ++ "data": { ++ "type": "string" ++ }, ++ "raw": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "exception": { ++ "type": "object", ++ "properties": { ++ "code": { ++ "type": "string" ++ }, ++ "raw": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "read": { ++ "type": "object", ++ "properties": { ++ "data": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "write": { ++ "type": "object", ++ "properties": { ++ "address": { ++ "type": "integer" ++ }, ++ "data": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "mqtt": { ++ "type": "object", ++ 
"optional": true, ++ "properties": { ++ "connack": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ }, ++ "return_code": { ++ "type": "integer" ++ }, ++ "session_present": { ++ "type": "boolean" ++ }, ++ "properties": { ++ "type": "object", ++ "additionalProperties": true ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "connect": { ++ "type": "object", ++ "properties": { ++ "client_id": { ++ "type": "string" ++ }, ++ "dup": { ++ "type": "boolean" ++ }, ++ "password": { ++ "type": "string" ++ }, ++ "protocol_string": { ++ "type": "string" ++ }, ++ "protocol_version": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ }, ++ "username": { ++ "type": "string" ++ }, ++ "flags": { ++ "type": "object", ++ "properties": { ++ "clean_session": { ++ "type": "boolean" ++ }, ++ "password": { ++ "type": "boolean" ++ }, ++ "username": { ++ "type": "boolean" ++ }, ++ "will": { ++ "type": "boolean" ++ }, ++ "will_retain": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "properties": { ++ "type": "object", ++ "additionalProperties": true ++ }, ++ "will": { ++ "type": "object", ++ "properties": { ++ "message": { ++ "type": "string" ++ }, ++ "topic": { ++ "type": "string" ++ }, ++ "properties": { ++ "type": "object", ++ "additionalProperties": true ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "disconnect": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "reason_code": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ }, ++ "properties": { ++ "type": "object", ++ "additionalProperties": true ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "pingreq": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "qos": { ++ 
"type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "pingresp": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "puback": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "reason_code": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "pubcomp": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "reason_code": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "publish": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message": { ++ "type": "string" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ }, ++ "skipped_length": { ++ "type": "integer" ++ }, ++ "topic": { ++ "type": "string" ++ }, ++ "truncated": { ++ "type": "boolean" ++ }, ++ "properties": { ++ "type": "object", ++ "additionalProperties": true ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "pubrec": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "reason_code": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "pubrel": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "reason_code": { ++ "type": 
"integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "suback": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ }, ++ "qos_granted": { ++ "type": "array", ++ "items": { ++ "type": "integer" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "subscribe": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ }, ++ "topics": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "qos": { ++ "type": "integer" ++ }, ++ "topic": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "unsuback": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ }, ++ "reason_codes": { ++ "type": "array", ++ "items": { ++ "type": "integer" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "unsubscribe": { ++ "type": "object", ++ "properties": { ++ "dup": { ++ "type": "boolean" ++ }, ++ "message_id": { ++ "type": "integer" ++ }, ++ "qos": { ++ "type": "integer" ++ }, ++ "retain": { ++ "type": "boolean" ++ }, ++ "topics": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "netflow": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "age": { ++ "type": "integer" ++ }, ++ "bytes": { ++ "type": "integer" ++ }, ++ "end": { ++ "type": "string" ++ }, ++ "max_ttl": { ++ "type": "integer" ++ }, ++ "min_ttl": { ++ "type": "integer" ++ }, ++ "pkts": { ++ "type": 
"integer" ++ }, ++ "start": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "nfs": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "file_tx": { ++ "type": "boolean" ++ }, ++ "filename": { ++ "type": "string" ++ }, ++ "hhash": { ++ "type": "string" ++ }, ++ "id": { ++ "type": "integer" ++ }, ++ "procedure": { ++ "type": "string" ++ }, ++ "status": { ++ "type": "string" ++ }, ++ "type": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "integer" ++ }, ++ "read": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "chunks": { ++ "type": "integer" ++ }, ++ "first": { ++ "type": "boolean" ++ }, ++ "last": { ++ "type": "boolean" ++ }, ++ "last_xid": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "rename": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "from": { ++ "type": "string" ++ }, ++ "to": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "write": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "chunks": { ++ "type": "integer" ++ }, ++ "first": { ++ "type": "boolean" ++ }, ++ "last": { ++ "type": "boolean" ++ }, ++ "last_xid": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "packet_info": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "linktype": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "pgsql": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "request": { ++ "type": "object", ++ "properties": { ++ "message": { ++ "type": "string" ++ }, ++ "password": { ++ "type": "string" ++ }, ++ "password_message": { ++ "type": "string" ++ }, ++ "protocol_version": { ++ "type": "string" ++ }, ++ "sasl_authentication_mechanism": { ++ "type": "string" ++ }, ++ "sasl_param": { ++ "type": "string" ++ }, ++ "sasl_response": { ++ "type": "string" ++ }, ++ "simple_query": { ++ "type": "string" 
++ }, ++ "startup_parameters": { ++ "type": "object", ++ "properties": { ++ "database": { ++ "type": "string" ++ }, ++ "optional_parameters": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "application_name": { ++ "type": "string" ++ }, ++ "client_encoding": { ++ "type": "string" ++ }, ++ "replication": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "user": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "response": { ++ "type": "object", ++ "properties": { ++ "authentication_md5_password": { ++ "type": "string" ++ }, ++ "authentication_sasl_final": { ++ "type": "string" ++ }, ++ "code": { ++ "type": "string" ++ }, ++ "command_completed": { ++ "type": "string" ++ }, ++ "data_rows": { ++ "type": "integer" ++ }, ++ "data_size": { ++ "type": "integer" ++ }, ++ "field_count": { ++ "type": "integer" ++ }, ++ "file": { ++ "type": "string" ++ }, ++ "line": { ++ "type": "string" ++ }, ++ "message": { ++ "type": "string" ++ }, ++ "parameter_status": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "application_name": { ++ "type": "string" ++ }, ++ "client_encoding": { ++ "type": "string" ++ }, ++ "date_style": { ++ "type": "string" ++ }, ++ "integer_datetimes": { ++ "type": "string" ++ }, ++ "interval_style": { ++ "type": "string" ++ }, ++ "is_superuser": { ++ "type": "string" ++ }, ++ "server_encoding": { ++ "type": "string" ++ }, ++ "server_version": { ++ "type": "string" ++ }, ++ "session_authorization": { ++ "type": "string" ++ }, ++ "standard_conforming_strings": { ++ "type": "string" ++ }, ++ "time_zone": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "process_id": { ++ "type": "integer" ++ }, ++ "routine": { ++ "type": "string" ++ }, ++ "secret_key": { ++ "type": "integer" ++ }, ++ "severity_localizable": { ++ "type": "string" ++ }, ++ "severity_non_localizable": { ++ 
"type": "string" ++ }, ++ "ssl_accepted": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "tx_id": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "quic": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "cyu": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "properties": { ++ "hash": { ++ "type": "string" ++ }, ++ "string": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "sni": { ++ "type": "string" ++ }, ++ "ua": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "rdp": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "cookie": { ++ "type": "string" ++ }, ++ "event_type": { ++ "type": "string" ++ }, ++ "tx_id": { ++ "type": "integer" ++ }, ++ "channels": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "client": { ++ "type": "object", ++ "properties": { ++ "build": { ++ "type": "string" ++ }, ++ "client_name": { ++ "type": "string" ++ }, ++ "color_depth": { ++ "type": "integer" ++ }, ++ "desktop_height": { ++ "type": "integer" ++ }, ++ "desktop_width": { ++ "type": "integer" ++ }, ++ "function_keys": { ++ "type": "integer" ++ }, ++ "id": { ++ "type": "string" ++ }, ++ "keyboard_layout": { ++ "type": "string" ++ }, ++ "keyboard_type": { ++ "type": "string" ++ }, ++ "product_id": { ++ "type": "integer" ++ }, ++ "version": { ++ "type": "string" ++ }, ++ "capabilities": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "rfb": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "screen_shared": { ++ "type": "boolean" ++ }, ++ "authentication": { ++ "type": "object", ++ "properties": { ++ "security_result": { ++ "type": "string" ++ }, ++ "security_type": { ++ "type": "integer" ++ }, ++ "vnc": { ++ "type": "object", ++ "properties": 
{ ++ "challenge": { ++ "type": "string" ++ }, ++ "response": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "client_protocol_version": { ++ "type": "object", ++ "properties": { ++ "major": { ++ "type": "string" ++ }, ++ "minor": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "framebuffer": { ++ "type": "object", ++ "properties": { ++ "height": { ++ "type": "integer" ++ }, ++ "name": { ++ "type": "string" ++ }, ++ "width": { ++ "type": "integer" ++ }, ++ "pixel_format": { ++ "type": "object", ++ "properties": { ++ "big_endian": { ++ "type": "boolean" ++ }, ++ "bits_per_pixel": { ++ "type": "integer" ++ }, ++ "blue_max": { ++ "type": "integer" ++ }, ++ "blue_shift": { ++ "type": "integer" ++ }, ++ "depth": { ++ "type": "integer" ++ }, ++ "green_max": { ++ "type": "integer" ++ }, ++ "green_shift": { ++ "type": "integer" ++ }, ++ "red_max": { ++ "type": "integer" ++ }, ++ "red_shift": { ++ "type": "integer" ++ }, ++ "true_color": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "server_protocol_version": { ++ "type": "object", ++ "properties": { ++ "major": { ++ "type": "string" ++ }, ++ "minor": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "rpc": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "auth_type": { ++ "type": "string" ++ }, ++ "status": { ++ "type": "string" ++ }, ++ "xid": { ++ "type": "integer" ++ }, ++ "creds": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "gid": { ++ "type": "integer" ++ }, ++ "machine_name": { ++ "type": "string" ++ }, ++ "uid": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "sip": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "code": { ++ "type": "string" ++ }, ++ 
"method": { ++ "type": "string" ++ }, ++ "reason": { ++ "type": "string" ++ }, ++ "request_line": { ++ "type": "string" ++ }, ++ "response_line": { ++ "type": "string" ++ }, ++ "uri": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "smb": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "access": { ++ "type": "string" ++ }, ++ "accessed": { ++ "type": "integer" ++ }, ++ "changed": { ++ "type": "integer" ++ }, ++ "client_guid": { ++ "type": "string" ++ }, ++ "command": { ++ "type": "string" ++ }, ++ "created": { ++ "type": "integer" ++ }, ++ "dialect": { ++ "type": "string" ++ }, ++ "directory": { ++ "type": "string" ++ }, ++ "disposition": { ++ "type": "string" ++ }, ++ "filename": { ++ "type": "string" ++ }, ++ "fuid": { ++ "type": "string" ++ }, ++ "function": { ++ "type": "string" ++ }, ++ "id": { ++ "type": "integer" ++ }, ++ "max_read_size": { ++ "type": "integer" ++ }, ++ "max_write_size": { ++ "type": "integer" ++ }, ++ "modified": { ++ "type": "integer" ++ }, ++ "named_pipe": { ++ "type": "string" ++ }, ++ "request_done": { ++ "type": "boolean" ++ }, ++ "response_done": { ++ "type": "boolean" ++ }, ++ "server_guid": { ++ "type": "string" ++ }, ++ "session_id": { ++ "type": "integer" ++ }, ++ "share": { ++ "type": "string" ++ }, ++ "share_type": { ++ "type": "string" ++ }, ++ "size": { ++ "type": "integer" ++ }, ++ "status": { ++ "type": "string" ++ }, ++ "status_code": { ++ "type": "string" ++ }, ++ "tree_id": { ++ "type": "integer" ++ }, ++ "client_dialects": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "dcerpc": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "call_id": { ++ "type": "integer" ++ }, ++ "opnum": { ++ "type": "integer" ++ }, ++ "request": { ++ "type": "string" ++ }, ++ "response": { ++ "type": "string" ++ }, ++ "interfaces": { ++ "type": "array", ++ "items": { ++ "type": "object", ++ "optional": true, ++ 
"properties": { ++ "ack_reason": { ++ "type": "integer" ++ }, ++ "ack_result": { ++ "type": "integer" ++ }, ++ "uuid": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "req": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "frag_cnt": { ++ "type": "integer" ++ }, ++ "stub_data_size": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "res": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "frag_cnt": { ++ "type": "integer" ++ }, ++ "stub_data_size": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "kerberos": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "realm": { ++ "type": "string" ++ }, ++ "snames": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ntlmssp": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "domain": { ++ "type": "string" ++ }, ++ "host": { ++ "type": "string" ++ }, ++ "user": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "request": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "native_lm": { ++ "type": "string" ++ }, ++ "native_os": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "response": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "native_lm": { ++ "type": "string" ++ }, ++ "native_os": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "service": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "request": { ++ "type": "string" ++ }, ++ "response": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "smtp": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "helo": { ++ "type": "string" ++ }, ++ "mail_from": { ++ "type": 
"string" ++ }, ++ "rcpt_to": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "snmp": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "community": { ++ "type": "string" ++ }, ++ "pdu_type": { ++ "type": "string" ++ }, ++ "usm": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "integer" ++ }, ++ "vars": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ssh": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "client": { ++ "type": "object", ++ "properties": { ++ "proto_version": { ++ "type": "string" ++ }, ++ "software_version": { ++ "type": "string" ++ }, ++ "hassh": { ++ "type": "object", ++ "properties": { ++ "hash": { ++ "type": "string" ++ }, ++ "string": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "server": { ++ "type": "object", ++ "properties": { ++ "proto_version": { ++ "type": "string" ++ }, ++ "software_version": { ++ "type": "string" ++ }, ++ "hassh": { ++ "type": "object", ++ "properties": { ++ "hash": { ++ "type": "string" ++ }, ++ "string": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "stats": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "uptime": { ++ "type": "integer" ++ }, ++ "app_layer": { ++ "type": "object", ++ "properties": { ++ "expectations": { ++ "type": "integer" ++ }, ++ "error": { ++ "type": "object", ++ "properties": { ++ "dcerpc_tcp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "dcerpc_udp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "dhcp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "dnp3": { "$ref": "#/$defs/stats_applayer_error" }, ++ "dns_tcp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "dns_udp": { "$ref": "#/$defs/stats_applayer_error" }, 
++ "enip_tcp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "enip_udp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "failed_tcp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "ftp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "ftp-data": { "$ref": "#/$defs/stats_applayer_error" }, ++ "http": { "$ref": "#/$defs/stats_applayer_error" }, ++ "http2": { "$ref": "#/$defs/stats_applayer_error" }, ++ "ike": { "$ref": "#/$defs/stats_applayer_error" }, ++ "imap": { "$ref": "#/$defs/stats_applayer_error" }, ++ "krb5_tcp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "krb5_udp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "mqtt": { "$ref": "#/$defs/stats_applayer_error" }, ++ "nfs_tcp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "nfs_udp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "ntp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "pgsql": { "$ref": "#/$defs/stats_applayer_error" }, ++ "quic": { "$ref": "#/$defs/stats_applayer_error" }, ++ "rdp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "rfb": { "$ref": "#/$defs/stats_applayer_error" }, ++ "sip": { "$ref": "#/$defs/stats_applayer_error" }, ++ "smb": { "$ref": "#/$defs/stats_applayer_error" }, ++ "smtp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "snmp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "ssh": { "$ref": "#/$defs/stats_applayer_error" }, ++ "telnet": { "$ref": "#/$defs/stats_applayer_error" }, ++ "tftp": { "$ref": "#/$defs/stats_applayer_error" }, ++ "tls": { "$ref": "#/$defs/stats_applayer_error" } ++ }, ++ "additionalProperties": false ++ }, ++ "flow": { ++ "type": "object", ++ "properties": { ++ "dcerpc_tcp": { ++ "type": "integer" ++ }, ++ "dcerpc_udp": { ++ "type": "integer" ++ }, ++ "dhcp": { ++ "type": "integer" ++ }, ++ "dnp3": { ++ "type": "integer" ++ }, ++ "dns_tcp": { ++ "type": "integer" ++ }, ++ "dns_udp": { ++ "type": "integer" ++ }, ++ "enip_tcp": { ++ "type": "integer" ++ }, ++ "enip_udp": { ++ "type": "integer" ++ }, ++ "failed_tcp": { ++ "type": "integer" ++ 
}, ++ "failed_udp": { ++ "type": "integer" ++ }, ++ "ftp": { ++ "type": "integer" ++ }, ++ "ftp-data": { ++ "type": "integer" ++ }, ++ "http": { ++ "type": "integer" ++ }, ++ "http2": { ++ "type": "integer" ++ }, ++ "ike": { ++ "type": "integer" ++ }, ++ "ikev2": { ++ "type": "integer" ++ }, ++ "imap": { ++ "type": "integer" ++ }, ++ "krb5_tcp": { ++ "type": "integer" ++ }, ++ "krb5_udp": { ++ "type": "integer" ++ }, ++ "modbus": { ++ "type": "integer" ++ }, ++ "mqtt": { ++ "type": "integer" ++ }, ++ "nfs_tcp": { ++ "type": "integer" ++ }, ++ "nfs_udp": { ++ "type": "integer" ++ }, ++ "ntp": { ++ "type": "integer" ++ }, ++ "pgsql": { ++ "type": "integer" ++ }, ++ "quic": { ++ "type": "integer" ++ }, ++ "rdp": { ++ "type": "integer" ++ }, ++ "rfb": { ++ "type": "integer" ++ }, ++ "sip": { ++ "type": "integer" ++ }, ++ "smb": { ++ "type": "integer" ++ }, ++ "smtp": { ++ "type": "integer" ++ }, ++ "snmp": { ++ "type": "integer" ++ }, ++ "ssh": { ++ "type": "integer" ++ }, ++ "telnet": { ++ "type": "integer" ++ }, ++ "tftp": { ++ "type": "integer" ++ }, ++ "tls": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "tx": { ++ "type": "object", ++ "properties": { ++ "dcerpc_tcp": { ++ "type": "integer" ++ }, ++ "dcerpc_udp": { ++ "type": "integer" ++ }, ++ "dhcp": { ++ "type": "integer" ++ }, ++ "dnp3": { ++ "type": "integer" ++ }, ++ "dns_tcp": { ++ "type": "integer" ++ }, ++ "dns_udp": { ++ "type": "integer" ++ }, ++ "enip_tcp": { ++ "type": "integer" ++ }, ++ "enip_udp": { ++ "type": "integer" ++ }, ++ "ftp": { ++ "type": "integer" ++ }, ++ "ftp-data": { ++ "type": "integer" ++ }, ++ "http": { ++ "type": "integer" ++ }, ++ "http2": { ++ "type": "integer" ++ }, ++ "ike": { ++ "type": "integer" ++ }, ++ "ikev2": { ++ "type": "integer" ++ }, ++ "imap": { ++ "type": "integer" ++ }, ++ "krb5_tcp": { ++ "type": "integer" ++ }, ++ "krb5_udp": { ++ "type": "integer" ++ }, ++ "modbus": { ++ "type": "integer" ++ }, ++ "mqtt": { ++ "type": "integer" ++ }, 
++ "nfs_tcp": { ++ "type": "integer" ++ }, ++ "nfs_udp": { ++ "type": "integer" ++ }, ++ "ntp": { ++ "type": "integer" ++ }, ++ "pgsql": { ++ "type": "integer" ++ }, ++ "quic": { ++ "type": "integer" ++ }, ++ "rdp": { ++ "type": "integer" ++ }, ++ "rfb": { ++ "type": "integer" ++ }, ++ "sip": { ++ "type": "integer" ++ }, ++ "smb": { ++ "type": "integer" ++ }, ++ "smtp": { ++ "type": "integer" ++ }, ++ "snmp": { ++ "type": "integer" ++ }, ++ "ssh": { ++ "type": "integer" ++ }, ++ "telnet": { ++ "type": "integer" ++ }, ++ "tftp": { ++ "type": "integer" ++ }, ++ "tls": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "decoder": { ++ "type": "object", ++ "properties": { ++ "avg_pkt_size": { ++ "type": "integer" ++ }, ++ "bytes": { ++ "type": "integer" ++ }, ++ "chdlc": { ++ "type": "integer" ++ }, ++ "erspan": { ++ "type": "integer" ++ }, ++ "esp": { ++ "type": "integer" ++ }, ++ "ethernet": { ++ "type": "integer" ++ }, ++ "geneve": { ++ "type": "integer" ++ }, ++ "gre": { ++ "type": "integer" ++ }, ++ "icmpv4": { ++ "type": "integer" ++ }, ++ "icmpv6": { ++ "type": "integer" ++ }, ++ "ieee8021ah": { ++ "type": "integer" ++ }, ++ "invalid": { ++ "type": "integer" ++ }, ++ "ipv4": { ++ "type": "integer" ++ }, ++ "ipv4_in_ipv6": { ++ "type": "integer" ++ }, ++ "ipv6": { ++ "type": "integer" ++ }, ++ "ipv6_in_ipv6": { ++ "type": "integer" ++ }, ++ "max_mac_addrs_dst": { ++ "type": "integer" ++ }, ++ "max_mac_addrs_src": { ++ "type": "integer" ++ }, ++ "max_pkt_size": { ++ "type": "integer" ++ }, ++ "mpls": { ++ "type": "integer" ++ }, ++ "nsh": { ++ "type": "integer" ++ }, ++ "null": { ++ "type": "integer" ++ }, ++ "pkts": { ++ "type": "integer" ++ }, ++ "ppp": { ++ "type": "integer" ++ }, ++ "pppoe": { ++ "type": "integer" ++ }, ++ "raw": { ++ "type": "integer" ++ }, ++ "sctp": { ++ "type": "integer" ++ }, ++ "sll": { ++ "type": "integer" ++ }, ++ "tcp": { ++ "type": "integer" ++ }, ++ "teredo": { ++ 
"type": "integer" ++ }, ++ "too_many_layers": { ++ "type": "integer" ++ }, ++ "udp": { ++ "type": "integer" ++ }, ++ "vlan": { ++ "type": "integer" ++ }, ++ "vlan_qinq": { ++ "type": "integer" ++ }, ++ "vntag": { ++ "type": "integer" ++ }, ++ "vxlan": { ++ "type": "integer" ++ }, ++ "event": { ++ "type": "object", ++ "properties": { ++ "chdlc": { ++ "type": "object", ++ "properties": { ++ "pkt_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "dce": { ++ "type": "object", ++ "properties": { ++ "pkt_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "erspan": { ++ "type": "object", ++ "properties": { ++ "header_too_small": { ++ "type": "integer" ++ }, ++ "too_many_vlan_layers": { ++ "type": "integer" ++ }, ++ "unsupported_version": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "esp": { ++ "type": "object", ++ "properties": { ++ "pkt_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ethernet": { ++ "type": "object", ++ "properties": { ++ "pkt_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "geneve": { ++ "type": "object", ++ "properties": { ++ "unknown_payload_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "gre": { ++ "type": "object", ++ "properties": { ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "version0_flags": { ++ "type": "integer" ++ }, ++ "version0_hdr_too_big": { ++ "type": "integer" ++ }, ++ "version0_malformed_sre_hdr": { ++ "type": "integer" ++ }, ++ "version0_recur": { ++ "type": "integer" ++ }, ++ "version1_chksum": { ++ "type": "integer" ++ }, ++ "version1_flags": { ++ "type": "integer" ++ }, ++ "version1_hdr_too_big": { ++ "type": "integer" ++ }, ++ "version1_malformed_sre_hdr": { ++ "type": "integer" ++ }, ++ "version1_no_key": { ++ "type": "integer" ++ }, ++ "version1_recur": { ++ "type": "integer" ++ }, ++ "version1_route": 
{ ++ "type": "integer" ++ }, ++ "version1_ssr": { ++ "type": "integer" ++ }, ++ "version1_wrong_protocol": { ++ "type": "integer" ++ }, ++ "wrong_version": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "icmpv4": { ++ "type": "object", ++ "properties": { ++ "ipv4_trunc_pkt": { ++ "type": "integer" ++ }, ++ "ipv4_unknown_ver": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "unknown_code": { ++ "type": "integer" ++ }, ++ "unknown_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "icmpv6": { ++ "type": "object", ++ "properties": { ++ "experimentation_type": { ++ "type": "integer" ++ }, ++ "ipv6_trunc_pkt": { ++ "type": "integer" ++ }, ++ "ipv6_unknown_version": { ++ "type": "integer" ++ }, ++ "mld_message_with_invalid_hl": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "unassigned_type": { ++ "type": "integer" ++ }, ++ "unknown_code": { ++ "type": "integer" ++ }, ++ "unknown_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ieee8021ah": { ++ "type": "object", ++ "properties": { ++ "header_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ipraw": { ++ "type": "object", ++ "properties": { ++ "invalid_ip_version": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ipv4": { ++ "type": "object", ++ "properties": { ++ "frag_ignored": { ++ "type": "integer" ++ }, ++ "frag_overlap": { ++ "type": "integer" ++ }, ++ "frag_pkt_too_large": { ++ "type": "integer" ++ }, ++ "hlen_too_small": { ++ "type": "integer" ++ }, ++ "icmpv6": { ++ "type": "integer" ++ }, ++ "iplen_smaller_than_hlen": { ++ "type": "integer" ++ }, ++ "opt_duplicate": { ++ "type": "integer" ++ }, ++ "opt_eol_required": { ++ "type": "integer" ++ }, ++ "opt_invalid": { ++ "type": "integer" ++ }, ++ "opt_invalid_len": { ++ "type": "integer" ++ }, ++ "opt_malformed": { ++ "type": "integer" 
++ }, ++ "opt_pad_required": { ++ "type": "integer" ++ }, ++ "opt_unknown": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "trunc_pkt": { ++ "type": "integer" ++ }, ++ "wrong_ip_version": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ipv6": { ++ "type": "object", ++ "properties": { ++ "data_after_none_header": { ++ "type": "integer" ++ }, ++ "dstopts_only_padding": { ++ "type": "integer" ++ }, ++ "dstopts_unknown_opt": { ++ "type": "integer" ++ }, ++ "exthdr_ah_res_not_null": { ++ "type": "integer" ++ }, ++ "exthdr_dupl_ah": { ++ "type": "integer" ++ }, ++ "exthdr_dupl_dh": { ++ "type": "integer" ++ }, ++ "exthdr_dupl_eh": { ++ "type": "integer" ++ }, ++ "exthdr_dupl_fh": { ++ "type": "integer" ++ }, ++ "exthdr_dupl_hh": { ++ "type": "integer" ++ }, ++ "exthdr_dupl_rh": { ++ "type": "integer" ++ }, ++ "exthdr_invalid_optlen": { ++ "type": "integer" ++ }, ++ "exthdr_useless_fh": { ++ "type": "integer" ++ }, ++ "fh_non_zero_reserved_field": { ++ "type": "integer" ++ }, ++ "frag_ignored": { ++ "type": "integer" ++ }, ++ "frag_invalid_length": { ++ "type": "integer" ++ }, ++ "frag_overlap": { ++ "type": "integer" ++ }, ++ "frag_pkt_too_large": { ++ "type": "integer" ++ }, ++ "hopopts_only_padding": { ++ "type": "integer" ++ }, ++ "hopopts_unknown_opt": { ++ "type": "integer" ++ }, ++ "icmpv4": { ++ "type": "integer" ++ }, ++ "ipv4_in_ipv6_too_small": { ++ "type": "integer" ++ }, ++ "ipv4_in_ipv6_wrong_version": { ++ "type": "integer" ++ }, ++ "ipv6_in_ipv6_too_small": { ++ "type": "integer" ++ }, ++ "ipv6_in_ipv6_wrong_version": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "rh_type_0": { ++ "type": "integer" ++ }, ++ "trunc_exthdr": { ++ "type": "integer" ++ }, ++ "trunc_pkt": { ++ "type": "integer" ++ }, ++ "unknown_next_header": { ++ "type": "integer" ++ }, ++ "wrong_ip_version": { ++ "type": "integer" ++ }, ++ "zero_len_padn": { ++ "type": "integer" ++ } ++ }, ++ 
"additionalProperties": false ++ }, ++ "ltnull": { ++ "type": "object", ++ "properties": { ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "unsupported_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "mpls": { ++ "type": "object", ++ "properties": { ++ "bad_label_implicit_null": { ++ "type": "integer" ++ }, ++ "bad_label_reserved": { ++ "type": "integer" ++ }, ++ "bad_label_router_alert": { ++ "type": "integer" ++ }, ++ "header_too_small": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "unknown_payload_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "nsh": { ++ "type": "object", ++ "properties": { ++ "bad_header_length": { ++ "type": "integer" ++ }, ++ "header_too_small": { ++ "type": "integer" ++ }, ++ "reserved_type": { ++ "type": "integer" ++ }, ++ "unknown_payload": { ++ "type": "integer" ++ }, ++ "unsupported_type": { ++ "type": "integer" ++ }, ++ "unsupported_version": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ppp": { ++ "type": "object", ++ "properties": { ++ "ip4_pkt_too_small": { ++ "type": "integer" ++ }, ++ "ip6_pkt_too_small": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "unsup_proto": { ++ "type": "integer" ++ }, ++ "vju_pkt_too_small": { ++ "type": "integer" ++ }, ++ "wrong_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "pppoe": { ++ "type": "object", ++ "properties": { ++ "malformed_tags": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ }, ++ "wrong_code": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "sctp": { ++ "type": "object", ++ "properties": { ++ "pkt_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "sll": { ++ "type": "object", ++ "properties": { ++ "pkt_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, 
++ "tcp": { ++ "type": "object", ++ "properties": { ++ "hlen_too_small": { ++ "type": "integer" ++ }, ++ "invalid_optlen": { ++ "type": "integer" ++ }, ++ "opt_duplicate": { ++ "type": "integer" ++ }, ++ "opt_invalid_len": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "udp": { ++ "type": "object", ++ "properties": { ++ "hlen_invalid": { ++ "type": "integer" ++ }, ++ "hlen_too_small": { ++ "type": "integer" ++ }, ++ "pkt_too_small": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "vlan": { ++ "type": "object", ++ "properties": { ++ "header_too_small": { ++ "type": "integer" ++ }, ++ "too_many_layers": { ++ "type": "integer" ++ }, ++ "unknown_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "vntag": { ++ "type": "object", ++ "properties": { ++ "header_too_small": { ++ "type": "integer" ++ }, ++ "unknown_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "vxlan": { ++ "type": "object", ++ "properties": { ++ "unknown_payload_type": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "defrag": { ++ "type": "object", ++ "properties": { ++ "max_frag_hits": { ++ "type": "integer" ++ }, ++ "ipv4": { ++ "type": "object", ++ "properties": { ++ "fragments": { ++ "type": "integer" ++ }, ++ "reassembled": { ++ "type": "integer" ++ }, ++ "timeouts": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ipv6": { ++ "type": "object", ++ "properties": { ++ "fragments": { ++ "type": "integer" ++ }, ++ "reassembled": { ++ "type": "integer" ++ }, ++ "timeouts": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "detect": { ++ "type": "object", ++ "properties": { ++ "alert": { ++ "type": "integer" ++ }, ++ 
"alert_queue_overflow": { ++ "type": "integer" ++ }, ++ "alerts_suppressed": { ++ "type": "integer" ++ }, ++ "engines": { ++ "type": "array", ++ "items": [ ++ { ++ "type": "object", ++ "properties": { ++ "id": { ++ "type": "integer" ++ }, ++ "last_reload": { ++ "type": "string" ++ }, ++ "rules_loaded": { ++ "type": "integer" ++ }, ++ "rules_failed": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ ] ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "file_store": { ++ "type": "object", ++ "properties": { ++ "fs_errors": { ++ "type": "integer" ++ }, ++ "open_files": { ++ "type": "integer" ++ }, ++ "open_files_max_hit": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "flow": { ++ "type": "object", ++ "properties": { ++ "emerg_mode_entered": { ++ "type": "integer" ++ }, ++ "emerg_mode_over": { ++ "type": "integer" ++ }, ++ "get_used": { ++ "type": "integer" ++ }, ++ "get_used_eval": { ++ "type": "integer" ++ }, ++ "get_used_eval_busy": { ++ "type": "integer" ++ }, ++ "get_used_eval_reject": { ++ "type": "integer" ++ }, ++ "get_used_failed": { ++ "type": "integer" ++ }, ++ "icmpv4": { ++ "type": "integer" ++ }, ++ "icmpv6": { ++ "type": "integer" ++ }, ++ "memcap": { ++ "type": "integer" ++ }, ++ "memuse": { ++ "type": "integer" ++ }, ++ "spare": { ++ "type": "integer" ++ }, ++ "tcp": { ++ "type": "integer" ++ }, ++ "tcp_reuse": { ++ "type": "integer" ++ }, ++ "udp": { ++ "type": "integer" ++ }, ++ "mgr": { ++ "type": "object", ++ "properties": { ++ "bypassed_pruned": { ++ "type": "integer" ++ }, ++ "closed_pruned": { ++ "type": "integer" ++ }, ++ "est_pruned": { ++ "type": "integer" ++ }, ++ "flows_checked": { ++ "type": "integer" ++ }, ++ "flows_evicted": { ++ "type": "integer" ++ }, ++ "flows_evicted_needs_work": { ++ "type": "integer" ++ }, ++ "flows_notimeout": { ++ "type": "integer" ++ }, ++ "flows_timeout": { ++ "type": "integer" ++ }, ++ "flows_timeout_inuse": { ++ "type": "integer" ++ }, ++ 
"full_hash_pass": { ++ "type": "integer" ++ }, ++ "new_pruned": { ++ "type": "integer" ++ }, ++ "rows_maxlen": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "wrk": { ++ "type": "object", ++ "properties": { ++ "flows_evicted": { ++ "type": "integer" ++ }, ++ "flows_evicted_needs_work": { ++ "type": "integer" ++ }, ++ "flows_evicted_pkt_inject": { ++ "type": "integer" ++ }, ++ "flows_injected": { ++ "type": "integer" ++ }, ++ "spare_sync": { ++ "type": "integer" ++ }, ++ "spare_sync_avg": { ++ "type": "integer" ++ }, ++ "spare_sync_empty": { ++ "type": "integer" ++ }, ++ "spare_sync_incomplete": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "flow_bypassed": { ++ "type": "object", ++ "properties": { ++ "bytes": { ++ "type": "integer" ++ }, ++ "closed": { ++ "type": "integer" ++ }, ++ "local_bytes": { ++ "type": "integer" ++ }, ++ "local_capture_bytes": { ++ "type": "integer" ++ }, ++ "local_capture_pkts": { ++ "type": "integer" ++ }, ++ "local_pkts": { ++ "type": "integer" ++ }, ++ "pkts": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "flow_mgr": { ++ "type": "object", ++ "properties": { ++ "bypassed_pruned": { ++ "type": "integer" ++ }, ++ "closed_pruned": { ++ "type": "integer" ++ }, ++ "est_pruned": { ++ "type": "integer" ++ }, ++ "flows_checked": { ++ "type": "integer" ++ }, ++ "flows_notimeout": { ++ "type": "integer" ++ }, ++ "flows_removed": { ++ "type": "integer" ++ }, ++ "flows_timeout": { ++ "type": "integer" ++ }, ++ "flows_timeout_inuse": { ++ "type": "integer" ++ }, ++ "new_pruned": { ++ "type": "integer" ++ }, ++ "rows_busy": { ++ "type": "integer" ++ }, ++ "rows_checked": { ++ "type": "integer" ++ }, ++ "rows_empty": { ++ "type": "integer" ++ }, ++ "rows_maxlen": { ++ "type": "integer" ++ }, ++ "rows_skipped": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ftp": { ++ "type": "object", ++ 
"properties": { ++ "memcap": { ++ "type": "integer" ++ }, ++ "memuse": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "http": { ++ "type": "object", ++ "properties": { ++ "memcap": { ++ "type": "integer" ++ }, ++ "memuse": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "tcp": { ++ "type": "object", ++ "properties": { ++ "insert_data_normal_fail": { ++ "type": "integer" ++ }, ++ "insert_data_overlap_fail": { ++ "type": "integer" ++ }, ++ "insert_list_fail": { ++ "type": "integer" ++ }, ++ "invalid_checksum": { ++ "type": "integer" ++ }, ++ "memuse": { ++ "type": "integer" ++ }, ++ "midstream_pickups": { ++ "type": "integer" ++ }, ++ "no_flow": { ++ "type": "integer" ++ }, ++ "overlap": { ++ "type": "integer" ++ }, ++ "overlap_diff_data": { ++ "type": "integer" ++ }, ++ "pkt_on_wrong_thread": { ++ "type": "integer" ++ }, ++ "pseudo": { ++ "type": "integer" ++ }, ++ "pseudo_failed": { ++ "type": "integer" ++ }, ++ "reassembly_gap": { ++ "type": "integer" ++ }, ++ "reassembly_memuse": { ++ "type": "integer" ++ }, ++ "rst": { ++ "type": "integer" ++ }, ++ "segment_memcap_drop": { ++ "type": "integer" ++ }, ++ "sessions": { ++ "type": "integer" ++ }, ++ "ssn_memcap_drop": { ++ "type": "integer" ++ }, ++ "stream_depth_reached": { ++ "type": "integer" ++ }, ++ "syn": { ++ "type": "integer" ++ }, ++ "synack": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "tcp": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "ack": { ++ "type": "boolean" ++ }, ++ "cwr": { ++ "type": "boolean" ++ }, ++ "ecn": { ++ "type": "boolean" ++ }, ++ "fin": { ++ "type": "boolean" ++ }, ++ "psh": { ++ "type": "boolean" ++ }, ++ "rst": { ++ "type": "boolean" ++ }, ++ "state": { ++ "type": "string" ++ }, ++ "syn": { ++ "type": "boolean" ++ }, ++ "tcp_flags": { ++ "type": "string" ++ }, ++ "tcp_flags_tc": { ++ "type": "string" ++ }, ++ "tcp_flags_ts": { ++ 
"type": "string" ++ }, ++ "urg": { ++ "type": "boolean" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "template": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "request": { ++ "type": "string" ++ }, ++ "response": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "tftp": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "file": { ++ "type": "string" ++ }, ++ "mode": { ++ "type": "string" ++ }, ++ "packet": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "tls": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "fingerprint": { ++ "type": "string" ++ }, ++ "from_proto": { ++ "type": "string" ++ }, ++ "issuerdn": { ++ "type": "string" ++ }, ++ "notafter": { ++ "type": "string" ++ }, ++ "notbefore": { ++ "type": "string" ++ }, ++ "serial": { ++ "type": "string" ++ }, ++ "session_resumed": { ++ "type": "boolean" ++ }, ++ "sni": { ++ "type": "string" ++ }, ++ "subject": { ++ "type": "string" ++ }, ++ "version": { ++ "type": "string" ++ }, ++ "ja3": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "hash": { ++ "type": "string" ++ }, ++ "string": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "ja3s": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "hash": { ++ "type": "string" ++ }, ++ "string": { ++ "type": "string" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "traffic": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "id": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ }, ++ "label": { ++ "type": "array", ++ "items": { ++ "type": "string" ++ } ++ } ++ }, ++ "additionalProperties": false ++ }, ++ "tunnel": { ++ "type": "object", ++ "optional": true, ++ "properties": { ++ "depth": { ++ "type": "integer" ++ }, ++ "dest_ip": { ++ "type": "string" ++ }, ++ "dest_port": { ++ "type": "integer" ++ }, ++ "pcap_cnt": { ++ 
"type": "integer" ++ }, ++ "pkt_src": { ++ "type": "string" ++ }, ++ "proto": { ++ "type": "string" ++ }, ++ "src_ip": { ++ "type": "string" ++ }, ++ "src_port": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ }, ++ "additionalProperties": false, ++ "$defs": { ++ "stats_applayer_error": { ++ "type": "object", ++ "properties": { ++ "gap": { ++ "type": "integer" ++ }, ++ "alloc": { ++ "type": "integer" ++ }, ++ "parser": { ++ "type": "integer" ++ }, ++ "internal": { ++ "type": "integer" ++ } ++ }, ++ "additionalProperties": false ++ } ++ } ++} +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-55628-003.patch b/recipes-ids/suricata/files/CVE-2024-55628-003.patch new file mode 100644 index 0000000..c498a6b --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-55628-003.patch 
@@ -0,0 +1,114 @@ +From 5edb84fe234f47a0fedfbf9b10b49699152fe8cb Mon Sep 17 00:00:00 2001 +From: Jason Ish +Date: Thu, 31 Oct 2024 15:46:35 -0600 +Subject: [PATCH] eve/dns: add truncation flags for fields that are truncated + +If rrname, rdata or mname are truncated, set a flag field like +'rrname_truncated: true' to indicate that the name is truncated. + +Ticket: #7280 + +(cherry picked from commit 37f4c52b22fcdde4adf9b479cb5700f89d00768d) + +CVE: CVE-2024-55628 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/5edb84fe234f47a0fedfbf9b10b49699152fe8cb] +Signed-off-by: Hitendra Prajapati +--- + etc/schema.json | 7 +++++++ + rust/src/dns/log.rs | 19 +++++++++++++++++++ + 2 files changed, 26 insertions(+) + +diff --git a/etc/schema.json b/etc/schema.json +index 99f419f..422d77c 100644 +--- a/etc/schema.json ++++ b/etc/schema.json +@@ -790,6 +790,9 @@ + "rrname": { + "type": "string" + }, ++ "rrname_truncated": { ++ "type": "boolean" ++ }, + "rrtype": { + "type": "string" + }, +@@ -2365,6 +2368,10 @@ + "type": "array", + "items": { + "type": "integer" ++ }, ++ "rrname_truncated": { ++ "description": "Set to true if the rrname was too long and truncated by Suricata", ++ "type": "boolean" + } + } + }, +diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs +index 6bf9589..d0e468d 100644 +--- a/rust/src/dns/log.rs ++++ b/rust/src/dns/log.rs +@@ -399,7 +399,13 @@ fn dns_log_soa(soa: &DNSRDataSOA) -> Result { + let mut js = JsonBuilder::try_new_object()?; + + js.set_string_from_bytes("mname", &soa.mname.value)?; ++ if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) { ++ js.set_bool("mname_truncated", true)?; ++ } + js.set_string_from_bytes("rname", &soa.rname.value)?; ++ if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) { ++ js.set_bool("rname_truncated", true)?; ++ } + js.set_uint("serial", soa.serial as u64)?; + js.set_uint("refresh", soa.refresh as u64)?; + js.set_uint("retry", soa.retry as u64)?; +@@ -444,6 +450,9 @@ fn 
dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result Result { + jsa.set_string_from_bytes("rdata", &name.value)?; ++ if name.flags.contains(DNSNameFlags::TRUNCATED) { ++ jsa.set_bool("rdata_truncated", true)?; ++ } + } + DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => { + jsa.set_string_from_bytes("rdata", bytes)?; +@@ -506,6 +518,9 @@ fn dns_log_json_answer( + + if let Some(query) = response.queries.first() { + js.set_string_from_bytes("rrname", &query.name.value)?; ++ if query.name.flags.contains(DNSNameFlags::TRUNCATED) { ++ js.set_bool("rrname_truncated", true)?; ++ } + js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?; + } + js.set_string("rcode", &dns_rcode_string(header.flags))?; +@@ -532,6 +547,7 @@ fn dns_log_json_answer( + | DNSRData::MX(name) + | DNSRData::NS(name) + | DNSRData::PTR(name) => { ++ // Flags like truncated not logged here as it would break the schema. + if !answer_types.contains_key(&type_string) { + answer_types + .insert(type_string.to_string(), JsonBuilder::try_new_array()?); +@@ -620,6 +636,9 @@ fn dns_log_query( + jb.set_string("type", "query")?; + jb.set_uint("id", request.header.tx_id as u64)?; + jb.set_string_from_bytes("rrname", &query.name.value)?; ++ if query.name.flags.contains(DNSNameFlags::TRUNCATED) { ++ jb.set_bool("rrname_truncated", true)?; ++ } + jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?; + jb.set_uint("tx_id", tx.id - 1)?; + if request.header.flags & 0x0040 != 0 { +-- +2.50.1 + diff --git a/recipes-ids/suricata/files/CVE-2024-55628-004.patch b/recipes-ids/suricata/files/CVE-2024-55628-004.patch new file mode 100644 index 0000000..5a2bcf6 --- /dev/null +++ b/recipes-ids/suricata/files/CVE-2024-55628-004.patch 
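Review bot: the etc/schema.json hunks in CVE-2024-55628-003.patch declare only `rrname_truncated`, but the rust/src/dns/log.rs hunks in the same patch also emit `mname_truncated` and `rname_truncated` (in dns_log_soa) and `rdata_truncated` (in the rdata branch). If the SOA and answer objects in the schema are closed with `"additionalProperties": false`, EVE records carrying those three flags will fail schema validation, so either add matching boolean properties for them or confirm that those objects accept extra keys. The grouped-answer path skips the flag on purpose ("Flags like truncated not logged here as it would break the schema"), which means consumers of the grouped format cannot tell a truncated name from a complete one; that limitation deserves a line in the patch description.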
@@ -0,0 +1,510 @@ +From 71212b78bd1b7b841c9d9a907d0b3eea71a54060 Mon Sep 17 00:00:00 2001 +From: Jason Ish +Date: Fri, 1 Nov 2024 11:39:23 -0600 +Subject: [PATCH] dns: provide events for recoverable parse errors + +Add events for the following resource name parsing issues: + +- name truncated as its too long +- maximum number of labels reached +- infinite loop + +Currently these events are only registered when encountered, but +recoverable. That is where we are able to return some of the name, +usually in a truncated state. + +As name parsing has many code paths, we pass in a pointer to a flag +field that can be updated by the name parser, this is done in +addition to the flags being set on a specific name as when logging we +want to designate which fields are truncated, etc. But for alerts, we +just care that something happened during the parse. It also reduces +errors as it won't be forgotten to check for the flags and set the +event if some new parser is written that also parses names. 
+ +Ticket: #7280 + +(cherry picked from commit 19cf0f81335d9f787d587450f7105ad95a648951) + +CVE: CVE-2024-55628 +Upstream-Status: Backport [https://github.com/OISF/suricata/commit/71212b78bd1b7b841c9d9a907d0b3eea71a54060] +Signed-off-by: Hitendra Prajapati +--- + rules/dns-events.rules | 9 +++ + rust/src/dns/dns.rs | 36 ++++++++++- + rust/src/dns/parser.rs | 136 +++++++++++++++++++++++++---------------- + 3 files changed, 124 insertions(+), 57 deletions(-) + +diff --git a/rules/dns-events.rules b/rules/dns-events.rules +index d4c02b5..cc43629 100644 +--- a/rules/dns-events.rules ++++ b/rules/dns-events.rules +@@ -8,3 +8,12 @@ alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; + # Z flag (reserved) not 0 + alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;) + alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;) ++ ++# A resource name was too long (over 1025 chars) ++alert dns any any -> any any (msg:"SURICATA DNS Name too long"; app-layer-event:dns.name_too_long; classtype:protocol-command-decode; sid:224008; rev:1;) ++ ++# An infinite loop was found while decoding a DNS resource name. ++alert dns any any -> any any (msg:"SURICATA DNS Infinite loop"; app-layer-event:dns.infinite_loop; classtype:protocol-command-decode; sid:224009; rev:1;) ++ ++# Suricata's maximum number of DNS name labels was reached while parsing a resource name. 
++alert dns any any -> any any (msg:"SURICATA DNS Too many labels"; app-layer-event:dns.too_many_labels; classtype:protocol-command-decode; sid:224010; rev:1;) +diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs +index 680bf7e..34406dc 100644 +--- a/rust/src/dns/dns.rs ++++ b/rust/src/dns/dns.rs +@@ -129,6 +129,12 @@ pub enum DNSEvent { + NotResponse, + ZFlagSet, + InvalidOpcode, ++ /// A DNS resource name was exessively long and was truncated. ++ NameTooLong, ++ /// An infinite loop was found while parsing a name. ++ InfiniteLoop, ++ /// Too many labels were found. ++ TooManyLabels, + } + + #[derive(Debug, PartialEq, Eq)] +@@ -418,7 +424,7 @@ impl DNSState { + }; + + match parser::dns_parse_request_body(body, input, header) { +- Ok((_, request)) => { ++ Ok((_, (request, parse_flags))) => { + if request.header.flags & 0x8000 != 0 { + SCLogDebug!("DNS message is not a request"); + self.set_event(DNSEvent::NotRequest); +@@ -441,6 +447,18 @@ impl DNSState { + self.set_event(DNSEvent::InvalidOpcode); + } + ++ if parse_flags.contains(DNSNameFlags::TRUNCATED) { ++ self.set_event(DNSEvent::NameTooLong); ++ } ++ ++ if parse_flags.contains(DNSNameFlags::INFINITE_LOOP) { ++ self.set_event(DNSEvent::InfiniteLoop); ++ } ++ ++ if parse_flags.contains(DNSNameFlags::LABEL_LIMIT) { ++ self.set_event(DNSEvent::TooManyLabels); ++ } ++ + return true; + } + Err(Err::Incomplete(_)) => { +@@ -490,7 +508,7 @@ impl DNSState { + }; + + match parser::dns_parse_response_body(body, input, header) { +- Ok((_, response)) => { ++ Ok((_, (response, parse_flags))) => { + SCLogDebug!("Response header flags: {}", response.header.flags); + + if response.header.flags & 0x8000 == 0 { +@@ -519,6 +537,18 @@ impl DNSState { + self.set_event(DNSEvent::InvalidOpcode); + } + ++ if parse_flags.contains(DNSNameFlags::TRUNCATED) { ++ self.set_event(DNSEvent::NameTooLong); ++ } ++ ++ if parse_flags.contains(DNSNameFlags::INFINITE_LOOP) { ++ self.set_event(DNSEvent::InfiniteLoop); ++ } ++ ++ if 
parse_flags.contains(DNSNameFlags::LABEL_LIMIT) { ++ self.set_event(DNSEvent::TooManyLabels); ++ } ++ + return true; + } + Err(Err::Incomplete(_)) => { +@@ -718,7 +748,7 @@ fn probe(input: &[u8], dlen: usize) -> (bool, bool, bool) { + } + + match parser::dns_parse_request(input) { +- Ok((_, request)) => { ++ Ok((_, (request, _))) => { + return probe_header_validity(&request.header, dlen); + } + Err(Err::Incomplete(_)) => match parser::dns_parse_header(input) { +diff --git a/rust/src/dns/parser.rs b/rust/src/dns/parser.rs +index 12929bc..c98ba05 100644 +--- a/rust/src/dns/parser.rs ++++ b/rust/src/dns/parser.rs +@@ -81,7 +81,7 @@ static MAX_NAME_LEN: usize = 1025; + /// Parameters: + /// start: the start of the name + /// message: the complete message that start is a part of with the DNS header +-pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8], DNSName> { ++pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8], parse_flags: &mut DNSNameFlags) -> IResult<&'b [u8], DNSName> { + let mut pos = start; + let mut pivot = start; + let mut name: Vec = Vec::with_capacity(32); +@@ -166,6 +166,8 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 + } + } + ++ parse_flags.insert(flags); ++ + // If we followed a pointer we return the position after the first + // pointer followed. Is there a better way to see if these slices + // diverged from each other? A straight up comparison would +@@ -188,7 +190,7 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 + /// multi-string TXT entry as a single quote string, similar to the + /// output of dig. Something to consider for a future version. 
+ fn dns_parse_answer<'a>( +- slice: &'a [u8], message: &'a [u8], count: usize, ++ slice: &'a [u8], message: &'a [u8], count: usize, flags: &mut DNSNameFlags, + ) -> IResult<&'a [u8], Vec> { + let mut answers = Vec::new(); + let mut input = slice; +@@ -201,8 +203,10 @@ fn dns_parse_answer<'a>( + data: &'a [u8], + } + +- fn subparser<'a>(i: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], Answer<'a>> { +- let (i, name) = dns_parse_name(i, message)?; ++ fn subparser<'a>( ++ i: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, ++ ) -> IResult<&'a [u8], Answer<'a>> { ++ let (i, name) = dns_parse_name(i, message, flags)?; + let (i, rrtype) = be_u16(i)?; + let (i, rrclass) = be_u16(i)?; + let (i, ttl) = be_u32(i)?; +@@ -218,7 +222,7 @@ fn dns_parse_answer<'a>( + } + + for _ in 0..count { +- match subparser(input, message) { ++ match subparser(input, message, flags) { + Ok((rem, val)) => { + let n = match val.rrtype { + DNS_RECORD_TYPE_TXT => { +@@ -236,7 +240,7 @@ fn dns_parse_answer<'a>( + } + }; + let result: IResult<&'a [u8], Vec> = +- many_m_n(1, n, complete(|b| dns_parse_rdata(b, message, val.rrtype)))(val.data); ++ many_m_n(1, n, complete(|b| dns_parse_rdata(b, message, val.rrtype, flags)))(val.data); + match result { + Ok((_, rdatas)) => { + for rdata in rdatas { +@@ -266,18 +270,19 @@ fn dns_parse_answer<'a>( + + pub fn dns_parse_response_body<'a>( + i: &'a [u8], message: &'a [u8], header: DNSHeader, +-) -> IResult<&'a [u8], DNSResponse> { +- let (i, queries) = count(|b| dns_parse_query(b, message), header.questions as usize)(i)?; +- let (i, answers) = dns_parse_answer(i, message, header.answer_rr as usize)?; +- let (i, authorities) = dns_parse_answer(i, message, header.authority_rr as usize)?; ++) -> IResult<&'a [u8], (DNSResponse, DNSNameFlags)> { ++ let mut flags = DNSNameFlags::default(); ++ let (i, queries) = count(|b| dns_parse_query(b, message, &mut flags), header.questions as usize)(i)?; ++ let (i, answers) = dns_parse_answer(i, message, 
header.answer_rr as usize, &mut flags)?; ++ let (i, authorities) = dns_parse_answer(i, message, header.authority_rr as usize, &mut flags)?; + Ok(( + i, +- DNSResponse { ++ (DNSResponse { + header, + queries, + answers, + authorities, +- }, ++ }, flags), + )) + } + +@@ -286,9 +291,9 @@ pub fn dns_parse_response_body<'a>( + /// Arguments are suitable for using with call!: + /// + /// call!(complete_dns_message_buffer) +-pub fn dns_parse_query<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSQueryEntry> { ++pub fn dns_parse_query<'a>(input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags) -> IResult<&'a [u8], DNSQueryEntry> { + let i = input; +- let (i, name) = dns_parse_name(i, message)?; ++ let (i, name) = dns_parse_name(i, message, flags)?; + let (i, rrtype) = be_u16(i)?; + let (i, rrclass) = be_u16(i)?; + Ok(( +@@ -309,22 +314,30 @@ fn dns_parse_rdata_aaaa(input: &[u8]) -> IResult<&[u8], DNSRData> { + rest(input).map(|(input, data)| (input, DNSRData::AAAA(data.to_vec()))) + } + +-fn dns_parse_rdata_cname<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { +- dns_parse_name(input, message).map(|(input, name)| (input, DNSRData::CNAME(name))) ++fn dns_parse_rdata_cname<'a>( ++ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, ++) -> IResult<&'a [u8], DNSRData> { ++ dns_parse_name(input, message, flags).map(|(input, name)| (input, DNSRData::CNAME(name))) + } + +-fn dns_parse_rdata_ns<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { +- dns_parse_name(input, message).map(|(input, name)| (input, DNSRData::NS(name))) ++fn dns_parse_rdata_ns<'a>( ++ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, ++) -> IResult<&'a [u8], DNSRData> { ++ dns_parse_name(input, message, flags).map(|(input, name)| (input, DNSRData::NS(name))) + } + +-fn dns_parse_rdata_ptr<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { +- dns_parse_name(input, message).map(|(input, name)| 
(input, DNSRData::PTR(name))) ++fn dns_parse_rdata_ptr<'a>( ++ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, ++) -> IResult<&'a [u8], DNSRData> { ++ dns_parse_name(input, message, flags).map(|(input, name)| (input, DNSRData::PTR(name))) + } + +-fn dns_parse_rdata_soa<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { ++fn dns_parse_rdata_soa<'a>( ++ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, ++) -> IResult<&'a [u8], DNSRData> { + let i = input; +- let (i, mname) = dns_parse_name(i, message)?; +- let (i, rname) = dns_parse_name(i, message)?; ++ let (i, mname) = dns_parse_name(i, message, flags)?; ++ let (i, rname) = dns_parse_name(i, message, flags)?; + let (i, serial) = be_u32(i)?; + let (i, refresh) = be_u32(i)?; + let (i, retry) = be_u32(i)?; +@@ -344,20 +357,24 @@ fn dns_parse_rdata_soa<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u + )) + } + +-fn dns_parse_rdata_mx<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { ++fn dns_parse_rdata_mx<'a>( ++ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, ++) -> IResult<&'a [u8], DNSRData> { + // For MX we skip over the preference field before + // parsing out the name. 
+ let (i, _) = be_u16(input)?; +- let (i, name) = dns_parse_name(i, message)?; ++ let (i, name) = dns_parse_name(i, message, flags)?; + Ok((i, DNSRData::MX(name))) + } + +-fn dns_parse_rdata_srv<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { ++fn dns_parse_rdata_srv<'a>( ++ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, ++) -> IResult<&'a [u8], DNSRData> { + let i = input; + let (i, priority) = be_u16(i)?; + let (i, weight) = be_u16(i)?; + let (i, port) = be_u16(i)?; +- let (i, target) = dns_parse_name(i, message)?; ++ let (i, target) = dns_parse_name(i, message, flags)?; + Ok(( + i, + DNSRData::SRV(DNSRDataSRV { +@@ -398,26 +415,26 @@ fn dns_parse_rdata_unknown(input: &[u8]) -> IResult<&[u8], DNSRData> { + } + + pub fn dns_parse_rdata<'a>( +- input: &'a [u8], message: &'a [u8], rrtype: u16, ++ input: &'a [u8], message: &'a [u8], rrtype: u16, flags: &mut DNSNameFlags + ) -> IResult<&'a [u8], DNSRData> { + match rrtype { + DNS_RECORD_TYPE_A => dns_parse_rdata_a(input), + DNS_RECORD_TYPE_AAAA => dns_parse_rdata_aaaa(input), +- DNS_RECORD_TYPE_CNAME => dns_parse_rdata_cname(input, message), +- DNS_RECORD_TYPE_PTR => dns_parse_rdata_ptr(input, message), +- DNS_RECORD_TYPE_SOA => dns_parse_rdata_soa(input, message), +- DNS_RECORD_TYPE_MX => dns_parse_rdata_mx(input, message), +- DNS_RECORD_TYPE_NS => dns_parse_rdata_ns(input, message), ++ DNS_RECORD_TYPE_CNAME => dns_parse_rdata_cname(input, message, flags), ++ DNS_RECORD_TYPE_PTR => dns_parse_rdata_ptr(input, message, flags), ++ DNS_RECORD_TYPE_SOA => dns_parse_rdata_soa(input, message, flags), ++ DNS_RECORD_TYPE_MX => dns_parse_rdata_mx(input, message, flags), ++ DNS_RECORD_TYPE_NS => dns_parse_rdata_ns(input, message, flags), + DNS_RECORD_TYPE_TXT => dns_parse_rdata_txt(input), + DNS_RECORD_TYPE_NULL => dns_parse_rdata_null(input), + DNS_RECORD_TYPE_SSHFP => dns_parse_rdata_sshfp(input), +- DNS_RECORD_TYPE_SRV => dns_parse_rdata_srv(input, message), ++ DNS_RECORD_TYPE_SRV => 
dns_parse_rdata_srv(input, message, flags), + _ => dns_parse_rdata_unknown(input), + } + } + + /// Parse a DNS request. +-pub fn dns_parse_request(input: &[u8]) -> IResult<&[u8], DNSRequest> { ++pub fn dns_parse_request(input: &[u8]) -> IResult<&[u8], (DNSRequest, DNSNameFlags)> { + let i = input; + let (i, header) = dns_parse_header(i)?; + dns_parse_request_body(i, input, header) +@@ -425,10 +442,11 @@ pub fn dns_parse_request(input: &[u8]) -> IResult<&[u8], DNSRequest> { + + pub fn dns_parse_request_body<'a>( + input: &'a [u8], message: &'a [u8], header: DNSHeader, +-) -> IResult<&'a [u8], DNSRequest> { ++) -> IResult<&'a [u8], (DNSRequest, DNSNameFlags)> { ++ let mut flags = DNSNameFlags::default(); + let i = input; +- let (i, queries) = count(|b| dns_parse_query(b, message), header.questions as usize)(i)?; +- Ok((i, DNSRequest { header, queries })) ++ let (i, queries) = count(|b| dns_parse_query(b, message, &mut flags), header.questions as usize)(i)?; ++ Ok((i, (DNSRequest { header, queries }, flags))) + } + + #[cfg(test)] +@@ -447,7 +465,8 @@ mod tests { + 0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, /* .com.... */ + ]; + let expected_remainder: &[u8] = &[0x00, 0x01, 0x00]; +- let (remainder, name) = dns_parse_name(buf, buf).unwrap(); ++ let mut flags = DNSNameFlags::default(); ++ let (remainder, name) = dns_parse_name(buf, buf, &mut flags).unwrap(); + assert_eq!("client-cf.dropbox.com".as_bytes(), &name.value[..]); + assert_eq!(remainder, expected_remainder); + } +@@ -481,7 +500,8 @@ mod tests { + + // The name at offset 54 is the complete name. + let start1 = &buf[54..]; +- let res1 = dns_parse_name(start1, message); ++ let mut flags = DNSNameFlags::default(); ++ let res1 = dns_parse_name(start1, message, &mut flags); + assert_eq!( + res1, + Ok(( +@@ -496,7 +516,8 @@ mod tests { + // The second name starts at offset 80, but is just a pointer + // to the first. 
+ let start2 = &buf[80..]; +- let res2 = dns_parse_name(start2, message); ++ let mut flags = DNSNameFlags::default(); ++ let res2 = dns_parse_name(start2, message, &mut flags); + assert_eq!( + res2, + Ok(( +@@ -511,7 +532,8 @@ mod tests { + // The third name starts at offset 94, but is a pointer to a + // portion of the first. + let start3 = &buf[94..]; +- let res3 = dns_parse_name(start3, message); ++ let mut flags = DNSNameFlags::default(); ++ let res3 = dns_parse_name(start3, message, &mut flags); + assert_eq!( + res3, + Ok(( +@@ -526,7 +548,8 @@ mod tests { + // The fourth name starts at offset 110, but is a pointer to a + // portion of the first. + let start4 = &buf[110..]; +- let res4 = dns_parse_name(start4, message); ++ let mut flags = DNSNameFlags::default(); ++ let res4 = dns_parse_name(start4, message, &mut flags); + assert_eq!( + res4, + Ok(( +@@ -567,7 +590,8 @@ mod tests { + // packet). + let start: &[u8] = &buf[100..]; + +- let res = dns_parse_name(start, message); ++ let mut flags = DNSNameFlags::default(); ++ let res = dns_parse_name(start, message, &mut flags); + assert_eq!( + res, + Ok(( +@@ -595,7 +619,7 @@ mod tests { + + let res = dns_parse_request(pkt); + match res { +- Ok((rem, request)) => { ++ Ok((rem, (request, _flags))) => { + // For now we have some remainder data as there is an + // additional record type we don't parse yet. + assert!(!rem.is_empty()); +@@ -626,7 +650,7 @@ mod tests { + } + + /// Parse a DNS response. +- fn dns_parse_response(message: &[u8]) -> IResult<&[u8], DNSResponse> { ++ fn dns_parse_response(message: &[u8]) -> IResult<&[u8], (DNSResponse, DNSNameFlags)> { + let i = message; + let (i, header) = dns_parse_header(i)?; + dns_parse_response_body(i, message, header) +@@ -653,7 +677,7 @@ mod tests { + + let res = dns_parse_response(pkt); + match res { +- Ok((rem, response)) => { ++ Ok((rem, (response, _flags))) => { + // The response should be full parsed. 
+ assert_eq!(rem.len(), 0); + +@@ -745,7 +769,7 @@ mod tests { + + let res = dns_parse_response(pkt); + match res { +- Ok((rem, response)) => { ++ Ok((rem, (response, _flags))) => { + // For now we have some remainder data as there is an + // additional record type we don't parse yet. + assert!(!rem.is_empty()); +@@ -812,7 +836,7 @@ mod tests { + + let res = dns_parse_response(pkt); + match res { +- Ok((rem, response)) => { ++ Ok((rem, (response, _flags))) => { + // The response should be fully parsed. + assert_eq!(rem.len(), 0); + +@@ -924,7 +948,7 @@ mod tests { + + let res = dns_parse_response(pkt); + match res { +- Ok((rem, response)) => { ++ Ok((rem, (response, _flags))) => { + // The data should be fully parsed. + assert_eq!(rem.len(), 0); + +@@ -978,7 +1002,8 @@ mod tests { + } + } + +- let (rem, name) = dns_parse_name(&buf, &buf).unwrap(); ++ let mut flags = DNSNameFlags::default(); ++ let (rem, name) = dns_parse_name(&buf, &buf, &mut flags).unwrap(); + assert_eq!(name.value.len(), MAX_NAME_LEN); + assert!(name.flags.contains(DNSNameFlags::TRUNCATED)); + assert!(rem.is_empty()); +@@ -995,7 +1020,8 @@ mod tests { + // This should fail as we've hit the segment limit without a + // pointer, we'd need to keep parsing more segments to figure + // out where the next data point lies. 
+- assert!(dns_parse_name(&buf, &buf).is_err()); ++ let mut flags = DNSNameFlags::default(); ++ assert!(dns_parse_name(&buf, &buf, &mut flags).is_err()); + } + + #[test] +@@ -1015,7 +1041,8 @@ mod tests { + buf.push(0b1100_0000); + buf.push(0b000_0000); + +- let (_rem, name) = dns_parse_name(&buf[4..], &buf).unwrap(); ++ let mut flags = DNSNameFlags::default(); ++ let (_rem, name) = dns_parse_name(&buf[4..], &buf, &mut flags).unwrap(); + assert_eq!(name.value.len(), 255); + assert!(name.flags.contains(DNSNameFlags::TRUNCATED)); + } +@@ -1025,6 +1052,7 @@ mod tests { + let mut buf = vec![]; + buf.push(0b1100_0000); + buf.push(0b0000_0000); +- assert!(dns_parse_name(&buf, &buf).is_err()); ++ let mut flags = DNSNameFlags::default(); ++ assert!(dns_parse_name(&buf, &buf, &mut flags).is_err()); + } + } +-- +2.50.1 + diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb index 4a1857e..58ed688 100644 --- a/recipes-ids/suricata/suricata_7.0.0.bb +++ b/recipes-ids/suricata/suricata_7.0.0.bb 
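Review bot: the three rules added to rules/dns-events.rules in CVE-2024-55628-004.patch use `sid:224008`, `sid:224009` and `sid:224010`, six digits, while the neighbouring DNS event rules in the same file use seven (`sid:2240006`, `sid:2240007`), so the new IDs look like they dropped a zero and sit outside the 2240xxx numbering the existing rules use. As this is a backport, check the values against upstream before carrying them and record any deviation in the patch header. In rust/src/dns/parser.rs the updated tests pass `&mut flags` to `dns_parse_name` but never read it back: the two truncation tests still assert only `name.flags.contains(DNSNameFlags::TRUNCATED)`, which leaves the new out-parameter and the `parse_flags.insert(flags)` line untested. An `assert!(flags.contains(DNSNameFlags::TRUNCATED))` beside each of those assertions would cover them.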
@@ -31,6 +31,13 @@ SRC_URI += " \ file://CVE-2024-32867-002.patch \ file://CVE-2024-32867-003.patch \ file://CVE-2024-32867-004.patch \ + file://CVE-2024-55627-001.patch \ + file://CVE-2024-55627-002.patch \ + file://CVE-2024-55627-003.patch \ + file://CVE-2024-55628-001.patch \ + file://CVE-2024-55628-002.patch \ + file://CVE-2024-55628-003.patch \ + file://CVE-2024-55628-004.patch \ " inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates
From patchwork Sun Nov 23 23:45:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75290
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 24/32] python3-fail2ban: fix ptest failures
Date: Sun, 23 Nov 2025 18:45:04 -0500
Message-ID: <7a38b2fa92503e6de7e2d52e75dca8b9389c5590.1763938436.git.scott.murray@konsulko.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:53 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2681

From: Yi Zhao

Fix ptest failures by backporting patch and updating test case config files.

Before the patch:
$ ptest-runner python3-fail2ban
START: ptest-runner
2025-09-11T15:42
BEGIN: /usr/lib64/python3-fail2ban/ptest
Ran 524 tests in 23.023s
FAILED (failures=5, errors=7, skipped=3)
DURATION: 24
END: /usr/lib64/python3-fail2ban/ptest
2025-09-11T15:42
STOP: ptest-runner
TOTAL: 1 FAIL: 1

After the patch:
$ ptest-runner python3-fail2ban
START: ptest-runner
2025-09-11T15:59
BEGIN: /usr/lib64/python3-fail2ban/ptest
Ran 524 tests in 25.982s
OK (skipped=3)
DURATION: 27
END: /usr/lib64/python3-fail2ban/ptest
2025-09-11T15:59
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Yi Zhao
Signed-off-by: Scott Murray
---
 ...ges-the-IPs-again.-additionally-it-g.patch | 210 ++++++++++++++++++
 ...case.py-set-correct-config-dir-for-t.patch | 34 +++
 .../fail2ban/python3-fail2ban_git.bb | 12 +-
 3 files changed, 255 insertions(+), 1 deletion(-)
 create mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch
 create mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch new file mode 100644 index 0000000..73014ab --- /dev/null +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch 
@@ -0,0 +1,210 @@ +From 5b6c13f0aae79a23d94570bacd1b5796e57f088d Mon Sep 17 00:00:00 2001 +From: sebres +Date: Thu, 30 Jan 2025 01:05:30 +0100 +Subject: [PATCH] example.com changes the IPs, again... additionally it got + more IPs, which look unstable now (depends on resolver), so replaced with + fail2ban.org, that seems to resolve to single IPv4 and IPv6 (can be adjusted + later for something more persistent) + + +Upstream-Status: Backport +[https://github.com/fail2ban/fail2ban/commit/5b6c13f0aae79a23d94570bacd1b5796e57f088d] + +Signed-off-by: Yi Zhao +--- + .../tests/files/logs/apache-fakegooglebot | 6 +- + fail2ban/tests/files/testcase-usedns.log | 4 +- + fail2ban/tests/filtertestcase.py | 58 +++++++++---------- + fail2ban/tests/utils.py | 4 +- + 4 files changed, 36 insertions(+), 36 deletions(-) + +diff --git a/fail2ban/tests/files/logs/apache-fakegooglebot b/fail2ban/tests/files/logs/apache-fakegooglebot +index b77a1a6b..024842fd 100644 +--- a/fail2ban/tests/files/logs/apache-fakegooglebot ++++ b/fail2ban/tests/files/logs/apache-fakegooglebot +@@ -1,5 +1,5 @@ + # Apache 2.2 + # failJSON: { "time": "2015-01-31T14:29:44", "match": true, "host": "66.249.66.1" } +-66.249.66.1 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546 +-# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "93.184.215.14" } +-93.184.215.14 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546 ++66.249.66.1 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546 ++# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "51.159.55.100" } ++51.159.55.100 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546 +diff --git 
a/fail2ban/tests/files/testcase-usedns.log b/fail2ban/tests/files/testcase-usedns.log +index eea6eb44..3e7b36bb 100644 +--- a/fail2ban/tests/files/testcase-usedns.log ++++ b/fail2ban/tests/files/testcase-usedns.log +@@ -1,2 +1,2 @@ +-Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2 +-Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2 ++Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2 ++Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2 +diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py +index 20945b78..26961a1b 100644 +--- a/fail2ban/tests/filtertestcase.py ++++ b/fail2ban/tests/filtertestcase.py +@@ -587,14 +587,14 @@ class IgnoreIP(LogCaptureTestCase): + self.assertNotLogged("returned successfully") + + def testIgnoreCauseOK(self): +- ip = "93.184.215.14" ++ ip = "51.159.55.100" + for ignore_source in ["dns", "ip", "command"]: + self.filter.logIgnoreIp(ip, True, ignore_source=ignore_source) + self.assertLogged("[%s] Ignore %s by %s" % (self.jail.name, ip, ignore_source)) + + def testIgnoreCauseNOK(self): +- self.filter.logIgnoreIp("example.com", False, ignore_source="NOT_LOGGED") +- self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "example.com", "NOT_LOGGED")) ++ self.filter.logIgnoreIp("fail2ban.org", False, ignore_source="NOT_LOGGED") ++ self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "fail2ban.org", "NOT_LOGGED")) + + + class IgnoreIPDNS(LogCaptureTestCase): +@@ -607,7 +607,7 @@ class IgnoreIPDNS(LogCaptureTestCase): + self.filter = FileFilter(self.jail) + + def testIgnoreIPDNS(self): +- for dns in ("www.epfl.ch", "example.com"): ++ for dns in ("www.epfl.ch", "fail2ban.org"): + self.filter.addIgnoreIP(dns) + ips = DNSUtils.dnsToIp(dns) + self.assertTrue(len(ips) > 0) +@@ -1892,22 +1892,22 @@ class 
GetFailures(LogCaptureTestCase): + #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. + # We should still catch failures with usedns = no ;-) + output_yes = ( +- ('93.184.215.14', 1, 1124013299.0, +- ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2'] ++ ('51.159.55.100', 1, 1124013299.0, ++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2'] + ), +- ('93.184.215.14', 1, 1124013539.0, +- ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2'] ++ ('51.159.55.100', 1, 1124013539.0, ++ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2'] + ), +- ('2606:2800:21f:cb07:6820:80da:af6b:8b2c', 1, 1124013299.0, +- ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2'] ++ ('2001:bc8:1200:6:208:a2ff:fe0c:61f8', 1, 1124013299.0, ++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2'] + ), + ) + if not unittest.F2B.no_network and not DNSUtils.IPv6IsAllowed(): + output_yes = output_yes[0:2] + + output_no = ( +- ('93.184.215.14', 1, 1124013539.0, +- ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2'] ++ ('51.159.55.100', 1, 1124013539.0, ++ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2'] + ) + ) + +@@ -2098,10 +2098,10 @@ class DNSUtilsNetworkTests(unittest.TestCase): + super(DNSUtilsNetworkTests, self).setUp() + #unittest.F2B.SkipIfNoNetwork() + +- ## example.com IPs considering IPv6 support (without network it is simulated via cache in utils). ++ ## fail2ban.org IPs considering IPv6 support (without network it is simulated via cache in utils). 
+ EXAMPLE_ADDRS = ( +- ['93.184.215.14', '2606:2800:21f:cb07:6820:80da:af6b:8b2c'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \ +- ['93.184.215.14'] ++ ['51.159.55.100', '2001:bc8:1200:6:208:a2ff:fe0c:61f8'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \ ++ ['51.159.55.100'] + ) + + def test_IPAddr(self): +@@ -2163,13 +2163,13 @@ class DNSUtilsNetworkTests(unittest.TestCase): + self.assertTrue(r < ip6) + + def testUseDns(self): +- res = DNSUtils.textToIp('www.example.com', 'no') ++ res = DNSUtils.textToIp('www.fail2ban.org', 'no') + self.assertSortedEqual(res, []) + #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. +- res = DNSUtils.textToIp('www.example.com', 'warn') ++ res = DNSUtils.textToIp('www.fail2ban.org', 'warn') + # sort ipaddr, IPv4 is always smaller as IPv6 + self.assertSortedEqual(res, self.EXAMPLE_ADDRS) +- res = DNSUtils.textToIp('www.example.com', 'yes') ++ res = DNSUtils.textToIp('www.fail2ban.org', 'yes') + # sort ipaddr, IPv4 is always smaller as IPv6 + self.assertSortedEqual(res, self.EXAMPLE_ADDRS) + +@@ -2177,13 +2177,13 @@ class DNSUtilsNetworkTests(unittest.TestCase): + #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. 
+ # Test hostnames + hostnames = [ +- 'www.example.com', ++ 'www.fail2ban.org', + 'doh1.2.3.4.buga.xxxxx.yyy.invalid', + '1.2.3.4.buga.xxxxx.yyy.invalid', + ] + for s in hostnames: + res = DNSUtils.textToIp(s, 'yes') +- if s == 'www.example.com': ++ if s == 'www.fail2ban.org': + # sort ipaddr, IPv4 is always smaller as IPv6 + self.assertSortedEqual(res, self.EXAMPLE_ADDRS) + else: +@@ -2234,8 +2234,8 @@ class DNSUtilsNetworkTests(unittest.TestCase): + + self.assertEqual(IPAddr('192.0.2.0').getPTR(), '0.2.0.192.in-addr.arpa.') + self.assertEqual(IPAddr('192.0.2.1').getPTR(), '1.2.0.192.in-addr.arpa.') +- self.assertEqual(IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c').getPTR(), +- 'c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa.') ++ self.assertEqual(IPAddr('2001:db8::1').getPTR(), ++ '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.') + + def testIPAddr_Equal6(self): + self.assertEqual( +@@ -2365,10 +2365,10 @@ class DNSUtilsNetworkTests(unittest.TestCase): + + def testIPAddr_CompareDNS(self): + #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. 
+- ips = IPAddr('example.com') +- self.assertTrue(IPAddr("93.184.215.14").isInNet(ips)) +- self.assertEqual(IPAddr("2606:2800:21f:cb07:6820:80da:af6b:8b2c").isInNet(ips), +- "2606:2800:21f:cb07:6820:80da:af6b:8b2c" in self.EXAMPLE_ADDRS) ++ ips = IPAddr('fail2ban.org') ++ self.assertTrue(IPAddr("51.159.55.100").isInNet(ips)) ++ self.assertEqual(IPAddr("2001:bc8:1200:6:208:a2ff:fe0c:61f8").isInNet(ips), ++ "2001:bc8:1200:6:208:a2ff:fe0c:61f8" in self.EXAMPLE_ADDRS) + + def testIPAddr_wrongDNS_IP(self): + unittest.F2B.SkipIfNoNetwork() +@@ -2376,11 +2376,11 @@ class DNSUtilsNetworkTests(unittest.TestCase): + DNSUtils.ipToName('*') + + def testIPAddr_Cached(self): +- ips = [DNSUtils.dnsToIp('example.com'), DNSUtils.dnsToIp('example.com')] ++ ips = [DNSUtils.dnsToIp('fail2ban.org'), DNSUtils.dnsToIp('fail2ban.org')] + for ip1, ip2 in zip(ips, ips): + self.assertEqual(id(ip1), id(ip2)) +- ip1 = IPAddr('93.184.215.14'); ip2 = IPAddr('93.184.215.14'); self.assertEqual(id(ip1), id(ip2)) +- ip1 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); ip2 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); self.assertEqual(id(ip1), id(ip2)) ++ ip1 = IPAddr('51.159.55.100'); ip2 = IPAddr('51.159.55.100'); self.assertEqual(id(ip1), id(ip2)) ++ ip1 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); ip2 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); self.assertEqual(id(ip1), id(ip2)) + + def test_NetworkInterfacesAddrs(self): + for withMask in (False, True): +diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py +index f71ba60a..e6ef54f3 100644 +--- a/fail2ban/tests/utils.py ++++ b/fail2ban/tests/utils.py +@@ -326,8 +326,8 @@ def initTests(opts): + ('failed.dns.ch', set()), + ('doh1.2.3.4.buga.xxxxx.yyy.invalid', set()), + ('1.2.3.4.buga.xxxxx.yyy.invalid', set()), +- ('example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])), +- ('www.example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])), ++ 
('fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])), ++ ('www.fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])), + ): + c.set(*i) + # if fast - precache all host names as localhost addresses (speed-up getSelfIPs/ignoreself): +-- +2.34.1 + diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch new file mode 100644 index 0000000..ab957da --- /dev/null +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch 
@@ -0,0 +1,34 @@ +From 9137d3f47a9e0c0e1aad11a71bb8ac8d0ba21b4e Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Thu, 11 Sep 2025 22:36:07 +0800 +Subject: [PATCH] clientreadertestcase.py: set correct config dir for + testReadStockJailFilterComplete + +In test case testReadStockJailFilterComplete, set configuration +directory to CONFIG_DIR (/etc/fail2ban/filter.d on the target) instead +of the hardcoded "config" directory. Otherwise, the config files will +not be found during runtime testing. + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao +--- + fail2ban/tests/clientreadertestcase.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py +index 0388fd3d..670e5b76 100644 +--- a/fail2ban/tests/clientreadertestcase.py ++++ b/fail2ban/tests/clientreadertestcase.py +@@ -861,7 +861,7 @@ class JailsReaderTest(LogCaptureTestCase): + self.assertTrue(jails.getOptions()) # reads fine + # grab all filter names + filters = set(os.path.splitext(os.path.split(a)[1])[0] +- for a in glob.glob(os.path.join('config', 'filter.d', '*.conf')) ++ for a in glob.glob(os.path.join(CONFIG_DIR, 'filter.d', '*.conf')) + if not (a.endswith('common.conf') or a.endswith('-aggressive.conf'))) + # get filters of all jails (filter names without options inside filter[...]) + filters_jail = set( +-- +2.34.1 + diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb index 444574a..eb20a88 100644 --- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb 
@@ -13,6 +13,8 @@ DEPENDS = "python3-native" SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78" SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \ + file://0001-example.com-changes-the-IPs-again.-additionally-it-g.patch \ + file://0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch \ file://initd \ file://run-ptest \ " 
@@ -49,8 +51,16 @@ do_install_ptest:append () { sed -i -e 's/##PYTHON##/python3/g' ${D}${PTEST_PATH}/run-ptest install -D ${S}/bin/* ${D}${PTEST_PATH}/bin rm -f ${D}${PTEST_PATH}/bin/fail2ban-python -} + for i in checklogtype.conf zzz-generic-example.conf zzz-sshd-obsolete-multiline.conf; do + sed -i -e 's|^before =.*|before = ${sysconfdir}/fail2ban/filter.d/common.conf|g' \ + ${D}${PYTHON_SITEPACKAGES_DIR}/fail2ban/tests/config/filter.d/${i} + done + + install -m 0644 ${S}/README.md ${D}${PTEST_PATH} + sed -i -e 's|^logpath = README.md|logpath = ${PTEST_PATH}/README.md|g' \ + ${D}${PYTHON_SITEPACKAGES_DIR}/fail2ban/tests/config/jail.conf +} INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "fail2ban-server" From patchwork Sun Nov 23 23:45:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75296 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA495CFD342 for ; Sun, 23 Nov 2025 23:45:53 +0000 (UTC) Received: from mail-qk1-f173.google.com (mail-qk1-f173.google.com [209.85.222.173]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5050.1763941544916846400 for ; Sun, 23 Nov 2025 15:45:45 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=qu78bbCc; spf=pass (domain: konsulko.com, ip: 209.85.222.173, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f173.google.com with SMTP id af79cd13be357-8b2d7c38352so506495585a.0 for ; Sun, 23 Nov 2025 15:45:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941544; x=1764546344; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to 
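Review bot: The EXAMPLE_ADDRS hunk in filtertestcase.py, together with the matching cache entries in tests/utils.py, swaps one pair of live, resolver-dependent addresses for another (51.159.55.100 and 2001:bc8:1200:6:208:a2ff:fe0c:61f8 for fail2ban.org), so the expectations will go stale again the next time that host is renumbered. The getPTR hunk already moves to the documentation address 2001:db8::1; where a test only needs a stable name-to-address mapping, consider relying on the cache set up in utils.py or on reserved addresses in the same way, and keep real lookups to the tests that call SkipIfNoNetwork().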
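Review bot: In the clientreadertestcase.py hunk the glob becomes os.path.join(CONFIG_DIR, 'filter.d', '*.conf'), but the commit message describes CONFIG_DIR as /etc/fail2ban/filter.d; joined with 'filter.d' that would be /etc/fail2ban/filter.d/filter.d, so the message presumably means /etc/fail2ban and should say so. The hunk also does not show where CONFIG_DIR comes from in this module; please confirm it is already imported at the top of the file, otherwise the test fails with a NameError instead of the missing-file problem it is meant to fix.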
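Review bot: The loop added to do_install_ptest:append hardcodes three filter names (checklogtype.conf, zzz-generic-example.conf, zzz-sshd-obsolete-multiline.conf), so a test filter with a "before =" line that arrives with a later SRCREV bump is missed silently and only fails when the ptest runs on the target. Consider selecting the files by content, for example grep -l '^before =' over tests/config/filter.d, and add a comment that the rewritten path makes these test configs depend on the installed ${sysconfdir}/fail2ban/filter.d/common.conf.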
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 25/32] fail2ban: Adapt test output to Automake format for ptest compatibility
Date: Sun, 23 Nov 2025 18:45:05 -0500
Message-ID: <2fb507fc9a060cc8a7405b8aae23af46bfb4ecf2.1763938436.git.scott.murray@konsulko.com>
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2683

From: Haixiao Yan

Convert fail2ban-testcases output to follow Automake-compatible format
(PASS:/FAIL:) so that ptest-runner can correctly parse and report test
results.

root@intel-x86-64:~# ptest-runner python3-fail2ban -t 300
START: ptest-runner
2025-09-22T07:57
BEGIN: /usr/lib64/python3-fail2ban/ptest
Fail2ban 1.1.1.dev1 test suite. Python 3.12.11 (main, Jun 3 2025, 15:41:47) [GCC 13.4.0]. Please wait...
I: Skipping smtp tests: No module named 'smtpd'
I: Skipping SSL smtp tests: No module named 'aiosmtpd'
PASS: fail2ban.tests.servertestcase.Transmitter.testAction
PASS: fail2ban.tests.servertestcase.Transmitter.testAddJail
PASS: fail2ban.tests.servertestcase.Transmitter.testDatabase
PASS: fail2ban.tests.servertestcase.Transmitter.testDatePattern
PASS: fail2ban.tests.servertestcase.Transmitter.testGetNOK
PASS: fail2ban.tests.servertestcase.Transmitter.testJailAttemptIP
PASS: fail2ban.tests.servertestcase.Transmitter.testJailBanIP
...
PASS: fail2ban.tests.servertestcase.TransmitterLogging.testBanTimeIncr
PASS: fail2ban.tests.servertestcase.TransmitterLogging.testFlushLogs
PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogLevel
PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogTarget
PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogTargetSYSLOG
PASS: fail2ban.tests.servertestcase.TransmitterLogging.testSyslogSocket
PASS: fail2ban.tests.servertestcase.TransmitterLogging.testSyslogSocketNOK
============================================================================
Testsuite summary
DURATION: 48
END: /usr/lib64/python3-fail2ban/ptest
2025-09-22T07:58
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Haixiao Yan
Signed-off-by: Scott Murray --- ...ao.unittest.TestRunner-for-ptest-out.patch | 43 +++++++++++++++++++ .../fail2ban/python3-fail2ban_git.bb | 9 +++- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-fail2ban-use-putao.unittest.TestRunner-for-ptest-out.patch diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-fail2ban-use-putao.unittest.TestRunner-for-ptest-out.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-fail2ban-use-putao.unittest.TestRunner-for-ptest-out.patch new file mode 100644 index 0000000..c6729cc --- /dev/null +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-fail2ban-use-putao.unittest.TestRunner-for-ptest-out.patch 
@@ -0,0 +1,43 @@ +From 7b42974b5bf20d9db8e788e9d6817004556d660d Mon Sep 17 00:00:00 2001 +From: Haixiao Yan +Date: Fri, 19 Sep 2025 15:03:56 +0800 +Subject: [PATCH] fail2ban: use putao.unittest.TestRunner for ptest output + +Switch the test runner from unittest's default TextTestRunner to +putao.unittest.TestRunner (provided by unittest-automake-output) so +that results are reported in Automake-compatible PASS/FAIL format. +This enables ptest-runner to correctly parse and summarize individual +test results. + +Upstream-Status: Pending + +Signed-off-by: Haixiao Yan +--- + bin/fail2ban-testcases | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/bin/fail2ban-testcases b/bin/fail2ban-testcases +index 48aae4b5ffdc..20db4a01a3d6 100755 +--- a/bin/fail2ban-testcases ++++ b/bin/fail2ban-testcases +@@ -28,7 +28,7 @@ import logging + import os + import sys + import time +-import unittest ++import putao.unittest + + # Check if local fail2ban module exists, and use if it exists by + # modifying the path. This is done so that tests can be used in dev +@@ -63,7 +63,7 @@ tests = gatherTests(regexps, opts) + # + # Run the tests + # +-testRunner = unittest.TextTestRunner(verbosity=verbosity) ++testRunner = putao.unittest.TestRunner() + + tests_results = testRunner.run(tests) + +-- +2.34.1 + diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb index eb20a88..72a932b 100644 --- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb 
@@ -15,6 +15,7 @@ SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78" SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \ file://0001-example.com-changes-the-IPs-again.-additionally-it-g.patch \ file://0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch \ + file://0001-fail2ban-use-putao.unittest.TestRunner-for-ptest-out.patch \ file://initd \ file://run-ptest \ " 
@@ -71,6 +72,12 @@ INSANE_SKIP:${PN}:append = "already-stripped" RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} nftables python3-core python3-pyinotify" RDEPENDS:${PN} += "python3-sqlite3" RDEPENDS:${PN} += " python3-logging python3-fcntl python3-json" -RDEPENDS:${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" +RDEPENDS:${PN}-ptest = " \ + python3-core \ + python3-io \ + python3-modules \ + python3-fail2ban \ + python3-unittest-automake-output \ + " RRECOMMENDS:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'python3-systemd', '', d)}" From patchwork Sun Nov 23 23:45:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75295 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B8262CFD340 for ; Sun, 23 Nov 2025 23:45:53 +0000 (UTC) Received: from mail-qk1-f182.google.com (mail-qk1-f182.google.com [209.85.222.182]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5051.1763941545908609959 for ; Sun, 23 Nov 2025 15:45:46 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=ozcXJCwy; spf=pass (domain: konsulko.com, ip: 209.85.222.182, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f182.google.com with SMTP id af79cd13be357-8b2dcdde698so560446085a.3 for ; Sun, 23 Nov 2025 15:45:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941545; x=1764546345; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YuSXdBYrl3w5a84464sHxAPQ1UzSF2krdp7cjTU41LY=; 
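Review bot: The second hunk of bin/fail2ban-testcases builds the runner as putao.unittest.TestRunner() and drops the verbosity=verbosity argument the old TextTestRunner received, so the verbosity value computed earlier in the script no longer reaches the runner; state in the commit message that this is intended, or pass it through if TestRunner accepts it. The first hunk also replaces "import unittest" outright, which leaves any other "unittest." reference in the script (not visible in these hunks) unbound; keeping "import unittest" next to the new import would rule that out.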
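Review bot: The SRC_URI hunk adds a second patch carrying the 0001- prefix (0001-fail2ban-use-putao.unittest.TestRunner-for-ptest-out.patch) after 0001-example.com-... and 0002-clientreadertestcase.py-..., so the file names no longer reflect the order in which the patches apply. Renaming it to 0003-... would keep the series readable for whoever next has to rebase or drop one of them.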
[107.179.213.3]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8b32932db59sm843706585a.1.2025.11.23.15.45.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 23 Nov 2025 15:45:43 -0800 (PST) From: Scott Murray To: yocto-patches@lists.yoctoproject.org Subject: [meta-security][scarthgap][PATCH 26/32] fail2ban: replace fail2ban-python shebang with python3 Date: Sun, 23 Nov 2025 18:45:06 -0500 Message-ID: <4c8212c19ff9482f97abaff6d5d7a93531c2ea89.1763938436.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 23 Nov 2025 23:45:53 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2684 From: Haixiao Yan In Yocto, there is only one Python interpreter (python3), and the auto-generated "fail2ban-python" symlink is not used. To ensure all installed scripts can run correctly, replace the shebang line from "#!/usr/bin/env fail2ban-python" to "#!/usr/bin/env python3" during installation. Signed-off-by: Haixiao Yan Signed-off-by: Scott Murray --- .../recipes-security/fail2ban/python3-fail2ban_git.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb index 72a932b..e95048f 100644 --- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb @@ -44,6 +44,7 @@ do_install:append () { chown -R root:root ${D}/${bindir} rm -rf ${D}/run + find ${D}${sysconfdir} -type f -exec sed -i '1s/env fail2ban-python/env python3/' {} + } do_install_ptest:append () { 
@@ -61,6 +62,8 @@ do_install_ptest:append () { install -m 0644 ${S}/README.md ${D}${PTEST_PATH} sed -i -e 's|^logpath = README.md|logpath = ${PTEST_PATH}/README.md|g' \ ${D}${PYTHON_SITEPACKAGES_DIR}/fail2ban/tests/config/jail.conf + find ${D}${PYTHON_SITEPACKAGES_DIR} -type f -exec sed -i \ + '1s/env fail2ban-python/env python3/' {} + } INITSCRIPT_PACKAGES = "${PN}" From patchwork Sun Nov 23 23:45:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75294 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC3CECFD31F for ; Sun, 23 Nov 2025 23:45:53 +0000 (UTC) Received: from mail-qk1-f175.google.com (mail-qk1-f175.google.com [209.85.222.175]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.5052.1763941546958997884 for ; Sun, 23 Nov 2025 15:45:47 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=iTMsDXLD; spf=pass (domain: konsulko.com, ip: 209.85.222.175, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f175.google.com with SMTP id af79cd13be357-8b2ec756de0so400762785a.3 for ; Sun, 23 Nov 2025 15:45:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1763941546; x=1764546346; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Z9pW4jtxJNty2Ksuhn66YclmAHPGEgviBCO9QG9b68M=; b=iTMsDXLD49UBO4OjWQSH1oAf0mVuwtIuKrRAXz01DllRW76XwdsPJ0n8fAPfuNa7LO g1NxLWCxojXwVt7lZyN+eAAK5tHkorBUZ2Ctidz+Zl5Unw1SjgmjfQfzVMurvEjuham8 0VLMdHEh7+RRrx9D3MwfJQqfabfL+Qk6n/mRA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; 
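Review bot: In the do_install:append hunk, find ... -exec sed -i runs over every regular file under ${D}${sysconfdir}, and sed -i rewrites each file whether or not its first line matches. Limiting the rewrite to files that actually start with the old shebang (for instance by selecting them with grep -l first) avoids touching unrelated configuration files and shows in the log which scripts were changed.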
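Review bot: The ${PYTHON_SITEPACKAGES_DIR} rewrite is placed in do_install_ptest:append, so it runs only as part of the ptest install step, while the commit message promises that all installed scripts get the python3 shebang. If non-test files under site-packages carry "env fail2ban-python", move this find into do_install:append next to the ${sysconfdir} one; if only files under fail2ban/tests do, narrow the path accordingly and say so in the message.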
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 27/32] suricata: resolve TMPDIR QA issues in do_configure
Date: Sun, 23 Nov 2025 18:45:07 -0500
Message-ID: <4eac7ea05daeb2281d251f556a6a800e9a937932.1763938436.git.scott.murray@konsulko.com>
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2685

From: Clayton Casciato

ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/bin/suricata in package suricata contains reference to TMPDIR [buildpaths]
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/src/debug/suricata/7.0.0/src/build-info.h in package suricata-src contains reference to TMPDIR [buildpaths]

Address references when src/build-info.h is being written

This is similar to Debian's approach:
https://sources.debian.org/patches/suricata/1:7.0.10-1~bpo12%2B1/reproducible.patch/

Restore the "already-stripped" check and CFLAGS info

Original resolution in commit c0e3fecc3bea ("suricata: fix QA warnings")

Signed-off-by: Clayton Casciato
Signed-off-by: Armin Kuster
(cherry picked from commit 277bf8f9160540d582fec58f0f2139b4e4aebef0)
Signed-off-by: Scott Murray
---
 recipes-ids/suricata/suricata_7.0.0.bb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb
index 58ed688..e2e94e2 100644
--- a/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -85,9 +85,25 @@ do_configure:prepend () { # use host for RUST_SURICATA_LIB_XC_DIR sed -i -e 's,\${host_alias},${RUST_HOST_SYS},' ${S}/configure.ac sed -i -e 's,libsuricata_rust.a,libsuricata.a,' ${S}/configure.ac + # Address build configuration written to src/build-info.h + sed -i -e 's,\(| sed -e '\''s/^/"/'\''\)\( |\),\1 -e '\''s#${WORKDIR}#\\.#g'\''\2,' ${S}/configure.ac oe_runconf } +CFLAGS += "-Wno-error=incompatible-pointer-types" + +# Commit 7a2b9acef2 cargo: pass PACKAGECONFIG_CONFARGS to cargo build +# breaks building this recipe. Providing a copy of the original function +# Armin 2025/04/01 +# +oe_cargo_build () { + export RUSTFLAGS="${RUSTFLAGS}" + bbnote "Using rust targets from ${RUST_TARGET_PATH}" + bbnote "cargo = $(which ${CARGO})" + bbnote "${CARGO} build ${CARGO_BUILD_FLAGS}$@" + "${CARGO}" build ${CARGO_BUILD_FLAGS}"$@" +} + do_compile () { # we do this to bypass the make provided by this pkg # patches Makefile to skip the subdir From patchwork Sun Nov 23 23:45:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 75291 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A3CB5CFD31E for ; Sun, 23 Nov 2025 23:45:53 +0000 (UTC) Received: from mail-qk1-f175.google.com (mail-qk1-f175.google.com [209.85.222.175]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4871.1763941548264716718 for ; Sun, 23 Nov 2025 15:45:48 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=OrzHewmq; spf=pass (domain: konsulko.com, ip: 209.85.222.175, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f175.google.com with SMTP id af79cd13be357-8b29ff9d18cso370993785a.3 for ; Sun, 23 Nov 2025 15:45:48 -0800 (PST) 
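Review bot: Besides the configure.ac sed that the commit message describes, this hunk adds CFLAGS += "-Wno-error=incompatible-pointer-types" and a recipe-local copy of oe_cargo_build, neither of which relates to the TMPDIR QA issue or is explained in the message. Demoting incompatible-pointer-types from an error hides a class of real type bugs in a daemon that parses untrusted traffic, so it deserves its own commit with the failing compiler output, and the oe_cargo_build override should state which branch the referenced commit 7a2b9acef2 affects so it can be dropped later. Please also check the last two lines of the override: as shown here, ${CARGO_BUILD_FLAGS} is followed by $@ with no space in between, which would glue the first argument onto the last build flag.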
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 28/32] suricata: drop pkg_postinst_ontarget systemd init
Date: Sun, 23 Nov 2025 18:45:08 -0500
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2686
From: Clayton Casciato

/var/log/suricata initialization is handled by systemd-tmpfiles-setup.service, which occurs before services like suricata

Work towards resolving:
ERROR: [...] do_rootfs: The following packages could not be configured offline and rootfs is read-only: ['100-suricata']

Added in commit 36d656fe7244 ("suricata: add tmpfiles.d config")

systemd testing:
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# systemctl enable suricata
Created symlink '/etc/systemd/system/multi-user.target.wants/suricata.service' -> '/usr/lib/systemd/system/suricata.service'.
root@beaglebone-yocto:~# rmdir /var/log/suricata
root@beaglebone-yocto:~# reboot now

root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# journalctl -o short-iso-precise -u systemd-tmpfiles-setup -u suricata
2025-05-20T00:45:46.450027+00:00 beaglebone-yocto systemd[1]: Starting Create System Files and Directories...
[...]
2025-05-20T00:45:47.041049+00:00 beaglebone-yocto systemd[1]: Finished Create System Files and Directories.
2025-05-20T00:45:47.542976+00:00 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon.
[...]

Signed-off-by: Clayton Casciato
Signed-off-by: Armin Kuster
(cherry picked from commit 9109f7258dc60c88985869ceff5ca3523cd01400)
Signed-off-by: Scott Murray
---
 recipes-ids/suricata/suricata_7.0.0.bb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb
index e2e94e2..7a6b930 100644
--- a/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -148,9 +148,7 @@ do_install () { } pkg_postinst_ontarget:${PN} () { -if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf -elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then +if [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then ${sysconfdir}/init.d/populate-volatile.sh update fi }
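Review bot: pkg_postinst_ontarget:${PN} is still defined after this change, so the package keeps an on-target postinst whose body now does nothing on a systemd image unless ${sysconfdir}/init.d/populate-volatile.sh exists. The commit message describes this as work towards the read-only rootfs do_rootfs error for '100-suricata', so it would help to state there that the remaining populate-volatile.sh branch still defers configuration to the target, or to follow up by removing the function once that branch is handled elsewhere.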

From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 29/32] suricata: fix "interface" arg in systemd service
Date: Sun, 23 Nov 2025 18:45:09 -0500
Message-ID: <6fd611cce084924da3574d70fbb139e15bac55de.1763938436.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2687

From: Clayton Casciato

Fix service startup

https://docs.suricata.io/en/suricata-7.0.0/command-line-options.html#cmdoption-i

Signed-off-by: Clayton Casciato
Signed-off-by: Scott Murray
(cherry picked from commit ca34a66f82caa95b6469f2dee5be6c26bbe2cecc)
Signed-off-by: Scott Murray
---
 recipes-ids/suricata/files/suricata.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-ids/suricata/files/suricata.service b/recipes-ids/suricata/files/suricata.service
index a99a76e..bd7010d 100644
--- a/recipes-ids/suricata/files/suricata.service
+++ b/recipes-ids/suricata/files/suricata.service
@@ -9,7 +9,7 @@ Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki Type=simple CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW RestrictAddressFamilies= -ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0 +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 ExecReload=/bin/kill -HUP $MAINPID PrivateTmp=yes ProtectHome=yes
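Review bot: the capture interface in the new ExecStart line is still hard-coded as eth0, so the corrected -i argument only helps targets whose monitored interface has that name; on any other board the sensor is pointed at an interface that is not there. Suggest taking the name from an EnvironmentFile or from a recipe variable substituted at install time, and quoting in the commit message the startup failure that the bare eth0 argument produced. Separately, the context line RestrictAddressFamilies= is an empty assignment, which leaves the address families unrestricted; that looks worth a follow-up in this unit.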

From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 30/32] suricata: install classification, reference configs
Date: Sun, 23 Nov 2025 18:45:10 -0500
Message-ID: <6e1bac491d9a9243f3e8cbd8ee3bdbe2dad27c94.1763938436.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2688

From: Clayton Casciato

suricata.yaml references these configs

Resolve:
-- could not open: "/etc/suricata/classification.config": No such file or directory
-- please check the "classification-file" option in your suricata.yaml file

Signed-off-by: Clayton Casciato
(cherry picked from commit 9a49fcbd05e46cafb0a2300a035a9528242bd4b2)
Signed-off-by: Scott Murray
---
 recipes-ids/suricata/suricata_7.0.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb
index 7a6b930..021575f 100644
--- a/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -122,6 +122,8 @@ do_install () { install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata + install -m 0644 ${S}/etc/classification.config ${D}${sysconfdir}/suricata + install -m 0644 ${S}/etc/reference.config ${D}${sysconfdir}/suricata install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
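Review bot: the two added install lines read from ${S}/etc/ while the neighbouring threshold.config and suricata.yaml lines read from ${S}/, and the commit message quotes a failure for classification.config only. A one-line comment on why the source directories differ, together with the matching message or suricata.yaml option for reference.config, would let the second added line be reviewed on its own evidence.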

From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 31/32] suricata: populate SYSTEMD_SERVICE for service autostart
Date: Sun, 23 Nov 2025 18:45:11 -0500
Message-ID: <282d281042995e7927812031298ca17f8a0445cd.1763938436.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2689

From: Clayton Casciato

https://docs.yoctoproject.org/dev/ref-manual/variables.html#term-SYSTEMD_SERVICE

Before:
root@beaglebone-yocto:~# systemctl status suricata
* suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://redmine.openinfosecfoundation.org/projects/suricata/wiki

After:
root@beaglebone-yocto:~# systemctl status suricata
* suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-09-22 04:05:08 UTC; 20s ago
 Invocation: 8cfeb29631f443f0830bffeb00975931
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://redmine.openinfosecfoundation.org/projects/suricata/wiki
   Main PID: 268 (Suricata-Main)
      Tasks: 7 (limit: 4915)
     Memory: 36.8M (peak: 37M)
        CPU: 2.222s
     CGroup: /system.slice/suricata.service
             `-268 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

Sep 22 04:05:08 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon.
Sep 22 04:05:09 beaglebone-yocto suricata[268]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: No rule files match the pattern /var/lib/suricata/rules/suricata.rules
Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: 1 rule files specified, but no rules were loaded!
Sep 22 04:05:10 beaglebone-yocto suricata[268]: i: threads: Threads created -> W: 1 FM: 1 FR: 1 Engine started.

Signed-off-by: Clayton Casciato
(cherry picked from commit 0b7b0629bebe98237ce3060ebe132db05cdcc3b7)
Signed-off-by: Scott Murray
---
 recipes-ids/suricata/suricata_7.0.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb
index 021575f..62baa35 100644
--- a/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -156,6 +156,7 @@ fi } SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE:${PN} = "${BPN}.service" PACKAGES =+ "${PN}-python" FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
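Review bot: the added SYSTEMD_SERVICE:${PN} line turns the unit on at boot (the After output shows "enabled; preset: enabled"), and that same output shows the daemon coming up with "No rule files match the pattern /var/lib/suricata/rules/suricata.rules" and no rules loaded. An image that autostarts the IDS with an empty rule set reports an active sensor that detects nothing, so please either document how rules are expected to be provisioned or set SYSTEMD_AUTO_ENABLE explicitly next to this line so that integrators make the choice deliberately.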

From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][scarthgap][PATCH 32/32] suricata: update to 7.0.12
Date: Sun, 23 Nov 2025 18:45:12 -0500
Message-ID: <2c11f9f384f7f421d390064b348f00d9eb7c48da.1763938436.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2690

From: Clayton Casciato

Also update libhtp to required version 0.5.52.

See suricata release notes for more details about changes and CVEs fixed:
https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/
https://suricata.io/2024/03/19/suricata-7-0-4-and-6-0-17-released/
https://suricata.io/2024/04/23/suricata-7-0-5-and-6-0-19-released/
https://suricata.io/2024/06/27/suricata-7-0-6-and-6-0-20-released/
https://suricata.io/2024/10/01/suricata-7-0-7-released/
https://suricata.io/2024/12/12/suricata-7-0-8-released/
https://suricata.io/2025/03/18/suricata-7-0-9-released/
https://suricata.io/2025/07/08/suricata-7-0-11-released/
https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/

Obsolete CVE patches removed.

Signed-off-by: Clayton Casciato
(cherry picked from commit fbb8343cf81b0cfe1dc396b0cd2417a8315de9ad)
Signed-off-by: Scott Murray
---
 ...kefile-from-using-its-own-rust-steps.patch | 40 +
 .../suricata/files/CVE-2024-32663-001.patch | 294 -
 .../suricata/files/CVE-2024-32663-002.patch | 70 -
 .../suricata/files/CVE-2024-32664.patch | 53 -
 .../suricata/files/CVE-2024-32867-001.patch | 235 -
 .../suricata/files/CVE-2024-32867-002.patch | 591 --
 .../suricata/files/CVE-2024-32867-003.patch | 472 --
 .../suricata/files/CVE-2024-32867-004.patch | 169 -
 .../suricata/files/CVE-2024-45795.patch | 123 -
 .../suricata/files/CVE-2024-45796.patch | 33 -
 .../suricata/files/CVE-2024-45797.patch | 148 -
 .../suricata/files/CVE-2024-55605.patch | 205 -
 .../suricata/files/CVE-2024-55627-001.patch | 59 -
 .../suricata/files/CVE-2024-55627-002.patch | 44 -
 .../suricata/files/CVE-2024-55627-003.patch | 41 -
 .../suricata/files/CVE-2024-55628-001.patch | 738 ---
 .../suricata/files/CVE-2024-55628-002.patch | 4877 -----------------
 .../suricata/files/CVE-2024-55628-003.patch | 114 -
 .../suricata/files/CVE-2024-55628-004.patch | 510 --
 .../suricata/files/CVE-2025-29916-01.patch | 124 -
 .../suricata/files/CVE-2025-29916-02.patch | 197 -
 .../suricata/files/CVE-2025-29916-03.patch | 55 -
 .../suricata/files/CVE-2025-29917.patch | 115 -
 .../suricata/files/CVE-2025-29918.patch | 49 -
 .../suricata/files/CVE-2025-53537-001.patch | 79 -
 .../suricata/files/CVE-2025-53537-002.patch | 31 -
 recipes-ids/suricata/files/fixup.patch | 32 -
 .../{libhtp_0.5.45.bb => libhtp_0.5.52.bb} | 8 +-
 recipes-ids/suricata/suricata-crates.inc | 1509 +++--
 .../{suricata_7.0.0.bb => suricata_7.0.12.bb} | 26 +-
 30 files changed, 780 insertions(+), 10261 deletions(-)
 create mode 100644 recipes-ids/suricata/files/0001-Skip-pkg-Makefile-from-using-its-own-rust-steps.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-32663-001.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-32663-002.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-32664.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-32867-001.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-32867-002.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-32867-003.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-32867-004.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-45795.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-45796.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-45797.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-55605.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-55627-001.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-55627-002.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-55627-003.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-55628-001.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-55628-002.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-55628-003.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2024-55628-004.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2025-29916-01.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2025-29916-02.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2025-29916-03.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2025-29917.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2025-29918.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2025-53537-001.patch
 delete mode 100644 recipes-ids/suricata/files/CVE-2025-53537-002.patch
 delete mode 100644 recipes-ids/suricata/files/fixup.patch
 rename recipes-ids/suricata/{libhtp_0.5.45.bb => libhtp_0.5.52.bb} (72%)
 rename recipes-ids/suricata/{suricata_7.0.0.bb => suricata_7.0.12.bb} (86%)

diff --git a/recipes-ids/suricata/files/0001-Skip-pkg-Makefile-from-using-its-own-rust-steps.patch b/recipes-ids/suricata/files/0001-Skip-pkg-Makefile-from-using-its-own-rust-steps.patch
new file mode 100644
index 0000000..12cb096
--- /dev/null
+++ b/recipes-ids/suricata/files/0001-Skip-pkg-Makefile-from-using-its-own-rust-steps.patch @@ -0,0 +1,40 @@ +From a59708a9300df8116867ac77f7829f7fd647325e Mon Sep 17 00:00:00 2001 +From: Clayton Casciato +Date: Mon, 3 Nov 2025 10:30:26 -0700 +Subject: [PATCH] Skip pkg Makefile from using its own rust steps + +Upstream-Status: Inappropriate [OE Specific] + +Signed-off-by: Armin Kuster +Signed-off-by: Clayton Casciato +--- + Makefile.am | 2 +- + Makefile.in | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index d0d3d09..a572912 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -10,7 +10,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \ + scripts/generate-images.sh \ + scripts/docs-almalinux9-minimal-build.sh \ + scripts/docs-ubuntu-debian-minimal-build.sh +-SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ ++SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ + $(SURICATA_UPDATE_DIR) + + CLEANFILES = stamp-h[0-9]* +diff --git a/Makefile.in b/Makefile.in +index 7a89353..3864613 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -428,7 +428,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \ + scripts/docs-almalinux9-minimal-build.sh \ + scripts/docs-ubuntu-debian-minimal-build.sh + +-SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ ++SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ + $(SURICATA_UPDATE_DIR) + + CLEANFILES = stamp-h[0-9]* diff --git a/recipes-ids/suricata/files/CVE-2024-32663-001.patch b/recipes-ids/suricata/files/CVE-2024-32663-001.patch deleted file mode 100644 index f07904a..0000000 --- a/recipes-ids/suricata/files/CVE-2024-32663-001.patch +++ /dev/null 
@@ -1,294 +0,0 @@ -From e68ec4b227d19498f364a41eb25d3182f0383ca5 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Wed, 27 Mar 2024 14:33:54 +0100 -Subject: [PATCH] http2: use a reference counter for headers - -Ticket: 6892 - -As HTTP hpack header compression allows one single byte to -express a previously seen arbitrary-size header block (name+value) -we should avoid to copy the vectors data, but just point -to the same data, while reamining memory safe, even in the case -of later headers eviction from the dybnamic table. - -Rust std solution is Rc, and the use of clone, so long as the -data is accessed by only one thread. - -(cherry picked from commit 390f09692eb99809c679d3f350c7cc185d163e1a) - -CVE: CVE-2024-32663 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5] -Signed-off-by: Hitendra Prajapati ---- - rust/src/http2/detect.rs | 19 +++++++------ - rust/src/http2/http2.rs | 2 +- - rust/src/http2/parser.rs | 61 +++++++++++++++++++++------------------- - 3 files changed, 43 insertions(+), 39 deletions(-) - -diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs -index 99261ad..904b9ad 100644 ---- a/rust/src/http2/detect.rs -+++ b/rust/src/http2/detect.rs -@@ -23,6 +23,7 @@ use crate::core::Direction; - use crate::detect::uint::{detect_match_uint, DetectUintData}; - use std::ffi::CStr; - use std::str::FromStr; -+use std::rc::Rc; - - fn http2_tx_has_frametype( - tx: &mut HTTP2Transaction, direction: Direction, value: u8, -@@ -404,7 +405,7 @@ fn http2_frames_get_header_firstvalue<'a>( - for frame in frames { - if let Some(blocks) = http2_header_blocks(frame) { - for block in blocks.iter() { -- if block.name == name.as_bytes() { -+ if block.name.as_ref() == name.as_bytes() { - return Ok(&block.value); - } - } -@@ -428,7 +429,7 @@ pub fn http2_frames_get_header_value_vec( - for frame in frames { - if let Some(blocks) = http2_header_blocks(frame) { - for block in blocks.iter() { -- if 
block.name == name.as_bytes() { -+ if block.name.as_ref() == name.as_bytes() { - if found == 0 { - vec.extend_from_slice(&block.value); - found = 1; -@@ -465,7 +466,7 @@ fn http2_frames_get_header_value<'a>( - for frame in frames { - if let Some(blocks) = http2_header_blocks(frame) { - for block in blocks.iter() { -- if block.name == name.as_bytes() { -+ if block.name.as_ref() == name.as_bytes() { - if found == 0 { - single = Ok(&block.value); - found = 1; -@@ -905,8 +906,8 @@ fn http2_tx_set_header(state: &mut HTTP2State, name: &[u8], input: &[u8]) { - }; - let mut blocks = Vec::new(); - let b = parser::HTTP2FrameHeaderBlock { -- name: name.to_vec(), -- value: input.to_vec(), -+ name: Rc::new(name.to_vec()), -+ value: Rc::new(input.to_vec()), - error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, - sizeupdate: 0, - }; -@@ -1061,15 +1062,15 @@ mod tests { - }; - let mut blocks = Vec::new(); - let b = parser::HTTP2FrameHeaderBlock { -- name: "Host".as_bytes().to_vec(), -- value: "abc.com".as_bytes().to_vec(), -+ name: "Host".as_bytes().to_vec().into(), -+ value: "abc.com".as_bytes().to_vec().into(), - error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, - sizeupdate: 0, - }; - blocks.push(b); - let b2 = parser::HTTP2FrameHeaderBlock { -- name: "Host".as_bytes().to_vec(), -- value: "efg.net".as_bytes().to_vec(), -+ name: "Host".as_bytes().to_vec().into(), -+ value: "efg.net".as_bytes().to_vec().into(), - error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, - sizeupdate: 0, - }; -diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs -index 326030f..d14ca06 100644 ---- a/rust/src/http2/http2.rs -+++ b/rust/src/http2/http2.rs -@@ -204,7 +204,7 @@ impl HTTP2Transaction { - - fn handle_headers(&mut self, blocks: &[parser::HTTP2FrameHeaderBlock], dir: Direction) { - for block in blocks { -- if block.name == b"content-encoding" { -+ if block.name.as_ref() == b"content-encoding" { - 
self.decoder.http2_encoding_fromvec(&block.value, dir); - } - } -diff --git a/rust/src/http2/parser.rs b/rust/src/http2/parser.rs -index adabeb2..1a46437 100644 ---- a/rust/src/http2/parser.rs -+++ b/rust/src/http2/parser.rs -@@ -30,6 +30,7 @@ use nom7::sequence::tuple; - use nom7::{Err, IResult}; - use std::fmt; - use std::str::FromStr; -+use std::rc::Rc; - - #[repr(u8)] - #[derive(Clone, Copy, PartialEq, Eq, FromPrimitive, Debug)] -@@ -295,8 +296,8 @@ fn http2_frame_header_static(n: u64, dyn_headers: &HTTP2DynTable) -> Option Option, -- pub value: Vec, -+ // Use Rc reference counted so that indexed headers do not get copied. -+ // Otherwise, this leads to quadratic complexity in memory occupation. -+ pub name: Rc>, -+ pub value: Rc>, - pub error: HTTP2HeaderDecodeStatus, - pub sizeupdate: u64, - } -@@ -391,7 +394,7 @@ fn http2_parse_headers_block_literal_common<'a>( - ) -> IResult<&'a [u8], HTTP2FrameHeaderBlock> { - let (i3, name, error) = if index == 0 { - match http2_parse_headers_block_string(input) { -- Ok((r, n)) => Ok((r, n, HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)), -+ Ok((r, n)) => Ok((r, Rc::new(n), HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)), - Err(e) => Err(e), - } - } else { -@@ -403,7 +406,7 @@ fn http2_parse_headers_block_literal_common<'a>( - )), - None => Ok(( - input, -- Vec::new(), -+ Rc::new(Vec::new()), - HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed, - )), - } -@@ -413,7 +416,7 @@ fn http2_parse_headers_block_literal_common<'a>( - i4, - HTTP2FrameHeaderBlock { - name, -- value, -+ value: Rc::new(value), - error, - sizeupdate: 0, - }, -@@ -435,8 +438,8 @@ fn http2_parse_headers_block_literal_incindex<'a>( - match r { - Ok((r, head)) => { - let headcopy = HTTP2FrameHeaderBlock { -- name: head.name.to_vec(), -- value: head.value.to_vec(), -+ name: head.name.clone(), -+ value: head.value.clone(), - error: head.error, - sizeupdate: 0, - }; -@@ -556,8 +559,8 @@ fn http2_parse_headers_block_dynamic_size<'a>( - return Ok(( - 
i3, - HTTP2FrameHeaderBlock { -- name: Vec::new(), -- value: Vec::new(), -+ name: Rc::new(Vec::new()), -+ value: Rc::new(Vec::new()), - error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate, - sizeupdate: maxsize2, - }, -@@ -614,8 +617,8 @@ fn http2_parse_headers_blocks<'a>( - // if we error from http2_parse_var_uint, we keep the first parsed headers - if err.code == ErrorKind::LengthValue { - blocks.push(HTTP2FrameHeaderBlock { -- name: Vec::new(), -- value: Vec::new(), -+ name: Rc::new(Vec::new()), -+ value: Rc::new(Vec::new()), - error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIntegerOverflow, - sizeupdate: 0, - }); -@@ -765,8 +768,8 @@ mod tests { - match r0 { - Ok((remainder, hd)) => { - // Check the first message. -- assert_eq!(hd.name, ":method".as_bytes().to_vec()); -- assert_eq!(hd.value, "GET".as_bytes().to_vec()); -+ assert_eq!(hd.name, ":method".as_bytes().to_vec().into()); -+ assert_eq!(hd.value, "GET".as_bytes().to_vec().into()); - // And we should have no bytes left. - assert_eq!(remainder.len(), 0); - } -@@ -782,8 +785,8 @@ mod tests { - match r1 { - Ok((remainder, hd)) => { - // Check the first message. -- assert_eq!(hd.name, "accept".as_bytes().to_vec()); -- assert_eq!(hd.value, "*/*".as_bytes().to_vec()); -+ assert_eq!(hd.name, "accept".as_bytes().to_vec().into()); -+ assert_eq!(hd.value, "*/*".as_bytes().to_vec().into()); - // And we should have no bytes left. - assert_eq!(remainder.len(), 0); - assert_eq!(dynh.table.len(), 1); -@@ -802,8 +805,8 @@ mod tests { - match result { - Ok((remainder, hd)) => { - // Check the first message. -- assert_eq!(hd.name, ":authority".as_bytes().to_vec()); -- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec()); -+ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into()); -+ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into()); - // And we should have no bytes left. 
- assert_eq!(remainder.len(), 0); - assert_eq!(dynh.table.len(), 2); -@@ -820,8 +823,8 @@ mod tests { - match r3 { - Ok((remainder, hd)) => { - // same as before -- assert_eq!(hd.name, ":authority".as_bytes().to_vec()); -- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec()); -+ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into()); -+ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into()); - // And we should have no bytes left. - assert_eq!(remainder.len(), 0); - assert_eq!(dynh.table.len(), 2); -@@ -856,8 +859,8 @@ mod tests { - match r2 { - Ok((remainder, hd)) => { - // Check the first message. -- assert_eq!(hd.name, ":path".as_bytes().to_vec()); -- assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec()); -+ assert_eq!(hd.name, ":path".as_bytes().to_vec().into()); -+ assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec().into()); - // And we should have no bytes left. - assert_eq!(remainder.len(), 0); - assert_eq!(dynh.table.len(), 2); --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-32663-002.patch b/recipes-ids/suricata/files/CVE-2024-32663-002.patch deleted file mode 100644 index a57f58f..0000000 --- a/recipes-ids/suricata/files/CVE-2024-32663-002.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From c0af92295e833d1db29b184d63cd3b829451d7fd Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Thu, 28 Mar 2024 11:15:51 +0100 -Subject: [PATCH] http2: do not log duplicate headers - -Ticket: 6900 - -And thus avoid DOS by logging a request using a compressed -header block repeated many times and having a long value... - -(cherry picked from commit 03442c9071b8d863d26b609d54c6eacf4de9e340) - -CVE: CVE-2024-32663 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd] -Signed-off-by: Hitendra Prajapati ---- - rust/src/http2/logger.rs | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - -diff --git a/rust/src/http2/logger.rs b/rust/src/http2/logger.rs -index d25f852..a117a54 100644 ---- a/rust/src/http2/logger.rs -+++ b/rust/src/http2/logger.rs -@@ -19,7 +19,8 @@ use super::http2::{HTTP2Frame, HTTP2FrameTypeData, HTTP2Transaction}; - use super::parser; - use crate::jsonbuilder::{JsonBuilder, JsonError}; - use std; --use std::collections::HashMap; -+use std::collections::{HashMap, HashSet}; -+use std::rc::Rc; - - #[derive(Hash, PartialEq, Eq, Debug)] - enum HeaderName { -@@ -35,10 +36,20 @@ fn log_http2_headers<'a>( - blocks: &'a [parser::HTTP2FrameHeaderBlock], js: &mut JsonBuilder, - common: &mut HashMap>, - ) -> Result<(), JsonError> { -+ let mut logged_headers = HashSet::new(); - for block in blocks { -- js.start_object()?; -+ // delay js.start_object() because we skip suplicate headers - match block.error { - parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess => { -+ if Rc::strong_count(&block.name) > 2 { -+ // more than one reference in headers table + current headers -+ let ptr = Rc::as_ptr(&block.name) as usize; -+ if !logged_headers.insert(ptr) { -+ // only log once -+ continue; -+ } -+ } -+ js.start_object()?; - js.set_string_from_bytes("name", &block.name)?; - js.set_string_from_bytes("value", &block.value)?; - if let Ok(name) = 
std::str::from_utf8(&block.name) { -@@ -66,9 +77,11 @@ fn log_http2_headers<'a>( - } - } - parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate => { -+ js.start_object()?; - js.set_uint("table_size_update", block.sizeupdate)?; - } - _ => { -+ js.start_object()?; - js.set_string("error", &block.error.to_string())?; - } - } --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-32664.patch b/recipes-ids/suricata/files/CVE-2024-32664.patch deleted file mode 100644 index ee55b25..0000000 --- a/recipes-ids/suricata/files/CVE-2024-32664.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From d5ffecf11ad2c6fe89265e518f5d7443caf26ba4 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Thu, 28 Mar 2024 14:00:02 +0100 -Subject: [PATCH] util/base64: fix buffer overflow - -Ticket: 6902 - -In case the caller of DecodeBase64 does not supply a big enough -output buffer. - -(cherry picked from commit fd47e67dc65f9111895c88fb406c938b1f857325) - -CVE: CVE-2024-32664 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4] -Signed-off-by: Hitendra Prajapati ---- - src/util-base64.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/util-base64.c b/src/util-base64.c -index 4a4a5d1..d973f0e 100644 ---- a/src/util-base64.c -+++ b/src/util-base64.c -@@ -156,6 +156,8 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, - ecode = BASE64_ECODE_BUF; - break; - } -+ if (dest_size - *decoded_bytes < ASCII_BLOCK) -+ return BASE64_ECODE_BUF; - - /* Decode base-64 block into ascii block and move pointer */ - DecodeBase64Block(dptr, b64); -@@ -183,7 +185,7 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, - /* if the destination size is not at least 3 Bytes long, it'll give a dynamic - * buffer overflow while decoding, so, return and let the caller take care of the - * remaining bytes to be decoded which should always be < 4 at this stage */ -- if (dest_size - *decoded_bytes < 3) -+ if (dest_size - *decoded_bytes < ASCII_BLOCK) - return BASE64_ECODE_BUF; - *decoded_bytes += numDecoded_blk; - DecodeBase64Block(dptr, b64); -@@ -193,6 +195,8 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, - /* Finish remaining b64 bytes by padding */ - if (valid && bbidx > 0 && (mode != BASE64_MODE_RFC2045)) { - /* Decode remaining */ -+ if (dest_size - *decoded_bytes < ASCII_BLOCK) -+ return BASE64_ECODE_BUF; - *decoded_bytes += ASCII_BLOCK - (B64_BLOCK - bbidx); - DecodeBase64Block(dptr, b64); 
- } --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-32867-001.patch b/recipes-ids/suricata/files/CVE-2024-32867-001.patch deleted file mode 100644 index 68bd6ea..0000000 --- a/recipes-ids/suricata/files/CVE-2024-32867-001.patch +++ /dev/null 
@@ -1,235 +0,0 @@ -From 2f39ba75f153ba9bdf8eedc2a839cc973dbaea66 Mon Sep 17 00:00:00 2001 -From: Jason Ish -Date: Tue, 28 Nov 2023 12:35:26 -0600 -Subject: [PATCH] defrag: check next fragment for overlap before stopping - re-assembly - -Instead of breaking the loop when the current fragment does not have -any more fragments, set a flag and continue to the next fragment as -the next fragment may have data that occurs before this fragment, but -overlaps it. - -Then break if the next fragment does not overlap the previous. - -Bug: #6668 -(cherry picked from commit d0fd0782505d837e691ceef1b801776f0db82726) - -CVE: CVE-2024-32867 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66] -Signed-off-by: Hitendra Prajapati ---- - src/defrag.c | 145 ++++++++++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 139 insertions(+), 6 deletions(-) - -diff --git a/src/defrag.c b/src/defrag.c -index 38704c9..e154899 100644 ---- a/src/defrag.c -+++ b/src/defrag.c -@@ -295,10 +295,20 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) - uint16_t hlen = 0; - int ip_hdr_offset = 0; - -+ /* Assume more frags. */ -+ uint16_t prev_offset = 0; -+ bool more_frags = 1; -+ - RB_FOREACH(frag, IP_FRAGMENTS, &tracker->fragment_tree) { - SCLogDebug("frag %p, data_len %u, offset %u, pcap_cnt %"PRIu64, - frag, frag->data_len, frag->offset, frag->pcap_cnt); - -+ /* Previous fragment has no more fragments, and this packet -+ * doesn't overlap. We're done. */ -+ if (!more_frags && frag->offset > prev_offset) { -+ break; -+ } -+ - if (frag->skip) - continue; - if (frag->ltrim >= frag->data_len) -@@ -339,9 +349,16 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) - fragmentable_len = frag->offset + frag->data_len; - } - -- if (!frag->more_frags) { -- break; -- } -+ /* Even if this fragment is flagged as having no more -+ * fragments, still continue. 
The next fragment may have the -+ * same offset with data that is preferred. -+ * -+ * For example, DefragBsdFragmentAfterNoMfIpv{4,6}Test -+ * -+ * This is due to not all fragments being completely trimmed, -+ * but relying on the copy ordering. */ -+ more_frags = frag->more_frags; -+ prev_offset = frag->offset; - } - - SCLogDebug("ip_hdr_offset %u, hlen %" PRIu16 ", fragmentable_len %" PRIu16, ip_hdr_offset, hlen, -@@ -436,7 +453,15 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) - uint16_t fragmentable_len = 0; - int ip_hdr_offset = 0; - uint8_t next_hdr = 0; -+ -+ /* Assume more frags. */ -+ uint16_t prev_offset = 0; -+ bool more_frags = 1; -+ - RB_FOREACH(frag, IP_FRAGMENTS, &tracker->fragment_tree) { -+ if (!more_frags && frag->offset > prev_offset) { -+ break; -+ } - if (frag->skip) - continue; - if (frag->data_len - frag->ltrim <= 0) -@@ -481,9 +506,16 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) - fragmentable_len = frag->offset + frag->data_len; - } - -- if (!frag->more_frags) { -- break; -- } -+ /* Even if this fragment is flagged as having no more -+ * fragments, still continue. The next fragment may have the -+ * same offset with data that is preferred. -+ * -+ * For example, DefragBsdFragmentAfterNoMfIpv{4,6}Test -+ * -+ * This is due to not all fragments being completely trimmed, -+ * but relying on the copy ordering. */ -+ more_frags = frag->more_frags; -+ prev_offset = frag->offset; - } - - rp->ip6h = (IPV6Hdr *)(GET_PKT_DATA(rp) + ip_hdr_offset); -@@ -2374,6 +2406,10 @@ static int DefragMfIpv4Test(void) - * fragments should be in the re-assembled packet. */ - FAIL_IF(IPV4_GET_IPLEN(p) != 36); - -+ /* Verify the payload of the IPv4 packet. 
*/ -+ uint8_t expected_payload[] = "AAAAAAAABBBBBBBB"; -+ FAIL_IF(memcmp(GET_PKT_DATA(p) + sizeof(IPV4Hdr), expected_payload, sizeof(expected_payload))); -+ - SCFree(p1); - SCFree(p2); - SCFree(p3); -@@ -2417,6 +2453,10 @@ static int DefragMfIpv6Test(void) - * of 2 fragments, so 16. */ - FAIL_IF(IPV6_GET_PLEN(p) != 16); - -+ /* Verify the payload of the IPv4 packet. */ -+ uint8_t expected_payload[] = "AAAAAAAABBBBBBBB"; -+ FAIL_IF(memcmp(GET_PKT_DATA(p) + sizeof(IPV6Hdr), expected_payload, sizeof(expected_payload))); -+ - SCFree(p1); - SCFree(p2); - SCFree(p3); -@@ -2510,6 +2550,96 @@ static int DefragTestJeremyLinux(void) - PASS; - } - -+static int DefragBsdFragmentAfterNoMfIpv4Test(void) -+{ -+ DefragInit(); -+ default_policy = DEFRAG_POLICY_BSD; -+ Packet *packets[4]; -+ -+ packets[0] = BuildIpv4TestPacket(IPPROTO_ICMP, 0x96, 24 >> 3, 0, 'A', 16); -+ packets[1] = BuildIpv4TestPacket(IPPROTO_ICMP, 0x96, 8 >> 3, 1, 'B', 16); -+ packets[2] = BuildIpv4TestPacket(IPPROTO_ICMP, 0x96, 16 >> 3, 1, 'C', 16); -+ packets[3] = BuildIpv4TestPacket(IPPROTO_ICMP, 0x96, 0, 1, 'D', 8); -+ -+ Packet *r = Defrag(NULL, NULL, packets[0]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[1]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[2]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[3]); -+ FAIL_IF_NULL(r); -+ -+ // clang-format off -+ uint8_t expected[] = { -+ 'D', 'D', 'D', 'D', 'D', 'D', 'D', 'D', -+ 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B', -+ 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B', -+ 'C', 'C', 'C', 'C', 'C', 'C', 'C', 'C', -+ 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', -+ }; -+ // clang-format on -+ -+ if (memcmp(expected, GET_PKT_DATA(r) + 20, sizeof(expected)) != 0) { -+ printf("Expected:\n"); -+ PrintRawDataFp(stdout, expected, sizeof(expected)); -+ printf("Got:\n"); -+ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 20, GET_PKT_LEN(r) - 20); -+ FAIL; -+ } -+ -+ DefragDestroy(); -+ PASS; -+} -+ -+static int 
DefragBsdFragmentAfterNoMfIpv6Test(void) -+{ -+ DefragInit(); -+ default_policy = DEFRAG_POLICY_BSD; -+ Packet *packets[4]; -+ -+ packets[0] = BuildIpv6TestPacket(IPPROTO_ICMP, 0x96, 24 >> 3, 0, 'A', 16); -+ packets[1] = BuildIpv6TestPacket(IPPROTO_ICMP, 0x96, 8 >> 3, 1, 'B', 16); -+ packets[2] = BuildIpv6TestPacket(IPPROTO_ICMP, 0x96, 16 >> 3, 1, 'C', 16); -+ packets[3] = BuildIpv6TestPacket(IPPROTO_ICMP, 0x96, 0, 1, 'D', 8); -+ -+ Packet *r = Defrag(NULL, NULL, packets[0]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[1]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[2]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[3]); -+ FAIL_IF_NULL(r); -+ -+ // clang-format off -+ uint8_t expected[] = { -+ 'D', 'D', 'D', 'D', 'D', 'D', 'D', 'D', -+ 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B', -+ 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B', -+ 'C', 'C', 'C', 'C', 'C', 'C', 'C', 'C', -+ 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', -+ }; -+ // clang-format on -+ -+ if (memcmp(expected, GET_PKT_DATA(r) + 40, sizeof(expected)) != 0) { -+ printf("Expected:\n"); -+ PrintRawDataFp(stdout, expected, sizeof(expected)); -+ printf("Got:\n"); -+ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 40, GET_PKT_LEN(r) - 40); -+ FAIL; -+ } -+ -+ DefragDestroy(); -+ PASS; -+} -+ - #endif /* UNITTESTS */ - - void DefragRegisterTests(void) -@@ -2555,5 +2685,8 @@ void DefragRegisterTests(void) - UtRegisterTest("DefragTestBadProto", DefragTestBadProto); - - UtRegisterTest("DefragTestJeremyLinux", DefragTestJeremyLinux); -+ -+ UtRegisterTest("DefragBsdFragmentAfterNoMfIpv4Test", DefragBsdFragmentAfterNoMfIpv4Test); -+ UtRegisterTest("DefragBsdFragmentAfterNoMfIpv6Test", DefragBsdFragmentAfterNoMfIpv6Test); - #endif /* UNITTESTS */ - } --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-32867-002.patch b/recipes-ids/suricata/files/CVE-2024-32867-002.patch deleted file mode 100644 index cfddce2..0000000 
--- a/recipes-ids/suricata/files/CVE-2024-32867-002.patch +++ /dev/null 
@@ -1,591 +0,0 @@ -From 7137d5e7ab5500f1b7f3391f8ab55a59f1e4cbd7 Mon Sep 17 00:00:00 2001 -From: Jason Ish -Date: Mon, 27 Nov 2023 16:27:27 -0600 -Subject: [PATCH] defrag: consistent unit test naming - -Use a more consistent naming scheme between ipv4 and ipv6. - -(cherry picked from commit 2f00b5870abc6053fca8271a0a827babc03d56f0) - -CVE: CVE-2024-32867 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/7137d5e7ab5500f1b7f3391f8ab55a59f1e4cbd7] -Signed-off-by: Hitendra Prajapati ---- - src/defrag.c | 217 ++++++++++++++++++++++++--------------------------- - 1 file changed, 102 insertions(+), 115 deletions(-) - -diff --git a/src/defrag.c b/src/defrag.c -index e154899..99fbab3 100644 ---- a/src/defrag.c -+++ b/src/defrag.c -@@ -1125,8 +1125,8 @@ void DefragDestroy(void) - * Allocate a test packet. Nothing to fancy, just a simple IP packet - * with some payload of no particular protocol. - */ --static Packet *BuildTestPacket(uint8_t proto, uint16_t id, uint16_t off, int mf, -- const char content, int content_len) -+static Packet *BuildIpv4TestPacket( -+ uint8_t proto, uint16_t id, uint16_t off, int mf, const char content, int content_len) - { - Packet *p = NULL; - int hlen = 20; -@@ -1199,8 +1199,8 @@ error: - return NULL; - } - --static Packet *IPV6BuildTestPacket(uint8_t proto, uint32_t id, uint16_t off, -- int mf, const char content, int content_len) -+static Packet *BuildIpv6TestPacket( -+ uint8_t proto, uint32_t id, uint16_t off, int mf, const char content, int content_len) - { - Packet *p = NULL; - uint8_t *pcontent; -@@ -1283,11 +1283,11 @@ static int DefragInOrderSimpleTest(void) - - DefragInit(); - -- p1 = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); -+ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); - FAIL_IF_NULL(p1); -- p2 = BuildTestPacket(IPPROTO_ICMP, id, 1, 1, 'B', 8); -+ p2 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 1, 1, 'B', 8); - FAIL_IF_NULL(p2); -- p3 = BuildTestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); -+ p3 = 
BuildIpv4TestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); - FAIL_IF_NULL(p3); - - FAIL_IF(Defrag(NULL, NULL, p1) != NULL); -@@ -1335,11 +1335,11 @@ static int DefragReverseSimpleTest(void) - - DefragInit(); - -- p1 = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); -+ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); - FAIL_IF_NULL(p1); -- p2 = BuildTestPacket(IPPROTO_ICMP, id, 1, 1, 'B', 8); -+ p2 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 1, 1, 'B', 8); - FAIL_IF_NULL(p2); -- p3 = BuildTestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); -+ p3 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); - FAIL_IF_NULL(p3); - - FAIL_IF(Defrag(NULL, NULL, p3) != NULL); -@@ -1379,7 +1379,7 @@ static int DefragReverseSimpleTest(void) - * Test the simplest possible re-assembly scenario. All packet in - * order and no overlaps. - */ --static int IPV6DefragInOrderSimpleTest(void) -+static int DefragInOrderSimpleIpv6Test(void) - { - Packet *p1 = NULL, *p2 = NULL, *p3 = NULL; - Packet *reassembled = NULL; -@@ -1388,11 +1388,11 @@ static int IPV6DefragInOrderSimpleTest(void) - - DefragInit(); - -- p1 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 8); -+ p1 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 8); - FAIL_IF_NULL(p1); -- p2 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 1, 1, 'B', 8); -+ p2 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 1, 1, 'B', 8); - FAIL_IF_NULL(p2); -- p3 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 2, 0, 'C', 3); -+ p3 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 2, 0, 'C', 3); - FAIL_IF_NULL(p3); - - FAIL_IF(Defrag(NULL, NULL, p1) != NULL); -@@ -1426,7 +1426,7 @@ static int IPV6DefragInOrderSimpleTest(void) - PASS; - } - --static int IPV6DefragReverseSimpleTest(void) -+static int DefragReverseSimpleIpv6Test(void) - { - DefragContext *dc = NULL; - Packet *p1 = NULL, *p2 = NULL, *p3 = NULL; -@@ -1439,11 +1439,11 @@ static int IPV6DefragReverseSimpleTest(void) - dc = DefragContextNew(); - FAIL_IF_NULL(dc); - -- p1 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 0, 1, 
'A', 8); -+ p1 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 8); - FAIL_IF_NULL(p1); -- p2 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 1, 1, 'B', 8); -+ p2 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 1, 1, 'B', 8); - FAIL_IF_NULL(p2); -- p3 = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 2, 0, 'C', 3); -+ p3 = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 2, 0, 'C', 3); - FAIL_IF_NULL(p3); - - FAIL_IF(Defrag(NULL, NULL, p3) != NULL); -@@ -1496,59 +1496,59 @@ static int DefragDoSturgesNovakTest(int policy, u_char *expected, - */ - - /* A*24 at 0. */ -- packets[0] = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 24); -+ packets[0] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 24); - - /* B*15 at 32. */ -- packets[1] = BuildTestPacket(IPPROTO_ICMP, id, 32 >> 3, 1, 'B', 16); -+ packets[1] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 32 >> 3, 1, 'B', 16); - - /* C*24 at 48. */ -- packets[2] = BuildTestPacket(IPPROTO_ICMP, id, 48 >> 3, 1, 'C', 24); -+ packets[2] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 48 >> 3, 1, 'C', 24); - - /* D*8 at 80. */ -- packets[3] = BuildTestPacket(IPPROTO_ICMP, id, 80 >> 3, 1, 'D', 8); -+ packets[3] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 80 >> 3, 1, 'D', 8); - - /* E*16 at 104. */ -- packets[4] = BuildTestPacket(IPPROTO_ICMP, id, 104 >> 3, 1, 'E', 16); -+ packets[4] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 104 >> 3, 1, 'E', 16); - - /* F*24 at 120. */ -- packets[5] = BuildTestPacket(IPPROTO_ICMP, id, 120 >> 3, 1, 'F', 24); -+ packets[5] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 120 >> 3, 1, 'F', 24); - - /* G*16 at 144. */ -- packets[6] = BuildTestPacket(IPPROTO_ICMP, id, 144 >> 3, 1, 'G', 16); -+ packets[6] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 144 >> 3, 1, 'G', 16); - - /* H*16 at 160. */ -- packets[7] = BuildTestPacket(IPPROTO_ICMP, id, 160 >> 3, 1, 'H', 16); -+ packets[7] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 160 >> 3, 1, 'H', 16); - - /* I*8 at 176. 
*/ -- packets[8] = BuildTestPacket(IPPROTO_ICMP, id, 176 >> 3, 1, 'I', 8); -+ packets[8] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 176 >> 3, 1, 'I', 8); - - /* - * Overlapping subsequent fragments. - */ - - /* J*32 at 8. */ -- packets[9] = BuildTestPacket(IPPROTO_ICMP, id, 8 >> 3, 1, 'J', 32); -+ packets[9] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 8 >> 3, 1, 'J', 32); - - /* K*24 at 48. */ -- packets[10] = BuildTestPacket(IPPROTO_ICMP, id, 48 >> 3, 1, 'K', 24); -+ packets[10] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 48 >> 3, 1, 'K', 24); - - /* L*24 at 72. */ -- packets[11] = BuildTestPacket(IPPROTO_ICMP, id, 72 >> 3, 1, 'L', 24); -+ packets[11] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 72 >> 3, 1, 'L', 24); - - /* M*24 at 96. */ -- packets[12] = BuildTestPacket(IPPROTO_ICMP, id, 96 >> 3, 1, 'M', 24); -+ packets[12] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 96 >> 3, 1, 'M', 24); - - /* N*8 at 128. */ -- packets[13] = BuildTestPacket(IPPROTO_ICMP, id, 128 >> 3, 1, 'N', 8); -+ packets[13] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 128 >> 3, 1, 'N', 8); - - /* O*8 at 152. */ -- packets[14] = BuildTestPacket(IPPROTO_ICMP, id, 152 >> 3, 1, 'O', 8); -+ packets[14] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 152 >> 3, 1, 'O', 8); - - /* P*8 at 160. */ -- packets[15] = BuildTestPacket(IPPROTO_ICMP, id, 160 >> 3, 1, 'P', 8); -+ packets[15] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 160 >> 3, 1, 'P', 8); - - /* Q*16 at 176. 
*/ -- packets[16] = BuildTestPacket(IPPROTO_ICMP, id, 176 >> 3, 0, 'Q', 16); -+ packets[16] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 176 >> 3, 0, 'Q', 16); - - default_policy = policy; - -@@ -1588,8 +1588,7 @@ static int DefragDoSturgesNovakTest(int policy, u_char *expected, - PASS; - } - --static int IPV6DefragDoSturgesNovakTest(int policy, u_char *expected, -- size_t expected_len) -+static int DefragDoSturgesNovakIpv6Test(int policy, u_char *expected, size_t expected_len) - { - int i; - -@@ -1608,59 +1607,59 @@ static int IPV6DefragDoSturgesNovakTest(int policy, u_char *expected, - */ - - /* A*24 at 0. */ -- packets[0] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 24); -+ packets[0] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 0, 1, 'A', 24); - - /* B*15 at 32. */ -- packets[1] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 32 >> 3, 1, 'B', 16); -+ packets[1] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 32 >> 3, 1, 'B', 16); - - /* C*24 at 48. */ -- packets[2] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 48 >> 3, 1, 'C', 24); -+ packets[2] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 48 >> 3, 1, 'C', 24); - - /* D*8 at 80. */ -- packets[3] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 80 >> 3, 1, 'D', 8); -+ packets[3] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 80 >> 3, 1, 'D', 8); - - /* E*16 at 104. */ -- packets[4] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 104 >> 3, 1, 'E', 16); -+ packets[4] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 104 >> 3, 1, 'E', 16); - - /* F*24 at 120. */ -- packets[5] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 120 >> 3, 1, 'F', 24); -+ packets[5] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 120 >> 3, 1, 'F', 24); - - /* G*16 at 144. */ -- packets[6] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 144 >> 3, 1, 'G', 16); -+ packets[6] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 144 >> 3, 1, 'G', 16); - - /* H*16 at 160. 
*/ -- packets[7] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 160 >> 3, 1, 'H', 16); -+ packets[7] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 160 >> 3, 1, 'H', 16); - - /* I*8 at 176. */ -- packets[8] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 176 >> 3, 1, 'I', 8); -+ packets[8] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 176 >> 3, 1, 'I', 8); - - /* - * Overlapping subsequent fragments. - */ - - /* J*32 at 8. */ -- packets[9] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 8 >> 3, 1, 'J', 32); -+ packets[9] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 8 >> 3, 1, 'J', 32); - - /* K*24 at 48. */ -- packets[10] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 48 >> 3, 1, 'K', 24); -+ packets[10] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 48 >> 3, 1, 'K', 24); - - /* L*24 at 72. */ -- packets[11] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 72 >> 3, 1, 'L', 24); -+ packets[11] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 72 >> 3, 1, 'L', 24); - - /* M*24 at 96. */ -- packets[12] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 96 >> 3, 1, 'M', 24); -+ packets[12] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 96 >> 3, 1, 'M', 24); - - /* N*8 at 128. */ -- packets[13] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 128 >> 3, 1, 'N', 8); -+ packets[13] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 128 >> 3, 1, 'N', 8); - - /* O*8 at 152. */ -- packets[14] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 152 >> 3, 1, 'O', 8); -+ packets[14] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 152 >> 3, 1, 'O', 8); - - /* P*8 at 160. */ -- packets[15] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 160 >> 3, 1, 'P', 8); -+ packets[15] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 160 >> 3, 1, 'P', 8); - - /* Q*16 at 176. 
*/ -- packets[16] = IPV6BuildTestPacket(IPPROTO_ICMPV6, id, 176 >> 3, 0, 'Q', 16); -+ packets[16] = BuildIpv6TestPacket(IPPROTO_ICMPV6, id, 176 >> 3, 0, 'Q', 16); - - default_policy = policy; - -@@ -1735,7 +1734,7 @@ DefragSturgesNovakBsdTest(void) - PASS; - } - --static int IPV6DefragSturgesNovakBsdTest(void) -+static int DefragSturgesNovakBsdIpv6Test(void) - { - /* Expected data. */ - u_char expected[] = { -@@ -1765,8 +1764,7 @@ static int IPV6DefragSturgesNovakBsdTest(void) - "QQQQQQQQ" - }; - -- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_BSD, expected, -- sizeof(expected))); -+ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_BSD, expected, sizeof(expected))); - PASS; - } - -@@ -1805,7 +1803,7 @@ static int DefragSturgesNovakLinuxIpv4Test(void) - PASS; - } - --static int IPV6DefragSturgesNovakLinuxTest(void) -+static int DefragSturgesNovakLinuxIpv6Test(void) - { - /* Expected data. */ - u_char expected[] = { -@@ -1835,8 +1833,7 @@ static int IPV6DefragSturgesNovakLinuxTest(void) - "QQQQQQQQ" - }; - -- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_LINUX, expected, -- sizeof(expected))); -+ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_LINUX, expected, sizeof(expected))); - PASS; - } - -@@ -1875,7 +1872,7 @@ static int DefragSturgesNovakWindowsIpv4Test(void) - PASS; - } - --static int IPV6DefragSturgesNovakWindowsTest(void) -+static int DefragSturgesNovakWindowsIpv6Test(void) - { - /* Expected data. 
*/ - u_char expected[] = { -@@ -1905,8 +1902,7 @@ static int IPV6DefragSturgesNovakWindowsTest(void) - "QQQQQQQQ" - }; - -- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_WINDOWS, expected, -- sizeof(expected))); -+ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_WINDOWS, expected, sizeof(expected))); - PASS; - } - -@@ -1945,7 +1941,7 @@ static int DefragSturgesNovakSolarisTest(void) - PASS; - } - --static int IPV6DefragSturgesNovakSolarisTest(void) -+static int DefragSturgesNovakSolarisIpv6Test(void) - { - /* Expected data. */ - u_char expected[] = { -@@ -1975,8 +1971,7 @@ static int IPV6DefragSturgesNovakSolarisTest(void) - "QQQQQQQQ" - }; - -- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_SOLARIS, expected, -- sizeof(expected))); -+ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_SOLARIS, expected, sizeof(expected))); - PASS; - } - -@@ -2015,7 +2010,7 @@ static int DefragSturgesNovakFirstTest(void) - PASS; - } - --static int IPV6DefragSturgesNovakFirstTest(void) -+static int DefragSturgesNovakFirstIpv6Test(void) - { - /* Expected data. */ - u_char expected[] = { -@@ -2045,8 +2040,7 @@ static int IPV6DefragSturgesNovakFirstTest(void) - "QQQQQQQQ" - }; - -- return IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_FIRST, expected, -- sizeof(expected)); -+ return DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_FIRST, expected, sizeof(expected)); - } - - static int -@@ -2085,7 +2079,7 @@ DefragSturgesNovakLastTest(void) - PASS; - } - --static int IPV6DefragSturgesNovakLastTest(void) -+static int DefragSturgesNovakLastIpv6Test(void) - { - /* Expected data. 
*/ - u_char expected[] = { -@@ -2115,8 +2109,7 @@ static int IPV6DefragSturgesNovakLastTest(void) - "QQQQQQQQ" - }; - -- FAIL_IF_NOT(IPV6DefragDoSturgesNovakTest(DEFRAG_POLICY_LAST, expected, -- sizeof(expected))); -+ FAIL_IF_NOT(DefragDoSturgesNovakIpv6Test(DEFRAG_POLICY_LAST, expected, sizeof(expected))); - PASS; - } - -@@ -2131,7 +2124,7 @@ static int DefragTimeoutTest(void) - - /* Load in 16 packets. */ - for (i = 0; i < 16; i++) { -- Packet *p = BuildTestPacket(IPPROTO_ICMP,i, 0, 1, 'A' + i, 16); -+ Packet *p = BuildIpv4TestPacket(IPPROTO_ICMP, i, 0, 1, 'A' + i, 16); - FAIL_IF_NULL(p); - - Packet *tp = Defrag(NULL, NULL, p); -@@ -2141,7 +2134,7 @@ static int DefragTimeoutTest(void) - - /* Build a new packet but push the timestamp out by our timeout. - * This should force our previous fragments to be timed out. */ -- Packet *p = BuildTestPacket(IPPROTO_ICMP, 99, 0, 1, 'A' + i, 16); -+ Packet *p = BuildIpv4TestPacket(IPPROTO_ICMP, 99, 0, 1, 'A' + i, 16); - FAIL_IF_NULL(p); - - p->ts = SCTIME_ADD_SECS(p->ts, defrag_context->timeout + 1); -@@ -2166,7 +2159,7 @@ static int DefragTimeoutTest(void) - * fail. The fix was simple, but this unit test is just to make sure - * its not introduced. - */ --static int DefragIPv4NoDataTest(void) -+static int DefragNoDataIpv4Test(void) - { - DefragContext *dc = NULL; - Packet *p = NULL; -@@ -2178,7 +2171,7 @@ static int DefragIPv4NoDataTest(void) - FAIL_IF_NULL(dc); - - /* This packet has an offset > 0, more frags set to 0 and no data. */ -- p = BuildTestPacket(IPPROTO_ICMP, id, 1, 0, 'A', 0); -+ p = BuildIpv4TestPacket(IPPROTO_ICMP, id, 1, 0, 'A', 0); - FAIL_IF_NULL(p); - - /* We do not expect a packet returned. 
*/ -@@ -2195,7 +2188,7 @@ static int DefragIPv4NoDataTest(void) - PASS; - } - --static int DefragIPv4TooLargeTest(void) -+static int DefragTooLargeIpv4Test(void) - { - DefragContext *dc = NULL; - Packet *p = NULL; -@@ -2207,7 +2200,7 @@ static int DefragIPv4TooLargeTest(void) - - /* Create a fragment that would extend past the max allowable size - * for an IPv4 packet. */ -- p = BuildTestPacket(IPPROTO_ICMP, 1, 8183, 0, 'A', 71); -+ p = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 8183, 0, 'A', 71); - FAIL_IF_NULL(p); - - /* We do not expect a packet returned. */ -@@ -2238,9 +2231,9 @@ static int DefragVlanTest(void) - - DefragInit(); - -- p1 = BuildTestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); -+ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); - FAIL_IF_NULL(p1); -- p2 = BuildTestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); -+ p2 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); - FAIL_IF_NULL(p2); - - /* With no VLAN IDs set, packets should re-assemble. */ -@@ -2270,9 +2263,9 @@ static int DefragVlanQinQTest(void) - - DefragInit(); - -- p1 = BuildTestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); -+ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); - FAIL_IF_NULL(p1); -- p2 = BuildTestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); -+ p2 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); - FAIL_IF_NULL(p2); - - /* With no VLAN IDs set, packets should re-assemble. */ -@@ -2304,9 +2297,9 @@ static int DefragVlanQinQinQTest(void) - - DefragInit(); - -- Packet *p1 = BuildTestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); -+ Packet *p1 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 0, 1, 'A', 8); - FAIL_IF_NULL(p1); -- Packet *p2 = BuildTestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); -+ Packet *p2 = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 1, 0, 'B', 8); - FAIL_IF_NULL(p2); - - /* With no VLAN IDs set, packets should re-assemble. */ -@@ -2340,7 +2333,7 @@ static int DefragTrackerReuseTest(void) - - /* Build a packet, its not a fragment but shouldn't matter for - * this test. 
*/ -- p1 = BuildTestPacket(IPPROTO_ICMP, id, 0, 0, 'A', 8); -+ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 0, 'A', 8); - FAIL_IF_NULL(p1); - - /* Get a tracker. It shouldn't look like its already in use. */ -@@ -2387,9 +2380,9 @@ static int DefragMfIpv4Test(void) - - DefragInit(); - -- Packet *p1 = BuildTestPacket(IPPROTO_ICMP, ip_id, 2, 1, 'C', 8); -- Packet *p2 = BuildTestPacket(IPPROTO_ICMP, ip_id, 0, 1, 'A', 8); -- Packet *p3 = BuildTestPacket(IPPROTO_ICMP, ip_id, 1, 0, 'B', 8); -+ Packet *p1 = BuildIpv4TestPacket(IPPROTO_ICMP, ip_id, 2, 1, 'C', 8); -+ Packet *p2 = BuildIpv4TestPacket(IPPROTO_ICMP, ip_id, 0, 1, 'A', 8); -+ Packet *p3 = BuildIpv4TestPacket(IPPROTO_ICMP, ip_id, 1, 0, 'B', 8); - FAIL_IF(p1 == NULL || p2 == NULL || p3 == NULL); - - p = Defrag(NULL, NULL, p1); -@@ -2434,9 +2427,9 @@ static int DefragMfIpv6Test(void) - - DefragInit(); - -- Packet *p1 = IPV6BuildTestPacket(IPPROTO_ICMPV6, ip_id, 2, 1, 'C', 8); -- Packet *p2 = IPV6BuildTestPacket(IPPROTO_ICMPV6, ip_id, 0, 1, 'A', 8); -- Packet *p3 = IPV6BuildTestPacket(IPPROTO_ICMPV6, ip_id, 1, 0, 'B', 8); -+ Packet *p1 = BuildIpv6TestPacket(IPPROTO_ICMPV6, ip_id, 2, 1, 'C', 8); -+ Packet *p2 = BuildIpv6TestPacket(IPPROTO_ICMPV6, ip_id, 0, 1, 'A', 8); -+ Packet *p3 = BuildIpv6TestPacket(IPPROTO_ICMPV6, ip_id, 1, 0, 'B', 8); - FAIL_IF(p1 == NULL || p2 == NULL || p3 == NULL); - - p = Defrag(NULL, NULL, p1); -@@ -2476,11 +2469,11 @@ static int DefragTestBadProto(void) - - DefragInit(); - -- p1 = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); -+ p1 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 8); - FAIL_IF_NULL(p1); -- p2 = BuildTestPacket(IPPROTO_UDP, id, 1, 1, 'B', 8); -+ p2 = BuildIpv4TestPacket(IPPROTO_UDP, id, 1, 1, 'B', 8); - FAIL_IF_NULL(p2); -- p3 = BuildTestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); -+ p3 = BuildIpv4TestPacket(IPPROTO_ICMP, id, 2, 0, 'C', 3); - FAIL_IF_NULL(p3); - - FAIL_IF_NOT_NULL(Defrag(NULL, NULL, p1)); -@@ -2522,10 +2515,10 @@ static int DefragTestJeremyLinux(void) - 
Packet *packets[4]; - int i = 0; - -- packets[0] = BuildTestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 24); -- packets[1] = BuildTestPacket(IPPROTO_ICMP, id, 40 >> 3, 1, 'B', 48); -- packets[2] = BuildTestPacket(IPPROTO_ICMP, id, 24 >> 3, 1, 'C', 48); -- packets[3] = BuildTestPacket(IPPROTO_ICMP, id, 88 >> 3, 0, 'D', 14); -+ packets[0] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 0, 1, 'A', 24); -+ packets[1] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 40 >> 3, 1, 'B', 48); -+ packets[2] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 24 >> 3, 1, 'C', 48); -+ packets[3] = BuildIpv4TestPacket(IPPROTO_ICMP, id, 88 >> 3, 0, 'D', 14); - - Packet *r = Defrag(NULL, NULL, packets[0]); - FAIL_IF_NOT_NULL(r); -@@ -2657,23 +2650,17 @@ void DefragRegisterTests(void) - UtRegisterTest("DefragSturgesNovakFirstTest", DefragSturgesNovakFirstTest); - UtRegisterTest("DefragSturgesNovakLastTest", DefragSturgesNovakLastTest); - -- UtRegisterTest("DefragIPv4NoDataTest", DefragIPv4NoDataTest); -- UtRegisterTest("DefragIPv4TooLargeTest", DefragIPv4TooLargeTest); -- -- UtRegisterTest("IPV6DefragInOrderSimpleTest", IPV6DefragInOrderSimpleTest); -- UtRegisterTest("IPV6DefragReverseSimpleTest", IPV6DefragReverseSimpleTest); -- UtRegisterTest("IPV6DefragSturgesNovakBsdTest", -- IPV6DefragSturgesNovakBsdTest); -- UtRegisterTest("IPV6DefragSturgesNovakLinuxTest", -- IPV6DefragSturgesNovakLinuxTest); -- UtRegisterTest("IPV6DefragSturgesNovakWindowsTest", -- IPV6DefragSturgesNovakWindowsTest); -- UtRegisterTest("IPV6DefragSturgesNovakSolarisTest", -- IPV6DefragSturgesNovakSolarisTest); -- UtRegisterTest("IPV6DefragSturgesNovakFirstTest", -- IPV6DefragSturgesNovakFirstTest); -- UtRegisterTest("IPV6DefragSturgesNovakLastTest", -- IPV6DefragSturgesNovakLastTest); -+ UtRegisterTest("DefragNoDataIpv4Test", DefragNoDataIpv4Test); -+ UtRegisterTest("DefragTooLargeIpv4Test", DefragTooLargeIpv4Test); -+ -+ UtRegisterTest("DefragInOrderSimpleIpv6Test", DefragInOrderSimpleIpv6Test); -+ UtRegisterTest("DefragReverseSimpleIpv6Test", 
DefragReverseSimpleIpv6Test); -+ UtRegisterTest("DefragSturgesNovakBsdIpv6Test", DefragSturgesNovakBsdIpv6Test); -+ UtRegisterTest("DefragSturgesNovakLinuxIpv6Test", DefragSturgesNovakLinuxIpv6Test); -+ UtRegisterTest("DefragSturgesNovakWindowsIpv6Test", DefragSturgesNovakWindowsIpv6Test); -+ UtRegisterTest("DefragSturgesNovakSolarisIpv6Test", DefragSturgesNovakSolarisIpv6Test); -+ UtRegisterTest("DefragSturgesNovakFirstIpv6Test", DefragSturgesNovakFirstIpv6Test); -+ UtRegisterTest("DefragSturgesNovakLastIpv6Test", DefragSturgesNovakLastIpv6Test); - - UtRegisterTest("DefragVlanTest", DefragVlanTest); - UtRegisterTest("DefragVlanQinQTest", DefragVlanQinQTest); --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-32867-003.patch b/recipes-ids/suricata/files/CVE-2024-32867-003.patch deleted file mode 100644 index 15ee1f4..0000000 --- a/recipes-ids/suricata/files/CVE-2024-32867-003.patch +++ /dev/null 
@@ -1,472 +0,0 @@ -From 1e110d0a71db46571040b937e17a4bc9f91d6de9 Mon Sep 17 00:00:00 2001 -From: Jason Ish -Date: Thu, 7 Dec 2023 16:44:56 -0600 -Subject: [PATCH] defrag: fix subsequent overlap of start of original (bsd) - -Fix the BSD policy case where a subsequent fragment starts before an -original fragment and overlaps the beginning of the original -fragment. In this case the overlapping data from the new fragment is -preferred. - -Suricata was preferring the data from the original fragment, but it -should only do that when the original fragment has an offset <= to the -new fragment. - -- Adds test for this case - -Bug: #6669 -(cherry picked from commit f1709ea551124e1a64fdc509993ad022ab27aa77) - -CVE: CVE-2024-32867 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9] -Signed-off-by: Hitendra Prajapati ---- - src/defrag.c | 387 ++++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 380 insertions(+), 7 deletions(-) - -diff --git a/src/defrag.c b/src/defrag.c -index 99fbab3..28d085d 100644 ---- a/src/defrag.c -+++ b/src/defrag.c -@@ -692,16 +692,45 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker, - switch (tracker->policy) { - case DEFRAG_POLICY_BSD: - if (frag_offset < prev->offset + prev->data_len) { -- if (frag_offset >= prev->offset) { -- ltrim = prev->offset + prev->data_len - frag_offset; -+ if (prev->offset <= frag_offset) { -+ /* We prefer the data from the previous -+ * fragment, so trim off the data in the new -+ * fragment that exists in the previous -+ * fragment. */ -+ uint16_t prev_end = prev->offset + prev->data_len; -+ if (prev_end > frag_end) { -+ /* Just skip. */ -+ /* TODO: Set overlap flag. 
*/ -+ goto done; -+ } -+ ltrim = prev_end - frag_offset; -+ -+ if ((next != NULL) && (frag_end > next->offset)) { -+ next->ltrim = frag_end - next->offset; -+ } -+ -+ goto insert; - } -+ -+ /* If the end of this fragment overlaps the start -+ * of the previous fragment, then trim up the -+ * start of previous fragment so this fragment is -+ * used. -+ * -+ * See: -+ * DefragBsdSubsequentOverlapsStartOfOriginal. -+ */ -+ if (frag_offset <= prev->offset && frag_end > prev->offset + prev->ltrim) { -+ uint16_t prev_ltrim = frag_end - prev->offset; -+ if (prev_ltrim > prev->ltrim) { -+ prev->ltrim = prev_ltrim; -+ } -+ } -+ - if ((next != NULL) && (frag_end > next->offset)) { - next->ltrim = frag_end - next->offset; - } -- if ((frag_offset < prev->offset) && -- (frag_end >= prev->offset + prev->data_len)) { -- prev->skip = 1; -- } -+ - goto insert; - } - break; -@@ -1199,6 +1228,77 @@ error: - return NULL; - } - -+/** -+ * Allocate a test packet, much like BuildIpv4TestPacket, but with -+ * the full content provided by the caller. 
-+ */ -+static Packet *BuildIpv4TestPacketWithContent( -+ uint8_t proto, uint16_t id, uint16_t off, int mf, const uint8_t *content, int content_len) -+{ -+ Packet *p = NULL; -+ int hlen = 20; -+ int ttl = 64; -+ IPV4Hdr ip4h; -+ -+ p = SCCalloc(1, sizeof(*p) + default_packet_size); -+ if (unlikely(p == NULL)) -+ return NULL; -+ -+ PacketInit(p); -+ -+ struct timeval tval; -+ gettimeofday(&tval, NULL); -+ p->ts = SCTIME_FROM_TIMEVAL(&tval); -+ ip4h.ip_verhl = 4 << 4; -+ ip4h.ip_verhl |= hlen >> 2; -+ ip4h.ip_len = htons(hlen + content_len); -+ ip4h.ip_id = htons(id); -+ if (mf) -+ ip4h.ip_off = htons(IP_MF | off); -+ else -+ ip4h.ip_off = htons(off); -+ ip4h.ip_ttl = ttl; -+ ip4h.ip_proto = proto; -+ -+ ip4h.s_ip_src.s_addr = 0x01010101; /* 1.1.1.1 */ -+ ip4h.s_ip_dst.s_addr = 0x02020202; /* 2.2.2.2 */ -+ -+ /* copy content_len crap, we need full length */ -+ PacketCopyData(p, (uint8_t *)&ip4h, sizeof(ip4h)); -+ p->ip4h = (IPV4Hdr *)GET_PKT_DATA(p); -+ SET_IPV4_SRC_ADDR(p, &p->src); -+ SET_IPV4_DST_ADDR(p, &p->dst); -+ -+ PacketCopyDataOffset(p, hlen, content, content_len); -+ SET_PKT_LEN(p, hlen + content_len); -+ -+ p->ip4h->ip_csum = IPV4Checksum((uint16_t *)GET_PKT_DATA(p), hlen, 0); -+ -+ /* Self test. 
*/ -+ if (IPV4_GET_VER(p) != 4) -+ goto error; -+ if (IPV4_GET_HLEN(p) != hlen) -+ goto error; -+ if (IPV4_GET_IPLEN(p) != hlen + content_len) -+ goto error; -+ if (IPV4_GET_IPID(p) != id) -+ goto error; -+ if (IPV4_GET_IPOFFSET(p) != off) -+ goto error; -+ if (IPV4_GET_MF(p) != mf) -+ goto error; -+ if (IPV4_GET_IPTTL(p) != ttl) -+ goto error; -+ if (IPV4_GET_IPPROTO(p) != proto) -+ goto error; -+ -+ return p; -+error: -+ if (p != NULL) -+ SCFree(p); -+ return NULL; -+} -+ - static Packet *BuildIpv6TestPacket( - uint8_t proto, uint32_t id, uint16_t off, int mf, const char content, int content_len) - { -@@ -1270,6 +1370,71 @@ error: - return NULL; - } - -+static Packet *BuildIpv6TestPacketWithContent( -+ uint8_t proto, uint32_t id, uint16_t off, int mf, const uint8_t *content, int content_len) -+{ -+ Packet *p = NULL; -+ IPV6Hdr ip6h; -+ -+ p = SCCalloc(1, sizeof(*p) + default_packet_size); -+ if (unlikely(p == NULL)) -+ return NULL; -+ -+ PacketInit(p); -+ -+ struct timeval tval; -+ gettimeofday(&tval, NULL); -+ p->ts = SCTIME_FROM_TIMEVAL(&tval); -+ -+ ip6h.s_ip6_nxt = 44; -+ ip6h.s_ip6_hlim = 2; -+ -+ /* Source and dest address - very bogus addresses. */ -+ ip6h.s_ip6_src[0] = 0x01010101; -+ ip6h.s_ip6_src[1] = 0x01010101; -+ ip6h.s_ip6_src[2] = 0x01010101; -+ ip6h.s_ip6_src[3] = 0x01010101; -+ ip6h.s_ip6_dst[0] = 0x02020202; -+ ip6h.s_ip6_dst[1] = 0x02020202; -+ ip6h.s_ip6_dst[2] = 0x02020202; -+ ip6h.s_ip6_dst[3] = 0x02020202; -+ -+ /* copy content_len crap, we need full length */ -+ PacketCopyData(p, (uint8_t *)&ip6h, sizeof(IPV6Hdr)); -+ -+ p->ip6h = (IPV6Hdr *)GET_PKT_DATA(p); -+ IPV6_SET_RAW_VER(p->ip6h, 6); -+ /* Fragmentation header. 
*/ -+ IPV6FragHdr *fh = (IPV6FragHdr *)(GET_PKT_DATA(p) + sizeof(IPV6Hdr)); -+ fh->ip6fh_nxt = proto; -+ fh->ip6fh_ident = htonl(id); -+ fh->ip6fh_offlg = htons((off << 3) | mf); -+ -+ DecodeIPV6FragHeader(p, (uint8_t *)fh, 8, 8 + content_len, 0); -+ -+ PacketCopyDataOffset(p, sizeof(IPV6Hdr) + sizeof(IPV6FragHdr), content, content_len); -+ SET_PKT_LEN(p, sizeof(IPV6Hdr) + sizeof(IPV6FragHdr) + content_len); -+ -+ p->ip6h->s_ip6_plen = htons(sizeof(IPV6FragHdr) + content_len); -+ -+ SET_IPV6_SRC_ADDR(p, &p->src); -+ SET_IPV6_DST_ADDR(p, &p->dst); -+ -+ /* Self test. */ -+ if (IPV6_GET_VER(p) != 6) -+ goto error; -+ if (IPV6_GET_NH(p) != 44) -+ goto error; -+ if (IPV6_GET_PLEN(p) != sizeof(IPV6FragHdr) + content_len) -+ goto error; -+ -+ return p; -+error: -+ if (p != NULL) -+ SCFree(p); -+ return NULL; -+} -+ - /** - * Test the simplest possible re-assembly scenario. All packet in - * order and no overlaps. -@@ -1575,7 +1740,13 @@ static int DefragDoSturgesNovakTest(int policy, u_char *expected, - FAIL_IF(IPV4_GET_HLEN(reassembled) != 20); - FAIL_IF(IPV4_GET_IPLEN(reassembled) != 20 + 192); - -- FAIL_IF(memcmp(GET_PKT_DATA(reassembled) + 20, expected, expected_len) != 0); -+ if (memcmp(expected, GET_PKT_DATA(reassembled) + 20, expected_len) != 0) { -+ printf("Expected:\n"); -+ PrintRawDataFp(stdout, expected, expected_len); -+ printf("Got:\n"); -+ PrintRawDataFp(stdout, GET_PKT_DATA(reassembled) + 20, GET_PKT_LEN(reassembled) - 20); -+ FAIL; -+ } - SCFree(reassembled); - - /* Make sure all frags were returned back to the pool. 
*/ -@@ -2543,6 +2714,16 @@ static int DefragTestJeremyLinux(void) - PASS; - } - -+/** -+ * | 0 | 8 | 16 | 24 | 32 | -+ * |----------|----------|----------|----------|----------| -+ * | AAAAAAAA | AAAAAAAA | -+ * | | BBBBBBBB | BBBBBBBB | | | -+ * | | | CCCCCCCC | CCCCCCCC | | -+ * | DDDDDDDD | | | | | -+ * -+ * | DDDDDDDD | BBBBBBBB | BBBBBBBB | CCCCCCCC | AAAAAAAA | -+ */ - static int DefragBsdFragmentAfterNoMfIpv4Test(void) - { - DefragInit(); -@@ -2633,6 +2814,192 @@ static int DefragBsdFragmentAfterNoMfIpv6Test(void) - PASS; - } - -+static int DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2(void) -+{ -+ DefragInit(); -+ default_policy = DEFRAG_POLICY_BSD; -+ Packet *packets[4]; -+ -+ /* Packet 1: off=16, mf=1 */ -+ packets[0] = BuildIpv4TestPacketWithContent( -+ IPPROTO_ICMP, 6, 16 >> 3, 1, (uint8_t *)"AABBCCDDAABBDDCC", 16); -+ -+ /* Packet 2: off=8, mf=1 */ -+ packets[1] = BuildIpv4TestPacketWithContent( -+ IPPROTO_ICMP, 6, 8 >> 3, 1, (uint8_t *)"AACCBBDDAACCDDBB", 16); -+ -+ /* Packet 3: off=0, mf=1: IP and ICMP header. 
*/ -+ packets[2] = BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 6, 0, 1, (uint8_t *)"ZZZZZZZZ", 8); -+ -+ /* Packet 4: off=8, mf=1 */ -+ packets[3] = -+ BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 6, 32 >> 3, 0, (uint8_t *)"DDCCBBAA", 8); -+ -+ Packet *r = Defrag(NULL, NULL, packets[0]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[1]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[2]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[3]); -+ FAIL_IF_NULL(r); -+ -+ // clang-format off -+ const uint8_t expected[] = { -+ // AACCBBDD -+ // AACCDDBB -+ // AABBDDCC -+ // DDCCBBAA -+ 'A', 'A', 'C', 'C', 'B', 'B', 'D', 'D', -+ 'A', 'A', 'C', 'C', 'D', 'D', 'B', 'B', -+ 'A', 'A', 'B', 'B', 'D', 'D', 'C', 'C', -+ 'D', 'D', 'C', 'C', 'B', 'B', 'A', 'A', -+ }; -+ // clang-format on -+ -+ FAIL_IF(memcmp(expected, GET_PKT_DATA(r) + 20 + 8, sizeof(expected)) != 0); -+ -+ DefragDestroy(); -+ PASS; -+} -+ -+static int DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2(void) -+{ -+ DefragInit(); -+ default_policy = DEFRAG_POLICY_BSD; -+ Packet *packets[4]; -+ -+ /* Packet 1: off=16, mf=1 */ -+ packets[0] = BuildIpv6TestPacketWithContent( -+ IPPROTO_ICMP, 6, 16 >> 3, 1, (uint8_t *)"AABBCCDDAABBDDCC", 16); -+ -+ /* Packet 2: off=8, mf=1 */ -+ packets[1] = BuildIpv6TestPacketWithContent( -+ IPPROTO_ICMP, 6, 8 >> 3, 1, (uint8_t *)"AACCBBDDAACCDDBB", 16); -+ -+ /* Packet 3: off=0, mf=1: IP and ICMP header. 
*/ -+ packets[2] = BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 6, 0, 1, (uint8_t *)"ZZZZZZZZ", 8); -+ -+ /* Packet 4: off=8, mf=1 */ -+ packets[3] = -+ BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 6, 32 >> 3, 0, (uint8_t *)"DDCCBBAA", 8); -+ -+ Packet *r = Defrag(NULL, NULL, packets[0]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[1]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[2]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[3]); -+ FAIL_IF_NULL(r); -+ -+ // clang-format off -+ const uint8_t expected[] = { -+ // AACCBBDD -+ // AACCDDBB -+ // AABBDDCC -+ // DDCCBBAA -+ 'A', 'A', 'C', 'C', 'B', 'B', 'D', 'D', -+ 'A', 'A', 'C', 'C', 'D', 'D', 'B', 'B', -+ 'A', 'A', 'B', 'B', 'D', 'D', 'C', 'C', -+ 'D', 'D', 'C', 'C', 'B', 'B', 'A', 'A', -+ }; -+ // clang-format on -+ -+ FAIL_IF(memcmp(expected, GET_PKT_DATA(r) + 40 + 8, sizeof(expected)) != 0); -+ -+ DefragDestroy(); -+ PASS; -+} -+ -+/** -+ * #### Input -+ * -+ * | 96 (0) | 104 (8) | 112 (16) | 120 (24) | -+ * |----------|----------|----------|----------| -+ * | | EEEEEEEE | EEEEEEEE | EEEEEEEE | -+ * | MMMMMMMM | MMMMMMMM | MMMMMMMM | | -+ * -+ * #### Expected Output -+ * -+ * | MMMMMMMM | MMMMMMMM | MMMMMMMM | EEEEEEEE | -+ */ -+static int DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test(void) -+{ -+ DefragInit(); -+ default_policy = DEFRAG_POLICY_BSD; -+ Packet *packets[2]; -+ -+ packets[0] = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 8 >> 3, 0, 'E', 24); -+ packets[1] = BuildIpv4TestPacket(IPPROTO_ICMP, 1, 0, 1, 'M', 24); -+ -+ Packet *r = Defrag(NULL, NULL, packets[0]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[1]); -+ FAIL_IF_NULL(r); -+ -+ // clang-format off -+ const uint8_t expected[] = { -+ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', -+ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', -+ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', -+ 'E', 'E', 'E', 'E', 'E', 'E', 'E', 'E', -+ }; -+ // clang-format on -+ -+ if (memcmp(expected, GET_PKT_DATA(r) + 20, 
sizeof(expected)) != 0) { -+ printf("Expected:\n"); -+ PrintRawDataFp(stdout, expected, sizeof(expected)); -+ printf("Got:\n"); -+ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 20, GET_PKT_LEN(r) - 20); -+ FAIL; -+ } -+ -+ PASS; -+} -+ -+static int DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test(void) -+{ -+ DefragInit(); -+ default_policy = DEFRAG_POLICY_BSD; -+ Packet *packets[2]; -+ -+ packets[0] = BuildIpv6TestPacket(IPPROTO_ICMP, 1, 8 >> 3, 0, 'E', 24); -+ packets[1] = BuildIpv6TestPacket(IPPROTO_ICMP, 1, 0, 1, 'M', 24); -+ -+ Packet *r = Defrag(NULL, NULL, packets[0]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[1]); -+ FAIL_IF_NULL(r); -+ -+ // clang-format off -+ const uint8_t expected[] = { -+ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', -+ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', -+ 'M', 'M', 'M', 'M', 'M', 'M', 'M', 'M', -+ 'E', 'E', 'E', 'E', 'E', 'E', 'E', 'E', -+ }; -+ // clang-format on -+ -+ if (memcmp(expected, GET_PKT_DATA(r) + 40, sizeof(expected)) != 0) { -+ printf("Expected:\n"); -+ PrintRawDataFp(stdout, expected, sizeof(expected)); -+ printf("Got:\n"); -+ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 40, GET_PKT_LEN(r) - 40); -+ FAIL; -+ } -+ -+ PASS; -+} -+ - #endif /* UNITTESTS */ - - void DefragRegisterTests(void) -@@ -2675,5 +3042,11 @@ void DefragRegisterTests(void) - - UtRegisterTest("DefragBsdFragmentAfterNoMfIpv4Test", DefragBsdFragmentAfterNoMfIpv4Test); - UtRegisterTest("DefragBsdFragmentAfterNoMfIpv6Test", DefragBsdFragmentAfterNoMfIpv6Test); -+ UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test", -+ DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test); -+ UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test", -+ DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test); -+ UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2", DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2); -+ UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2", 
DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2); - #endif /* UNITTESTS */ - } --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-32867-004.patch b/recipes-ids/suricata/files/CVE-2024-32867-004.patch deleted file mode 100644 index 7edb3b3..0000000 --- a/recipes-ids/suricata/files/CVE-2024-32867-004.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From e6267758ed5da27f804f0c1c07f9423bdf4d72b8 Mon Sep 17 00:00:00 2001 -From: Jason Ish -Date: Fri, 12 Jan 2024 11:09:59 -0600 -Subject: [PATCH] defrag: fix check for complete packet - -The list of fragments may still contain overlaps, so adding up the -fragment lengths is flawed. Instead track the largest size of -contiguous data that can be re-assembled. - -Bug: #6675 -(cherry picked from commit d226d0a3fce8837936e1bdfaee496c80d417e0a5) - -CVE: CVE-2024-32867 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/e6267758ed5da27f804f0c1c07f9423bdf4d72b8] -Signed-off-by: Hitendra Prajapati ---- - src/defrag.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 114 insertions(+), 2 deletions(-) - -diff --git a/src/defrag.c b/src/defrag.c -index 28d085d..fc46411 100644 ---- a/src/defrag.c -+++ b/src/defrag.c -@@ -276,7 +276,8 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) - goto done; - } - else { -- len += frag->data_len; -+ /* Update the packet length to the largest known data offset. */ -+ len = MAX(len, frag->offset + frag->data_len); - } - } - -@@ -434,7 +435,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) - goto done; - } - else { -- len += frag->data_len; -+ len = MAX(len, frag->offset + frag->data_len); - } - } - } -@@ -3000,6 +3001,115 @@ static int DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test(void) - PASS; - } - -+/** -+ * Reassembly should fail. 
-+ * -+ * |0 |8 |16 |24 |32 |40 |48 | -+ * |========|========|========|========|========|========|========| -+ * | | |AABBCCDD|AABBDDCC| | | | -+ * | | | | | |AACCBBDD| | -+ * | |AACCDDBB|AADDBBCC| | | | | -+ * |ZZZZZZZZ| | | | | | | -+ * | | | | | | |DDCCBBAA| -+ */ -+static int DefragBsdMissingFragmentIpv4Test(void) -+{ -+ DefragInit(); -+ default_policy = DEFRAG_POLICY_BSD; -+ Packet *packets[5]; -+ -+ packets[0] = BuildIpv4TestPacketWithContent( -+ IPPROTO_ICMP, 189, 16 >> 3, 1, (uint8_t *)"AABBCCDDAABBDDCC", 16); -+ -+ packets[1] = -+ BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 189, 40 >> 3, 1, (uint8_t *)"AACCBBDD", 8); -+ -+ packets[2] = BuildIpv4TestPacketWithContent( -+ IPPROTO_ICMP, 189, 8 >> 3, 1, (uint8_t *)"AACCDDBBAADDBBCC", 16); -+ -+ /* ICMP header. */ -+ packets[3] = BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 189, 0, 1, (uint8_t *)"ZZZZZZZZ", 8); -+ -+ packets[4] = -+ BuildIpv4TestPacketWithContent(IPPROTO_ICMP, 189, 48 >> 3, 0, (uint8_t *)"DDCCBBAA", 8); -+ -+ Packet *r = Defrag(NULL, NULL, packets[0]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[1]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[2]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[3]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[4]); -+ FAIL_IF_NOT_NULL(r); -+ -+#if 0 -+ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 20, GET_PKT_LEN(r) - 20); -+#endif -+ -+ for (int i = 0; i < 5; i++) { -+ SCFree(packets[i]); -+ } -+ -+ DefragDestroy(); -+ -+ PASS; -+} -+ -+static int DefragBsdMissingFragmentIpv6Test(void) -+{ -+ DefragInit(); -+ default_policy = DEFRAG_POLICY_BSD; -+ Packet *packets[5]; -+ -+ packets[0] = BuildIpv6TestPacketWithContent( -+ IPPROTO_ICMP, 189, 16 >> 3, 1, (uint8_t *)"AABBCCDDAABBDDCC", 16); -+ -+ packets[1] = -+ BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 189, 40 >> 3, 1, (uint8_t *)"AACCBBDD", 8); -+ -+ packets[2] = BuildIpv6TestPacketWithContent( -+ IPPROTO_ICMP, 189, 8 >> 3, 1, (uint8_t 
*)"AACCDDBBAADDBBCC", 16); -+ -+ /* ICMP header. */ -+ packets[3] = BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 189, 0, 1, (uint8_t *)"ZZZZZZZZ", 8); -+ -+ packets[4] = -+ BuildIpv6TestPacketWithContent(IPPROTO_ICMP, 189, 48 >> 3, 0, (uint8_t *)"DDCCBBAA", 8); -+ -+ Packet *r = Defrag(NULL, NULL, packets[0]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[1]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[2]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[3]); -+ FAIL_IF_NOT_NULL(r); -+ -+ r = Defrag(NULL, NULL, packets[4]); -+ FAIL_IF_NOT_NULL(r); -+ -+#if 0 -+ PrintRawDataFp(stdout, GET_PKT_DATA(r) + 40, GET_PKT_LEN(r) - 40); -+#endif -+ -+ for (int i = 0; i < 5; i++) { -+ SCFree(packets[i]); -+ } -+ -+ DefragDestroy(); -+ -+ PASS; -+} -+ - #endif /* UNITTESTS */ - - void DefragRegisterTests(void) -@@ -3048,5 +3158,7 @@ void DefragRegisterTests(void) - DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test); - UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2", DefragBsdSubsequentOverlapsStartOfOriginalIpv4Test_2); - UtRegisterTest("DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2", DefragBsdSubsequentOverlapsStartOfOriginalIpv6Test_2); -+ UtRegisterTest("DefragBsdMissingFragmentIpv4Test", DefragBsdMissingFragmentIpv4Test); -+ UtRegisterTest("DefragBsdMissingFragmentIpv6Test", DefragBsdMissingFragmentIpv6Test); - #endif /* UNITTESTS */ - } --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-45795.patch b/recipes-ids/suricata/files/CVE-2024-45795.patch deleted file mode 100644 index 10363c5..0000000 --- a/recipes-ids/suricata/files/CVE-2024-45795.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 72456d359bf3064306b62024c809bb30b162f18c Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Mon, 12 Aug 2024 09:54:43 +0200 -Subject: [PATCH] detect/datasets: implement unset command - -Ticket: 7195 - -Otherwise, Suricata aborted on such a rule - -(cherry picked from commit e47598110a557bb9f87ea498d85ba91a45bb0cb6) - -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/72456d359bf3064306b62024c809bb30b162f18c && https://github.com/OISF/suricata/commit/96d5c81aed01f2bc0cd3e2e60057d0deb38caa99] -CVE: CVE-2024-45795 -Signed-off-by: Hitendra Prajapati ---- - doc/userguide/rules/datasets.rst | 2 +- - src/datasets.c | 20 ++++++++++++++++++++ - src/datasets.h | 1 + - src/detect-dataset.c | 11 +++++++++++ - src/detect-dataset.h | 5 ----- - 5 files changed, 33 insertions(+), 6 deletions(-) - -diff --git a/doc/userguide/rules/datasets.rst b/doc/userguide/rules/datasets.rst -index 647b12e..dd9ecd2 100644 ---- a/doc/userguide/rules/datasets.rst -+++ b/doc/userguide/rules/datasets.rst -@@ -78,7 +78,7 @@ Syntax:: - - dataset:,,; - -- dataset:, \ -+ dataset:, \ - [, type , save , load , state , memcap , hashsize ]; - - type -diff --git a/src/datasets.c b/src/datasets.c -index d89ed8d..32bcf6e 100644 ---- a/src/datasets.c -+++ b/src/datasets.c -@@ -1741,3 +1741,23 @@ int DatasetRemoveSerialized(Dataset *set, const char *string) - return DatasetOpSerialized(set, string, DatasetRemoveString, DatasetRemoveMd5, - DatasetRemoveSha256, DatasetRemoveIPv4, DatasetRemoveIPv6); - } -+ -+int DatasetRemove(Dataset *set, const uint8_t *data, const uint32_t data_len) -+{ -+ if (set == NULL) -+ return -1; -+ -+ switch (set->type) { -+ case DATASET_TYPE_STRING: -+ return DatasetRemoveString(set, data, data_len); -+ case DATASET_TYPE_MD5: -+ return DatasetRemoveMd5(set, data, data_len); -+ case DATASET_TYPE_SHA256: -+ return DatasetRemoveSha256(set, data, data_len); -+ case DATASET_TYPE_IPV4: -+ return DatasetRemoveIPv4(set, data, data_len); -+ case 
DATASET_TYPE_IPV6: -+ return DatasetRemoveIPv6(set, data, data_len); -+ } -+ return -1; -+} -diff --git a/src/datasets.h b/src/datasets.h -index af4fc17..0f28a9f 100644 ---- a/src/datasets.h -+++ b/src/datasets.h -@@ -56,6 +56,7 @@ Dataset *DatasetFind(const char *name, enum DatasetTypes type); - Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, - uint64_t memcap, uint32_t hashsize); - int DatasetAdd(Dataset *set, const uint8_t *data, const uint32_t data_len); -+int DatasetRemove(Dataset *set, const uint8_t *data, const uint32_t data_len); - int DatasetLookup(Dataset *set, const uint8_t *data, const uint32_t data_len); - DataRepResultType DatasetLookupwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, - const DataRepType *rep); -diff --git a/src/detect-dataset.c b/src/detect-dataset.c -index 3d29646..aad5cf0 100644 ---- a/src/detect-dataset.c -+++ b/src/detect-dataset.c -@@ -41,6 +41,11 @@ - #include "util-path.h" - #include "util-conf.h" - -+#define DETECT_DATASET_CMD_SET 0 -+#define DETECT_DATASET_CMD_UNSET 1 -+#define DETECT_DATASET_CMD_ISNOTSET 2 -+#define DETECT_DATASET_CMD_ISSET 3 -+ - int DetectDatasetMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, - const Signature *, const SigMatchCtx *); - static int DetectDatasetSetup (DetectEngineCtx *, Signature *, const char *); -@@ -91,6 +96,12 @@ int DetectDatasetBufferMatch(DetectEngineThreadCtx *det_ctx, - return 1; - break; - } -+ case DETECT_DATASET_CMD_UNSET: { -+ int r = DatasetRemove(sd->set, data, data_len); -+ if (r == 1) -+ return 1; -+ break; -+ } - default: - abort(); - } -diff --git a/src/detect-dataset.h b/src/detect-dataset.h -index ca83267..d243552 100644 ---- a/src/detect-dataset.h -+++ b/src/detect-dataset.h -@@ -26,11 +26,6 @@ - - #include "datasets.h" - --#define DETECT_DATASET_CMD_SET 0 --#define DETECT_DATASET_CMD_UNSET 1 --#define DETECT_DATASET_CMD_ISNOTSET 2 --#define DETECT_DATASET_CMD_ISSET 3 -- - typedef struct 
DetectDatasetData_ { - Dataset *set; - uint8_t cmd; --- -2.25.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-45796.patch b/recipes-ids/suricata/files/CVE-2024-45796.patch deleted file mode 100644 index ae00a5f..0000000 --- a/recipes-ids/suricata/files/CVE-2024-45796.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 9203656496c4081260817cce018a0d8fd57869b5 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Mon, 15 Jul 2024 09:52:00 +0200 -Subject: [PATCH] defrag: fix off by one - -Ticket: 7067 - -This off by one could lead to an empty fragment being inserted -in the rb tree, which led to integer underflow. - -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/9203656496c4081260817cce018a0d8fd57869b5] -CVE: CVE-2024-45796 -Signed-off-by: Hitendra Prajapati ---- - src/defrag.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/defrag.c b/src/defrag.c -index 71cf420..38704c9 100644 ---- a/src/defrag.c -+++ b/src/defrag.c -@@ -808,7 +808,7 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker, - } - } - -- if (ltrim > data_len) { -+ if (ltrim >= data_len) { - /* Full packet has been trimmed due to the overlap policy. Overlap - * already set. */ - goto done; --- -2.25.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-45797.patch b/recipes-ids/suricata/files/CVE-2024-45797.patch deleted file mode 100644 index 3db4625..0000000 --- a/recipes-ids/suricata/files/CVE-2024-45797.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From 0d550de551b91d5e57ba23e2b1e2c6430fad6818 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Mon, 12 Aug 2024 14:06:40 +0200 -Subject: [PATCH] headers: put a configurable limit on their numbers - -So as to avoid quadratic complexity - -Ticket: 7191 - -Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818] -CVE: CVE-2024-45797 -Signed-off-by: Hitendra Prajapati ---- - htp/htp_config.c | 8 ++++++++ - htp/htp_config.h | 8 ++++++++ - htp/htp_config_private.h | 6 ++++++ - htp/htp_core.h | 1 + - htp/htp_request_generic.c | 11 +++++++++++ - htp/htp_response_generic.c | 10 ++++++++++ - 6 files changed, 44 insertions(+) - -diff --git a/htp/htp_config.c b/htp/htp_config.c -index 767458f..9e0eee3 100644 ---- a/htp/htp_config.c -+++ b/htp/htp_config.c -@@ -145,6 +145,8 @@ static unsigned char bestfit_1252[] = { - 0xff, 0x5d, 0x7d, 0xff, 0x5e, 0x7e, 0x00, 0x00, 0x00 - }; - -+#define HTP_HEADERS_LIMIT 1024 -+ - htp_cfg_t *htp_config_create(void) { - htp_cfg_t *cfg = calloc(1, sizeof (htp_cfg_t)); - if (cfg == NULL) return NULL; -@@ -163,6 +165,7 @@ htp_cfg_t *htp_config_create(void) { - cfg->response_lzma_layer_limit = 1; // default is only one layer - cfg->compression_bomb_limit = HTP_COMPRESSION_BOMB_LIMIT; - cfg->compression_time_limit = HTP_COMPRESSION_TIME_LIMIT_USEC; -+ cfg->number_headers_limit = HTP_HEADERS_LIMIT; - cfg->allow_space_uri = 0; - - // Default settings for URL-encoded data. 
-@@ -542,6 +545,11 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit) { - } - } - -+void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit) { -+ if (cfg == NULL) return; -+ cfg->number_headers_limit = limit; -+} -+ - void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level) { - if (cfg == NULL) return; - cfg->log_level = log_level; -diff --git a/htp/htp_config.h b/htp/htp_config.h -index d1365dc..ed0eaeb 100644 ---- a/htp/htp_config.h -+++ b/htp/htp_config.h -@@ -466,6 +466,14 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit); - */ - void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level); - -+/** -+ * Configures the maximum number of headers LibHTP will accept per request or response. -+ * -+ * @param[in] cfg -+ * @param[in] limit -+ */ -+void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit); -+ - /** - * Configures how the server reacts to encoded NUL bytes. Some servers will stop at - * at NUL, while some will respond with 400 or 404. When the termination option is not -diff --git a/htp/htp_config_private.h b/htp/htp_config_private.h -index 5f1d60d..ecc8717 100644 ---- a/htp/htp_config_private.h -+++ b/htp/htp_config_private.h -@@ -360,6 +360,12 @@ struct htp_cfg_t { - - /** Whether to decompress compressed request bodies. */ - int request_decompression_enabled; -+ -+ /** Maximum number of transactions. */ -+ uint32_t max_tx; -+ -+ /** Maximum number of headers. 
*/ -+ uint32_t number_headers_limit; - }; - - #ifdef __cplusplus -diff --git a/htp/htp_core.h b/htp/htp_core.h -index e4c933e..7c23212 100644 ---- a/htp/htp_core.h -+++ b/htp/htp_core.h -@@ -235,6 +235,7 @@ enum htp_file_source_t { - #define HTP_REQUEST_INVALID 0x100000000ULL - #define HTP_REQUEST_INVALID_C_L 0x200000000ULL - #define HTP_AUTH_INVALID 0x400000000ULL -+#define HTP_HEADERS_TOO_MANY 0x800000000ULL - - #define HTP_MAX_HEADERS_REPETITIONS 64 - -diff --git a/htp/htp_request_generic.c b/htp/htp_request_generic.c -index 435cf0a..1350e57 100644 ---- a/htp/htp_request_generic.c -+++ b/htp/htp_request_generic.c -@@ -120,6 +120,17 @@ htp_status_t htp_process_request_header_generic(htp_connp_t *connp, unsigned cha - bstr_free(h->value); - free(h); - } else { -+ if (htp_table_size(connp->in_tx->request_headers) > connp->cfg->number_headers_limit) { -+ if (!(connp->in_tx->flags & HTP_HEADERS_TOO_MANY)) { -+ connp->in_tx->flags |= HTP_HEADERS_TOO_MANY; -+ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many request headers"); -+ } -+ bstr_free(h->name); -+ bstr_free(h->value); -+ free(h); -+ // give up on what comes next -+ return HTP_ERROR; -+ } - // Add as a new header. 
- if (htp_table_add(connp->in_tx->request_headers, h->name, h) != HTP_OK) { - bstr_free(h->name); -diff --git a/htp/htp_response_generic.c b/htp/htp_response_generic.c -index f5fa59e..69da625 100644 ---- a/htp/htp_response_generic.c -+++ b/htp/htp_response_generic.c -@@ -321,6 +321,16 @@ htp_status_t htp_process_response_header_generic(htp_connp_t *connp, unsigned ch - bstr_free(h->value); - free(h); - } else { -+ if (htp_table_size(connp->out_tx->response_headers) > connp->cfg->number_headers_limit) { -+ if (!(connp->out_tx->flags & HTP_HEADERS_TOO_MANY)) { -+ connp->out_tx->flags |= HTP_HEADERS_TOO_MANY; -+ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many response headers"); -+ } -+ bstr_free(h->name); -+ bstr_free(h->value); -+ free(h); -+ return HTP_ERROR; -+ } - // Add as a new header. - if (htp_table_add(connp->out_tx->response_headers, h->name, h) != HTP_OK) { - bstr_free(h->name); --- -2.25.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-55605.patch b/recipes-ids/suricata/files/CVE-2024-55605.patch deleted file mode 100644 index c8bfead..0000000 --- a/recipes-ids/suricata/files/CVE-2024-55605.patch +++ /dev/null 
@@ -1,205 +0,0 @@ -From f80ebd5a30b02db5915f749f0c067c7adefbbe76 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Thu, 7 Nov 2024 17:49:45 +0100 -Subject: [PATCH] detect/transforms: write directly in inspect buffer - -instead of writing to a temporary buffer and then copying, -to save the cost of copying. - -Ticket: 7229 - -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 && https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba] -CVE: CVE-2024-55605 -Signed-off-by: Hitendra Prajapati ---- - src/detect-engine.c | 23 ++++++++++++++++++++-- - src/detect-engine.h | 3 ++- - src/detect-transform-compress-whitespace.c | 8 ++++++-- - src/detect-transform-dotprefix.c | 10 +++++++--- - src/detect-transform-strip-whitespace.c | 8 ++++++-- - src/detect-transform-urldecode.c | 8 ++++++-- - src/detect-transform-xor.c | 7 +++++-- - 7 files changed, 53 insertions(+), 14 deletions(-) - -diff --git a/src/detect-engine.c b/src/detect-engine.c -index 141b48a..cdb24d8 100644 ---- a/src/detect-engine.c -+++ b/src/detect-engine.c -@@ -1647,11 +1647,13 @@ void InspectionBufferFree(InspectionBuffer *buffer) - /** - * \brief make sure that the buffer has at least 'min_size' bytes - * Expand the buffer if necessary -+ * -+ * \retval pointer to inner buffer to use, or NULL if realloc failed - */ --void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size) -+uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size) - { - if (likely(buffer->size >= min_size)) -- return; -+ return buffer->buf; - - uint32_t new_size = (buffer->size == 0) ? 
4096 : buffer->size; - while (new_size < min_size) { -@@ -1662,7 +1664,24 @@ void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size) - if (ptr != NULL) { - buffer->buf = ptr; - buffer->size = new_size; -+ } else { -+ return NULL; - } -+ return buffer->buf; -+} -+ -+/** -+ * \brief set inspect length of inspect buffer -+ * The inspect buffer may have been overallocated (by strip_whitespace for example) -+ * so, this sets the final length -+ */ -+void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len) -+{ -+ DEBUG_VALIDATE_BUG_ON(buffer->buf == NULL); -+ DEBUG_VALIDATE_BUG_ON(buf_len > buffer->size); -+ buffer->inspect = buffer->buf; -+ buffer->inspect_len = buf_len; -+ buffer->initialized = true; - } - - void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len) -diff --git a/src/detect-engine.h b/src/detect-engine.h -index 7617e66..04713a7 100644 ---- a/src/detect-engine.h -+++ b/src/detect-engine.h -@@ -31,7 +31,8 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size); - void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, - InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len); - void InspectionBufferFree(InspectionBuffer *buffer); --void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); -+uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size); -+void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len); - void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len); - void InspectionBufferApplyTransforms(InspectionBuffer *buffer, - const DetectEngineTransforms *transforms); -diff --git a/src/detect-transform-compress-whitespace.c b/src/detect-transform-compress-whitespace.c -index 5cbf0fd..cc78c7e 100644 ---- a/src/detect-transform-compress-whitespace.c -+++ b/src/detect-transform-compress-whitespace.c -@@ -111,7 +111,11 @@ static void 
TransformCompressWhitespace(InspectionBuffer *buffer, void *options) - return; - } - -- uint8_t output[input_len]; // we can only shrink -+ // we can only shrink -+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len); -+ if (output == NULL) { -+ return; -+ } - uint8_t *oi = output, *os = output; - - //PrintRawDataFp(stdout, input, input_len); -@@ -132,7 +136,7 @@ static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options) - uint32_t output_size = oi - os; - //PrintRawDataFp(stdout, output, output_size); - -- InspectionBufferCopy(buffer, os, output_size); -+ InspectionBufferTruncate(buffer, output_size); - } - - #ifdef UNITTESTS -diff --git a/src/detect-transform-dotprefix.c b/src/detect-transform-dotprefix.c -index 52a2633..d58e1d4 100644 ---- a/src/detect-transform-dotprefix.c -+++ b/src/detect-transform-dotprefix.c -@@ -110,11 +110,15 @@ static void TransformDotPrefix(InspectionBuffer *buffer, void *options) - const size_t input_len = buffer->inspect_len; - - if (input_len) { -- uint8_t output[input_len + 1]; // For the leading '.' -+ // For the leading '.' 
-+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len + 1); -+ if (output == NULL) { -+ return; -+ } - -+ memmove(&output[1], buffer->inspect, input_len); - output[0] = '.'; -- memcpy(&output[1], buffer->inspect, input_len); -- InspectionBufferCopy(buffer, output, input_len + 1); -+ InspectionBufferTruncate(buffer, input_len + 1); - } - } - -diff --git a/src/detect-transform-strip-whitespace.c b/src/detect-transform-strip-whitespace.c -index 32fb96f..6040592 100644 ---- a/src/detect-transform-strip-whitespace.c -+++ b/src/detect-transform-strip-whitespace.c -@@ -106,7 +106,11 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options) - if (input_len == 0) { - return; - } -- uint8_t output[input_len]; // we can only shrink -+ // we can only shrink -+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len); -+ if (output == NULL) { -+ return; -+ } - uint8_t *oi = output, *os = output; - - //PrintRawDataFp(stdout, input, input_len); -@@ -119,7 +123,7 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options) - uint32_t output_size = oi - os; - //PrintRawDataFp(stdout, output, output_size); - -- InspectionBufferCopy(buffer, os, output_size); -+ InspectionBufferTruncate(buffer, output_size); - } - - #ifdef UNITTESTS -diff --git a/src/detect-transform-urldecode.c b/src/detect-transform-urldecode.c -index 13ef033..a4e9655 100644 ---- a/src/detect-transform-urldecode.c -+++ b/src/detect-transform-urldecode.c -@@ -125,12 +125,16 @@ static void TransformUrlDecode(InspectionBuffer *buffer, void *options) - if (input_len == 0) { - return; - } -- uint8_t output[input_len]; // we can only shrink -+ // we can only shrink -+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len); -+ if (output == NULL) { -+ return; -+ } - - changed = BufferUrlDecode(input, input_len, output, &output_size); - - if (changed) { -- InspectionBufferCopy(buffer, output, output_size); -+ InspectionBufferTruncate(buffer, 
output_size); - } - } - -diff --git a/src/detect-transform-xor.c b/src/detect-transform-xor.c -index e42700f..18f96df 100644 ---- a/src/detect-transform-xor.c -+++ b/src/detect-transform-xor.c -@@ -133,12 +133,15 @@ static void DetectTransformXor(InspectionBuffer *buffer, void *options) - if (input_len == 0) { - return; - } -- uint8_t output[input_len]; -+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len); -+ if (output == NULL) { -+ return; -+ } - - for (uint32_t i = 0; i < input_len; i++) { - output[i] = input[i] ^ pxd->key[i % pxd->length]; - } -- InspectionBufferCopy(buffer, output, input_len); -+ InspectionBufferTruncate(buffer, input_len); - } - - #ifdef UNITTESTS --- -2.25.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-55627-001.patch b/recipes-ids/suricata/files/CVE-2024-55627-001.patch deleted file mode 100644 index 50b4f06..0000000 --- a/recipes-ids/suricata/files/CVE-2024-55627-001.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 0dc364aef2dec122fc0e7ee4c190864f4cc5f1bd Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Thu, 21 Nov 2024 14:55:32 +0100 -Subject: [PATCH] util/streaming-buffer: fix regions intersection - -This was not a problem for current callers in Suricata, -as RegionsIntersect is only called through StreamingBufferInsertAt -which is only used by TCP... - -And TCP uses default region gap = 256kb, and only calls -StreamingBufferInsertAt with a u16, so TCP never inserts a new -data that will strictly contain an existing region augmented -with region gap, which was the only case where RegionsIntersect -returned the wrong result, which could later lead to a -buffer overflow. - -Ticket: 7393 -(cherry picked from commit 282509f70c4ce805098e59535af445362e3e9ebd) - -CVE: CVE-2024-55627 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/0dc364aef2dec122fc0e7ee4c190864f4cc5f1bd] -Signed-off-by: Hitendra Prajapati ---- - src/util-streaming-buffer.c | 19 ++++++++----------- - 1 file changed, 8 insertions(+), 11 deletions(-) - -diff --git a/src/util-streaming-buffer.c b/src/util-streaming-buffer.c -index 7608b50..d1d20e8 100644 ---- a/src/util-streaming-buffer.c -+++ b/src/util-streaming-buffer.c -@@ -133,17 +133,14 @@ static inline bool RegionsIntersect(const StreamingBuffer *sb, const StreamingBu - SCLogDebug("r %p: %" PRIu64 "/%" PRIu64 " - adjusted %" PRIu64 "/%" PRIu64, r, r->stream_offset, - r->stream_offset + r->buf_size, reg_o, reg_re); - /* check if data range intersects with region range */ -- if (offset >= reg_o && offset <= reg_re) { -- SCLogDebug("r %p is in-scope", r); -- return true; -- } -- if (re >= reg_o && re <= reg_re) { -- SCLogDebug("r %p is in-scope: %" PRIu64 " >= %" PRIu64 " && %" PRIu64 " <= %" PRIu64, r, re, -- reg_o, re, reg_re); -- return true; -- } -- SCLogDebug("r %p is out of scope: %" PRIu64 "/%" PRIu64, r, offset, re); -- return false; -+ /* [offset:re] and [reg_o:reg_re] do not intersect if and only if -+ * 
re < reg_o or if reg_re < offset (one segment is strictly before the other) -+ * trusting that offset<=re and reg_o<=reg_re -+ */ -+ if (re < reg_o || reg_re < offset) { -+ return false; -+ } -+ return true; - } - - /** \internal --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-55627-002.patch b/recipes-ids/suricata/files/CVE-2024-55627-002.patch deleted file mode 100644 index 8e2ca6b..0000000 --- a/recipes-ids/suricata/files/CVE-2024-55627-002.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 949bfeca0e5f92212dc3d79f4a87c7c482d376aa Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Thu, 21 Nov 2024 15:17:21 +0100 -Subject: [PATCH] util/streaming-buffer: check need to grow region - -Ticket: 7393 - -As it was possible before earlier patches to get here -with mem_size lesser than start->buf_size, -which caused then an unsigned underflow and a buffer overflow. - -(cherry picked from commit 8900041405dbb5f9584edae994af2100733fb4be) - -CVE: CVE-2024-55627 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/949bfeca0e5f92212dc3d79f4a87c7c482d376aa] -Signed-off-by: Hitendra Prajapati ---- - src/util-streaming-buffer.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/src/util-streaming-buffer.c b/src/util-streaming-buffer.c -index d1d20e8..2625e49 100644 ---- a/src/util-streaming-buffer.c -+++ b/src/util-streaming-buffer.c -@@ -931,9 +931,13 @@ static inline void StreamingBufferSlideToOffsetWithRegions( - goto done; - } else { - /* using "main", expand to include "next" */ -- if (GrowRegionToSize(sb, cfg, start, mem_size) != 0) { -- new_mem_size = new_data_size; -- goto just_main; -+ if (mem_size > start->buf_size) { -+ // Check that start->buf_size is actually not big enough -+ // As mem_size computation and earlier checks do not make it clear. -+ if (GrowRegionToSize(sb, cfg, start, mem_size) != 0) { -+ new_mem_size = new_data_size; -+ goto just_main; -+ } - } - SCLogDebug("start->buf now size %u", mem_size); - --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-55627-003.patch b/recipes-ids/suricata/files/CVE-2024-55627-003.patch deleted file mode 100644 index 63d5016..0000000 --- a/recipes-ids/suricata/files/CVE-2024-55627-003.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 7d47fcf7f7fefacd2b0d8f482534a83b35a3c45e Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Thu, 21 Nov 2024 15:20:44 +0100 -Subject: [PATCH] util/streaming-buffer: add extra safety check - -Ticket: 7393 - -Check if GrowRegionToSize is called with an argument -trying to shrink the region size, and if so do nothing, -ie do not try to shrink, and just return ok. - -This way, we avoid a buffer overflow from memeset using an -unsigned having underflowed. - -(cherry picked from commit 9a53ec43b13f0039a083950511a18bf6f408e432) - -CVE: CVE-2024-55627 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/7d47fcf7f7fefacd2b0d8f482534a83b35a3c45e] -Signed-off-by: Hitendra Prajapati ---- - src/util-streaming-buffer.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/util-streaming-buffer.c b/src/util-streaming-buffer.c -index 2625e49..077f8af 100644 ---- a/src/util-streaming-buffer.c -+++ b/src/util-streaming-buffer.c -@@ -715,6 +715,10 @@ static inline int WARN_UNUSED GrowRegionToSize(StreamingBuffer *sb, - /* try to grow in multiples of cfg->buf_size */ - const uint32_t grow = ToNextMultipleOf(size, cfg->buf_size); - SCLogDebug("grow %u", grow); -+ if (grow <= region->buf_size) { -+ // do not try to shrink, and do not memset with diff having unsigned underflow -+ return SC_OK; -+ } - - void *ptr = REALLOC(cfg, region->buf, region->buf_size, grow); - if (ptr == NULL) { --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-55628-001.patch b/recipes-ids/suricata/files/CVE-2024-55628-001.patch deleted file mode 100644 index 6371729..0000000 --- a/recipes-ids/suricata/files/CVE-2024-55628-001.patch +++ /dev/null 
@@ -1,738 +0,0 @@ -From 58c41a7fa99f62d9a8688e970ab1a9b09c79723a Mon Sep 17 00:00:00 2001 -From: Jason Ish -Date: Thu, 31 Oct 2024 15:40:40 -0600 -Subject: [PATCH] dns: truncate names larger than 1025 characters - -Once a name has gone over 1025 chars it will be truncated to 1025 -chars and no more labels will be added to it, however the name will -continue to be parsed up to the label limit in attempt to find the end -so parsing can continue. - -This introduces a new struct, DNSName which contains the name and any -flags which indicate any name parsing errors which should not error -out parsing the complete message, for example, infinite recursion -after some labels are parsed can continue, or truncation of name where -compression was used so we know the start of the next data to be -parsed. - -This limits the logged DNS messages from being over our maximum size -of 10Mb in the case of really long names. - -Ticket: #7280 - -CVE: CVE-2024-55628 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/58c41a7fa99f62d9a8688e970ab1a9b09c79723a] -Signed-off-by: Hitendra Prajapati ---- - rust/src/dns/dns.rs | 41 +++++--- - rust/src/dns/log.rs | 41 ++++---- - rust/src/dns/lua.rs | 36 ++++--- - rust/src/dns/parser.rs | 231 ++++++++++++++++++++++++++++++++++++----- - 4 files changed, 277 insertions(+), 72 deletions(-) - -diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs -index 382c76a..680bf7e 100644 ---- a/rust/src/dns/dns.rs -+++ b/rust/src/dns/dns.rs -@@ -144,7 +144,7 @@ pub struct DNSHeader { - - #[derive(Debug)] - pub struct DNSQueryEntry { -- pub name: Vec, -+ pub name: DNSName, - pub rrtype: u16, - pub rrclass: u16, - } -@@ -152,9 +152,9 @@ pub struct DNSQueryEntry { - #[derive(Debug, PartialEq, Eq)] - pub struct DNSRDataSOA { - /// Primary name server for this zone -- pub mname: Vec, -+ pub mname: DNSName, - /// Authority's mailbox -- pub rname: Vec, -+ pub rname: DNSName, - /// Serial version number - pub serial: u32, - /// Refresh interval 
(seconds) -@@ -186,7 +186,22 @@ pub struct DNSRDataSRV { - /// Port - pub port: u16, - /// Target -- pub target: Vec, -+ pub target: DNSName, -+} -+ -+bitflags! { -+ #[derive(Default)] -+ pub struct DNSNameFlags: u8 { -+ const INFINITE_LOOP = 0b0000_0001; -+ const TRUNCATED = 0b0000_0010; -+ const LABEL_LIMIT = 0b0000_0100; -+ } -+} -+ -+#[derive(Debug, Clone, PartialEq, Eq)] -+pub struct DNSName { -+ pub value: Vec, -+ pub flags: DNSNameFlags, - } - - /// Represents RData of various formats -@@ -196,10 +211,10 @@ pub enum DNSRData { - A(Vec), - AAAA(Vec), - // RData is a domain name -- CNAME(Vec), -- PTR(Vec), -- MX(Vec), -- NS(Vec), -+ CNAME(DNSName), -+ PTR(DNSName), -+ MX(DNSName), -+ NS(DNSName), - // RData is text - TXT(Vec), - NULL(Vec), -@@ -213,7 +228,7 @@ pub enum DNSRData { - - #[derive(Debug, PartialEq, Eq)] - pub struct DNSAnswerEntry { -- pub name: Vec, -+ pub name: DNSName, - pub rrtype: u16, - pub rrclass: u16, - pub ttl: u32, -@@ -871,9 +886,9 @@ pub unsafe extern "C" fn rs_dns_tx_get_query_name( - if let Some(request) = &tx.request { - if (i as usize) < request.queries.len() { - let query = &request.queries[i as usize]; -- if !query.name.is_empty() { -- *len = query.name.len() as u32; -- *buf = query.name.as_ptr(); -+ if !query.name.value.is_empty() { -+ *len = query.name.value.len() as u32; -+ *buf = query.name.value.as_ptr(); - return 1; - } - } -@@ -904,7 +919,7 @@ pub unsafe extern "C" fn rs_dns_tx_get_query_rrtype( - if let Some(request) = &tx.request { - if (i as usize) < request.queries.len() { - let query = &request.queries[i as usize]; -- if !query.name.is_empty() { -+ if !query.name.value.is_empty() { - *rrtype = query.rrtype; - return 1; - } -diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs -index 5212b1a..6bf9589 100644 ---- a/rust/src/dns/log.rs -+++ b/rust/src/dns/log.rs -@@ -398,8 +398,8 @@ pub fn dns_print_addr(addr: &Vec) -> std::string::String { - fn dns_log_soa(soa: &DNSRDataSOA) -> Result { - let mut js = 
JsonBuilder::try_new_object()?; - -- js.set_string_from_bytes("mname", &soa.mname)?; -- js.set_string_from_bytes("rname", &soa.rname)?; -+ js.set_string_from_bytes("mname", &soa.mname.value)?; -+ js.set_string_from_bytes("rname", &soa.rname.value)?; - js.set_uint("serial", soa.serial as u64)?; - js.set_uint("refresh", soa.refresh as u64)?; - js.set_uint("retry", soa.retry as u64)?; -@@ -434,7 +434,7 @@ fn dns_log_srv(srv: &DNSRDataSRV) -> Result { - js.set_uint("priority", srv.priority as u64)?; - js.set_uint("weight", srv.weight as u64)?; - js.set_uint("port", srv.port as u64)?; -- js.set_string_from_bytes("name", &srv.target)?; -+ js.set_string_from_bytes("name", &srv.target.value)?; - - js.close()?; - return Ok(js); -@@ -443,7 +443,7 @@ fn dns_log_srv(srv: &DNSRDataSRV) -> Result { - fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result { - let mut jsa = JsonBuilder::try_new_object()?; - -- jsa.set_string_from_bytes("rrname", &answer.name)?; -+ jsa.set_string_from_bytes("rrname", &answer.name.value)?; - jsa.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?; - jsa.set_uint("ttl", answer.ttl as u64)?; - -@@ -451,12 +451,10 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result { - jsa.set_string("rdata", &dns_print_addr(addr))?; - } -- DNSRData::CNAME(bytes) -- | DNSRData::MX(bytes) -- | DNSRData::NS(bytes) -- | DNSRData::TXT(bytes) -- | DNSRData::NULL(bytes) -- | DNSRData::PTR(bytes) => { -+ DNSRData::CNAME(name) | DNSRData::MX(name) | DNSRData::NS(name) | DNSRData::PTR(name) => { -+ jsa.set_string_from_bytes("rdata", &name.value)?; -+ } -+ DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => { - jsa.set_string_from_bytes("rdata", bytes)?; - } - DNSRData::SOA(soa) => { -@@ -507,7 +505,7 @@ fn dns_log_json_answer( - js.set_uint("opcode", opcode as u64)?; - - if let Some(query) = response.queries.first() { -- js.set_string_from_bytes("rrname", &query.name)?; -+ js.set_string_from_bytes("rrname", &query.name.value)?; - 
js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?; - } - js.set_string("rcode", &dns_rcode_string(header.flags))?; -@@ -530,12 +528,19 @@ fn dns_log_json_answer( - a.append_string(&dns_print_addr(addr))?; - } - } -- DNSRData::CNAME(bytes) -- | DNSRData::MX(bytes) -- | DNSRData::NS(bytes) -- | DNSRData::TXT(bytes) -- | DNSRData::NULL(bytes) -- | DNSRData::PTR(bytes) => { -+ DNSRData::CNAME(name) -+ | DNSRData::MX(name) -+ | DNSRData::NS(name) -+ | DNSRData::PTR(name) => { -+ if !answer_types.contains_key(&type_string) { -+ answer_types -+ .insert(type_string.to_string(), JsonBuilder::try_new_array()?); -+ } -+ if let Some(a) = answer_types.get_mut(&type_string) { -+ a.append_string_from_bytes(&name.value)?; -+ } -+ } -+ DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => { - if !answer_types.contains_key(&type_string) { - answer_types.insert(type_string.to_string(), JsonBuilder::try_new_array()?); - } -@@ -614,7 +619,7 @@ fn dns_log_query( - if dns_log_rrtype_enabled(query.rrtype, flags) { - jb.set_string("type", "query")?; - jb.set_uint("id", request.header.tx_id as u64)?; -- jb.set_string_from_bytes("rrname", &query.name)?; -+ jb.set_string_from_bytes("rrname", &query.name.value)?; - jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?; - jb.set_uint("tx_id", tx.id - 1)?; - if request.header.flags & 0x0040 != 0 { -diff --git a/rust/src/dns/lua.rs b/rust/src/dns/lua.rs -index b9935f8..f7b0c15 100644 ---- a/rust/src/dns/lua.rs -+++ b/rust/src/dns/lua.rs -@@ -34,12 +34,12 @@ pub extern "C" fn rs_dns_lua_get_rrname(clua: &mut CLuaState, tx: &mut DNSTransa - - if let Some(request) = &tx.request { - if let Some(query) = request.queries.first() { -- lua.pushstring(&String::from_utf8_lossy(&query.name)); -+ lua.pushstring(&String::from_utf8_lossy(&query.name.value)); - return 1; - } - } else if let Some(response) = &tx.response { - if let Some(query) = response.queries.first() { -- lua.pushstring(&String::from_utf8_lossy(&query.name)); -+ 
lua.pushstring(&String::from_utf8_lossy(&query.name.value)); - return 1; - } - } -@@ -86,7 +86,7 @@ pub extern "C" fn rs_dns_lua_get_query_table( - lua.settable(-3); - - lua.pushstring("rrname"); -- lua.pushstring(&String::from_utf8_lossy(&query.name)); -+ lua.pushstring(&String::from_utf8_lossy(&query.name.value)); - lua.settable(-3); - - lua.settable(-3); -@@ -103,7 +103,7 @@ pub extern "C" fn rs_dns_lua_get_query_table( - lua.settable(-3); - - lua.pushstring("rrname"); -- lua.pushstring(&String::from_utf8_lossy(&query.name)); -+ lua.pushstring(&String::from_utf8_lossy(&query.name.value)); - lua.settable(-3); - - lua.settable(-3); -@@ -142,11 +142,11 @@ pub extern "C" fn rs_dns_lua_get_answer_table( - lua.settable(-3); - - lua.pushstring("rrname"); -- lua.pushstring(&String::from_utf8_lossy(&answer.name)); -+ lua.pushstring(&String::from_utf8_lossy(&answer.name.value)); - lua.settable(-3); - - // All rdata types are pushed to "addr" for backwards compatibility -- match answer.data { -+ match &answer.data { - DNSRData::A(ref bytes) | DNSRData::AAAA(ref bytes) => { - if !bytes.is_empty() { - lua.pushstring("addr"); -@@ -154,12 +154,18 @@ pub extern "C" fn rs_dns_lua_get_answer_table( - lua.settable(-3); - } - } -- DNSRData::CNAME(ref bytes) -- | DNSRData::MX(ref bytes) -- | DNSRData::NS(ref bytes) -- | DNSRData::TXT(ref bytes) -+ DNSRData::CNAME(name) -+ | DNSRData::MX(name) -+ | DNSRData::NS(name) -+ | DNSRData::PTR(name) => { -+ if !name.value.is_empty() { -+ lua.pushstring("addr"); -+ lua.pushstring(&String::from_utf8_lossy(&name.value)); -+ lua.settable(-3); -+ } -+ } -+ DNSRData::TXT(ref bytes) - | DNSRData::NULL(ref bytes) -- | DNSRData::PTR(ref bytes) - | DNSRData::Unknown(ref bytes) => { - if !bytes.is_empty() { - lua.pushstring("addr"); -@@ -168,9 +174,9 @@ pub extern "C" fn rs_dns_lua_get_answer_table( - } - } - DNSRData::SOA(ref soa) => { -- if !soa.mname.is_empty() { -+ if !soa.mname.value.is_empty() { - lua.pushstring("addr"); -- 
lua.pushstring(&String::from_utf8_lossy(&soa.mname)); -+ lua.pushstring(&String::from_utf8_lossy(&soa.mname.value)); - lua.settable(-3); - } - } -@@ -181,7 +187,7 @@ pub extern "C" fn rs_dns_lua_get_answer_table( - } - DNSRData::SRV(ref srv) => { - lua.pushstring("addr"); -- lua.pushstring(&String::from_utf8_lossy(&srv.target)); -+ lua.pushstring(&String::from_utf8_lossy(&srv.target.value)); - lua.settable(-3); - } - } -@@ -221,7 +227,7 @@ pub extern "C" fn rs_dns_lua_get_authority_table( - lua.settable(-3); - - lua.pushstring("rrname"); -- lua.pushstring(&String::from_utf8_lossy(&answer.name)); -+ lua.pushstring(&String::from_utf8_lossy(&answer.name.value)); - lua.settable(-3); - - lua.settable(-3); -diff --git a/rust/src/dns/parser.rs b/rust/src/dns/parser.rs -index a1d97a5..12929bc 100644 ---- a/rust/src/dns/parser.rs -+++ b/rust/src/dns/parser.rs -@@ -45,16 +45,48 @@ pub fn dns_parse_header(i: &[u8]) -> IResult<&[u8], DNSHeader> { - )) - } - -+// Set a maximum assembled hostname length of 1025, this value was -+// chosen as its what DNSMasq uses, a popular DNS server, even if most -+// tooling limits names to 256 chars without special options. -+static MAX_NAME_LEN: usize = 1025; -+ - /// Parse a DNS name. - /// -+/// Names are parsed with the following restrictions: -+/// -+/// - Only 255 segments will be processed, if more the parser may -+/// error out. This is also our safeguard against an infinite loop. If -+/// a pointer had been followed a truncated name will be -+/// returned. However if pointer has been processed we error out as we -+/// don't know where the next data point starts without more -+/// iterations. -+/// -+/// - The maximum name parsed in representation format is MAX_NAME_LEN -+/// characters. Once larger, the truncated name will be returned with -+/// a flag specifying the name was truncated. Note that parsing -+/// continues if no pointer has been used as we still need to find the -+/// start of the next protocol unit. 
-+/// -+/// As some error in parsing the name are recoverable, a DNSName -+/// object is returned with flags signifying a recoverable -+/// error. These errors include: -+/// -+/// - infinite loop: as we know the end of the name in the input -+/// stream, we can return what we've parsed with the remain data. -+/// -+/// - maximum number of segments/labels parsed -+/// -+/// - truncation of name when too long -+/// - /// Parameters: - /// start: the start of the name - /// message: the complete message that start is a part of with the DNS header --pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8], Vec> { -+pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8], DNSName> { - let mut pos = start; - let mut pivot = start; - let mut name: Vec = Vec::with_capacity(32); - let mut count = 0; -+ let mut flags = DNSNameFlags::default(); - - loop { - if pos.is_empty() { -@@ -68,10 +100,12 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 - break; - } else if len & 0b1100_0000 == 0 { - let (rem, label) = length_data(be_u8)(pos)?; -- if !name.is_empty() { -- name.push(b'.'); -+ if !flags.contains(DNSNameFlags::TRUNCATED) { -+ if !name.is_empty() { -+ name.push(b'.'); -+ } -+ name.extend(label); - } -- name.extend(label); - pos = rem; - } else if len & 0b1100_0000 == 0b1100_0000 { - let (rem, leader) = be_u16(pos)?; -@@ -79,6 +113,21 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 - if offset > message.len() { - return Err(Err::Error(error_position!(pos, ErrorKind::OctDigit))); - } -+ -+ if &message[offset..] == pos { -+ // Self reference, immedate infinite loop. -+ flags.insert(DNSNameFlags::INFINITE_LOOP); -+ -+ // If we have followed a pointer, we can just break as -+ // we've already found the end of the input. But if we -+ // have not followed a pointer yet return a parse -+ // error. 
-+ if pivot != start { -+ break; -+ } -+ return Err(Err::Error(error_position!(pos, ErrorKind::OctDigit))); -+ } -+ - pos = &message[offset..]; - if pivot == start { - pivot = rem; -@@ -89,19 +138,43 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 - - // Return error if we've looped a certain number of times. - count += 1; -+ - if count > 255 { -+ flags.insert(DNSNameFlags::LABEL_LIMIT); -+ -+ // Our segment limit has been reached, if we have hit a -+ // pointer we can just return the truncated name. If we -+ // have not hit a pointer, we need to bail with an error. -+ if pivot != start { -+ flags.insert(DNSNameFlags::TRUNCATED); -+ break; -+ } - return Err(Err::Error(error_position!(pos, ErrorKind::OctDigit))); - } -+ -+ if name.len() > MAX_NAME_LEN { -+ name.truncate(MAX_NAME_LEN); -+ flags.insert(DNSNameFlags::TRUNCATED); -+ -+ // If we have pivoted due to a pointer we know where the -+ // end of the data is, so we can break early. Otherwise -+ // we'll keep parsing in hopes to find the end of the name -+ // so parsing can continue. -+ if pivot != start { -+ break; -+ } -+ } - } - - // If we followed a pointer we return the position after the first - // pointer followed. Is there a better way to see if these slices - // diverged from each other? A straight up comparison would - // actually check the contents. -- if pivot.len() != start.len() { -- return Ok((pivot, name)); -+ if pivot != start { -+ Ok((pivot, DNSName { value: name, flags })) -+ } else { -+ Ok((pos, DNSName { value: name, flags })) - } -- return Ok((pos, name)); - } - - /// Parse answer entries. 
-@@ -121,7 +194,7 @@ fn dns_parse_answer<'a>( - let mut input = slice; - - struct Answer<'a> { -- name: Vec, -+ name: DNSName, - rrtype: u16, - rrclass: u16, - ttl: u32, -@@ -375,7 +448,7 @@ mod tests { - ]; - let expected_remainder: &[u8] = &[0x00, 0x01, 0x00]; - let (remainder, name) = dns_parse_name(buf, buf).unwrap(); -- assert_eq!("client-cf.dropbox.com".as_bytes(), &name[..]); -+ assert_eq!("client-cf.dropbox.com".as_bytes(), &name.value[..]); - assert_eq!(remainder, expected_remainder); - } - -@@ -411,7 +484,13 @@ mod tests { - let res1 = dns_parse_name(start1, message); - assert_eq!( - res1, -- Ok((&start1[22..], "www.suricata-ids.org".as_bytes().to_vec())) -+ Ok(( -+ &start1[22..], -+ DNSName { -+ value: "www.suricata-ids.org".as_bytes().to_vec(), -+ flags: DNSNameFlags::default(), -+ } -+ )) - ); - - // The second name starts at offset 80, but is just a pointer -@@ -420,7 +499,13 @@ mod tests { - let res2 = dns_parse_name(start2, message); - assert_eq!( - res2, -- Ok((&start2[2..], "www.suricata-ids.org".as_bytes().to_vec())) -+ Ok(( -+ &start2[2..], -+ DNSName { -+ value: "www.suricata-ids.org".as_bytes().to_vec(), -+ flags: DNSNameFlags::default() -+ } -+ )) - ); - - // The third name starts at offset 94, but is a pointer to a -@@ -429,7 +514,13 @@ mod tests { - let res3 = dns_parse_name(start3, message); - assert_eq!( - res3, -- Ok((&start3[2..], "suricata-ids.org".as_bytes().to_vec())) -+ Ok(( -+ &start3[2..], -+ DNSName { -+ value: "suricata-ids.org".as_bytes().to_vec(), -+ flags: DNSNameFlags::default() -+ } -+ )) - ); - - // The fourth name starts at offset 110, but is a pointer to a -@@ -438,7 +529,13 @@ mod tests { - let res4 = dns_parse_name(start4, message); - assert_eq!( - res4, -- Ok((&start4[2..], "suricata-ids.org".as_bytes().to_vec())) -+ Ok(( -+ &start4[2..], -+ DNSName { -+ value: "suricata-ids.org".as_bytes().to_vec(), -+ flags: DNSNameFlags::default() -+ } -+ )) - ); - } - -@@ -473,7 +570,13 @@ mod tests { - let res = 
dns_parse_name(start, message); - assert_eq!( - res, -- Ok((&start[2..], "block.g1.dropbox.com".as_bytes().to_vec())) -+ Ok(( -+ &start[2..], -+ DNSName { -+ value: "block.g1.dropbox.com".as_bytes().to_vec(), -+ flags: DNSNameFlags::default() -+ } -+ )) - ); - } - -@@ -512,7 +615,7 @@ mod tests { - assert_eq!(request.queries.len(), 1); - - let query = &request.queries[0]; -- assert_eq!(query.name, "www.suricata-ids.org".as_bytes().to_vec()); -+ assert_eq!(query.name.value, "www.suricata-ids.org".as_bytes().to_vec()); - assert_eq!(query.rrtype, 1); - assert_eq!(query.rrclass, 1); - } -@@ -569,20 +672,26 @@ mod tests { - assert_eq!(response.answers.len(), 3); - - let answer1 = &response.answers[0]; -- assert_eq!(answer1.name, "www.suricata-ids.org".as_bytes().to_vec()); -+ assert_eq!(answer1.name.value, "www.suricata-ids.org".as_bytes().to_vec()); - assert_eq!(answer1.rrtype, 5); - assert_eq!(answer1.rrclass, 1); - assert_eq!(answer1.ttl, 3544); - assert_eq!( - answer1.data, -- DNSRData::CNAME("suricata-ids.org".as_bytes().to_vec()) -+ DNSRData::CNAME(DNSName { -+ value: "suricata-ids.org".as_bytes().to_vec(), -+ flags: Default::default(), -+ }) - ); - - let answer2 = &response.answers[1]; - assert_eq!( - answer2, - &DNSAnswerEntry { -- name: "suricata-ids.org".as_bytes().to_vec(), -+ name: DNSName { -+ value: "suricata-ids.org".as_bytes().to_vec(), -+ flags: Default::default(), -+ }, - rrtype: 1, - rrclass: 1, - ttl: 244, -@@ -594,7 +703,10 @@ mod tests { - assert_eq!( - answer3, - &DNSAnswerEntry { -- name: "suricata-ids.org".as_bytes().to_vec(), -+ name: DNSName { -+ value: "suricata-ids.org".as_bytes().to_vec(), -+ flags: Default::default(), -+ }, - rrtype: 1, - rrclass: 1, - ttl: 244, -@@ -653,15 +765,21 @@ mod tests { - assert_eq!(response.authorities.len(), 1); - - let authority = &response.authorities[0]; -- assert_eq!(authority.name, "oisf.net".as_bytes().to_vec()); -+ assert_eq!(authority.name.value, "oisf.net".as_bytes().to_vec()); - 
assert_eq!(authority.rrtype, 6); - assert_eq!(authority.rrclass, 1); - assert_eq!(authority.ttl, 899); - assert_eq!( - authority.data, - DNSRData::SOA(DNSRDataSOA { -- mname: "ns-110.awsdns-13.com".as_bytes().to_vec(), -- rname: "awsdns-hostmaster.amazon.com".as_bytes().to_vec(), -+ mname: DNSName { -+ value: "ns-110.awsdns-13.com".as_bytes().to_vec(), -+ flags: DNSNameFlags::default() -+ }, -+ rname: DNSName { -+ value: "awsdns-hostmaster.amazon.com".as_bytes().to_vec(), -+ flags: DNSNameFlags::default() -+ }, - serial: 1, - refresh: 7200, - retry: 900, -@@ -712,14 +830,14 @@ mod tests { - - assert_eq!(response.queries.len(), 1); - let query = &response.queries[0]; -- assert_eq!(query.name, "vaaaakardli.pirate.sea".as_bytes().to_vec()); -+ assert_eq!(query.name.value, "vaaaakardli.pirate.sea".as_bytes().to_vec()); - assert_eq!(query.rrtype, DNS_RECORD_TYPE_NULL); - assert_eq!(query.rrclass, 1); - - assert_eq!(response.answers.len(), 1); - - let answer = &response.answers[0]; -- assert_eq!(answer.name, "vaaaakardli.pirate.sea".as_bytes().to_vec()); -+ assert_eq!(answer.name.value, "vaaaakardli.pirate.sea".as_bytes().to_vec()); - assert_eq!(answer.rrtype, DNS_RECORD_TYPE_NULL); - assert_eq!(answer.rrclass, 1); - assert_eq!(answer.ttl, 0); -@@ -819,7 +937,7 @@ mod tests { - assert_eq!(srv.weight, 1); - assert_eq!(srv.port, 5060); - assert_eq!( -- srv.target, -+ srv.target.value, - "sip-anycast-2.voice.google.com".as_bytes().to_vec() - ); - } -@@ -834,7 +952,7 @@ mod tests { - assert_eq!(srv.weight, 1); - assert_eq!(srv.port, 5060); - assert_eq!( -- srv.target, -+ srv.target.value, - "sip-anycast-1.voice.google.com".as_bytes().to_vec() - ); - } -@@ -848,4 +966,65 @@ mod tests { - } - } - } -+ -+ #[test] -+ fn test_dns_parse_name_truncated() { -+ // Generate a non-compressed hostname over our maximum of 1024. 
-+ let mut buf: Vec = vec![]; -+ for _ in 0..17 { -+ buf.push(0b0011_1111); -+ for _ in 0..63 { -+ buf.push(b'a'); -+ } -+ } -+ -+ let (rem, name) = dns_parse_name(&buf, &buf).unwrap(); -+ assert_eq!(name.value.len(), MAX_NAME_LEN); -+ assert!(name.flags.contains(DNSNameFlags::TRUNCATED)); -+ assert!(rem.is_empty()); -+ } -+ -+ #[test] -+ fn test_dns_parse_name_truncated_max_segments_no_pointer() { -+ let mut buf: Vec = vec![]; -+ for _ in 0..256 { -+ buf.push(0b0000_0001); -+ buf.push(b'a'); -+ } -+ -+ // This should fail as we've hit the segment limit without a -+ // pointer, we'd need to keep parsing more segments to figure -+ // out where the next data point lies. -+ assert!(dns_parse_name(&buf, &buf).is_err()); -+ } -+ -+ #[test] -+ fn test_dns_parse_name_truncated_max_segments_with_pointer() { -+ let mut buf: Vec = vec![]; -+ -+ // "a" at the beginning of the buffer. -+ buf.push(0b0000_0001); -+ buf.push(b'a'); -+ -+ // Followed by a pointer back to the beginning. -+ buf.push(0b1100_0000); -+ buf.push(0b0000_0000); -+ -+ // The start of the name, which is pointer to the beginning of -+ // the buffer. -+ buf.push(0b1100_0000); -+ buf.push(0b000_0000); -+ -+ let (_rem, name) = dns_parse_name(&buf[4..], &buf).unwrap(); -+ assert_eq!(name.value.len(), 255); -+ assert!(name.flags.contains(DNSNameFlags::TRUNCATED)); -+ } -+ -+ #[test] -+ fn test_dns_parse_name_self_reference() { -+ let mut buf = vec![]; -+ buf.push(0b1100_0000); -+ buf.push(0b0000_0000); -+ assert!(dns_parse_name(&buf, &buf).is_err()); -+ } - } --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-55628-002.patch b/recipes-ids/suricata/files/CVE-2024-55628-002.patch deleted file mode 100644 index 7bade5d..0000000 --- a/recipes-ids/suricata/files/CVE-2024-55628-002.patch +++ /dev/null 
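Review bot: the commit message should name the Suricata version that already contains this DNS name-parsing change, because the deleted file that ends at the `2.50.1` signature line takes the `DNSNameFlags` handling in `dns_parse_name` (the `INFINITE_LOOP`, `LABEL_LIMIT` and `TRUNCATED` paths) and its four regression tests (`test_dns_parse_name_truncated`, the two `max_segments` cases and `test_dns_parse_name_self_reference`) out of the recipe's patch set. Please also confirm that the matching `file://` entry leaves `SRC_URI` in the same commit, so the fetch does not reference a file that is no longer there. When comparing against the replacement source, two details of the removed code are worth checking. The self-reference test `if &message[offset..] == pos` compares slice length and contents rather than positions, so it only identifies a pointer to itself when `pos` runs to the end of `message`. The final `if pivot != start` sits directly under a retained comment saying that a straight comparison would check the contents, which is what the new condition does.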
@@ -1,4877 +0,0 @@ -From 284ad462fcb2e47f1518a1abc19e27ca84c6972e Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Thu, 12 May 2022 20:31:25 +0200 -Subject: [PATCH] output: adds schema.json - -Ticket: #1369 - -CVE: CVE-2024-55628 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/284ad462fcb2e47f1518a1abc19e27ca84c6972e] -Signed-off-by: Hitendra Prajapati ---- - etc/schema.json | 4853 +++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 4853 insertions(+) - create mode 100644 etc/schema.json - -diff --git a/etc/schema.json b/etc/schema.json -new file mode 100644 -index 0000000..99f419f ---- /dev/null -+++ b/etc/schema.json -@@ -0,0 +1,4853 @@ -+{ -+ "type": "object", -+ "properties": { -+ "app_proto": { -+ "type": "string", -+ "optional": true -+ }, -+ "app_proto_expected": { -+ "type": "string" -+ }, -+ "app_proto_orig": { -+ "type": "string" -+ }, -+ "app_proto_tc": { -+ "type": "string" -+ }, -+ "app_proto_ts": { -+ "type": "string" -+ }, -+ "community_id": { -+ "type": "string" -+ }, -+ "dest_ip": { -+ "type": "string", -+ "optional": true -+ }, -+ "dest_port": { -+ "type": "integer", -+ "optional": true -+ }, -+ "event_type": { -+ "type": "string", -+ "optional": false -+ }, -+ "flow_id": { -+ "type": "integer", -+ "optional": true -+ }, -+ "icmp_code": { -+ "type": "integer" -+ }, -+ "icmp_type": { -+ "type": "integer" -+ }, -+ "log_level": { -+ "type": "string" -+ }, -+ "packet": { -+ "type": "string" -+ }, -+ "parent_id": { -+ "type": "integer" -+ }, -+ "payload": { -+ "type": "string" -+ }, -+ "payload_printable": { -+ "type": "string" -+ }, -+ "pcap_cnt": { -+ "type": "integer", -+ "optional": true -+ }, -+ "pkt_src": { -+ "type": "string" -+ }, -+ "proto": { -+ "type": "string", -+ "optional": true -+ }, -+ "response_icmp_code": { -+ "type": "integer" -+ }, -+ "response_icmp_type": { -+ "type": "integer" -+ }, -+ "spi": { -+ "type": "integer" -+ }, -+ "src_ip": { -+ "type": "string", -+ "optional": true -+ }, -+ 
"src_port": { -+ "type": "integer", -+ "optional": true -+ }, -+ "stream": { -+ "type": "integer" -+ }, -+ "timestamp": { -+ "type": "string", -+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$", -+ "optional": false -+ }, -+ "tx_id": { -+ "type": "integer", -+ "optional": true -+ }, -+ "files": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "end": { -+ "type": "integer" -+ }, -+ "filename": { -+ "type": "string" -+ }, -+ "gaps": { -+ "type": "boolean" -+ }, -+ "md5": { -+ "type": "string" -+ }, -+ "sha1": { -+ "type": "string" -+ }, -+ "sha256": { -+ "type": "string" -+ }, -+ "size": { -+ "type": "integer" -+ }, -+ "start": { -+ "type": "integer" -+ }, -+ "state": { -+ "type": "string" -+ }, -+ "stored": { -+ "type": "boolean" -+ }, -+ "tx_id": { -+ "type": "integer" -+ }, -+ "sid": { -+ "type": "array", -+ "items": { -+ "type": "integer" -+ } -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "vlan": { -+ "type": "array", -+ "items": { -+ "type": "number" -+ } -+ }, -+ "alert": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "action": { -+ "type": "string" -+ }, -+ "category": { -+ "type": "string" -+ }, -+ "gid": { -+ "type": "integer" -+ }, -+ "rev": { -+ "type": "integer" -+ }, -+ "rule": { -+ "type": "string" -+ }, -+ "severity": { -+ "type": "integer" -+ }, -+ "signature": { -+ "type": "string" -+ }, -+ "signature_id": { -+ "type": "integer" -+ }, -+ "xff": { -+ "type": "string" -+ }, -+ "metadata": { -+ "type": "object", -+ "properties": { -+ "affected_product": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "attack_target": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "created_at": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "deployment": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "signature_severity": { -+ "type": "array", -+ "items": { -+ "type": 
"string" -+ } -+ }, -+ "tag": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "updated_at": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "source": { -+ "type": "object", -+ "properties": { -+ "ip": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "target": { -+ "type": "object", -+ "properties": { -+ "ip": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "anomaly": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "app_proto": { -+ "type": "string" -+ }, -+ "event": { -+ "type": "string" -+ }, -+ "layer": { -+ "type": "string" -+ }, -+ "type": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "dcerpc": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "activityuuid": { -+ "type": "string" -+ }, -+ "call_id": { -+ "type": "integer" -+ }, -+ "request": { -+ "type": "string" -+ }, -+ "response": { -+ "type": "string" -+ }, -+ "rpc_version": { -+ "type": "string" -+ }, -+ "seqnum": { -+ "type": "integer" -+ }, -+ "interfaces": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "ack_result": { -+ "type": "integer" -+ }, -+ "uuid": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "req": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "frag_cnt": { -+ "type": "integer" -+ }, -+ "opnum": { -+ "type": "integer" -+ }, -+ "stub_data_size": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "res": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "frag_cnt": { -+ "type": "integer" -+ }, -+ "stub_data_size": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "dhcp": { -+ "type": "object", -+ "optional": true, -+ 
"properties": { -+ "assigned_ip": { -+ "type": "string" -+ }, -+ "client_id": { -+ "type": "string" -+ }, -+ "client_ip": { -+ "type": "string" -+ }, -+ "client_mac": { -+ "type": "string" -+ }, -+ "dhcp_type": { -+ "type": "string" -+ }, -+ "hostname": { -+ "type": "string" -+ }, -+ "id": { -+ "type": "integer" -+ }, -+ "lease_time": { -+ "type": "integer" -+ }, -+ "next_server_ip": { -+ "type": "string" -+ }, -+ "rebinding_time": { -+ "type": "integer" -+ }, -+ "relay_ip": { -+ "type": "string" -+ }, -+ "renewal_time": { -+ "type": "integer" -+ }, -+ "subnet_mask": { -+ "type": "string" -+ }, -+ "type": { -+ "type": "string" -+ }, -+ "dns_servers": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "params": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "routers": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "dnp3": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "dst": { -+ "type": "integer" -+ }, -+ "src": { -+ "type": "integer" -+ }, -+ "type": { -+ "type": "string" -+ }, -+ "application": { -+ "type": "object", -+ "properties": { -+ "complete": { -+ "type": "boolean" -+ }, -+ "function_code": { -+ "type": "integer" -+ }, -+ "objects": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "count": { -+ "type": "integer" -+ }, -+ "group": { -+ "type": "integer" -+ }, -+ "prefix_code": { -+ "type": "integer" -+ }, -+ "qualifier": { -+ "type": "integer" -+ }, -+ "range_code": { -+ "type": "integer" -+ }, -+ "start": { -+ "type": "integer" -+ }, -+ "stop": { -+ "type": "integer" -+ }, -+ "variation": { -+ "type": "integer" -+ }, -+ "points": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "additionalProperties": true -+ } -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "control": { -+ "type": "object", -+ "properties": { -+ "con": { -+ "type": "boolean" -+ }, -+ "fin": { -+ "type": 
"boolean" -+ }, -+ "fir": { -+ "type": "boolean" -+ }, -+ "sequence": { -+ "type": "integer" -+ }, -+ "uns": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "control": { -+ "type": "object", -+ "properties": { -+ "dir": { -+ "type": "boolean" -+ }, -+ "fcb": { -+ "type": "boolean" -+ }, -+ "fcv": { -+ "type": "boolean" -+ }, -+ "function_code": { -+ "type": "integer" -+ }, -+ "pri": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "iin": { -+ "type": "object", -+ "properties": { -+ "indicators": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "request": { -+ "type": "object", -+ "properties": { -+ "dst": { -+ "type": "integer" -+ }, -+ "src": { -+ "type": "integer" -+ }, -+ "type": { -+ "type": "string" -+ }, -+ "application": { -+ "type": "object", -+ "properties": { -+ "complete": { -+ "type": "boolean" -+ }, -+ "function_code": { -+ "type": "integer" -+ }, -+ "objects": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "count": { -+ "type": "integer" -+ }, -+ "group": { -+ "type": "integer" -+ }, -+ "prefix_code": { -+ "type": "integer" -+ }, -+ "qualifier": { -+ "type": "integer" -+ }, -+ "range_code": { -+ "type": "integer" -+ }, -+ "start": { -+ "type": "integer" -+ }, -+ "stop": { -+ "type": "integer" -+ }, -+ "variation": { -+ "type": "integer" -+ }, -+ "points": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "additionalProperties": true -+ } -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "control": { -+ "type": "object", -+ "properties": { -+ "con": { -+ "type": "boolean" -+ }, -+ "fin": { -+ "type": "boolean" -+ }, -+ "fir": { -+ "type": "boolean" -+ }, -+ "sequence": { -+ "type": "integer" -+ }, -+ "uns": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "control": { -+ 
"type": "object", -+ "properties": { -+ "dir": { -+ "type": "boolean" -+ }, -+ "fcb": { -+ "type": "boolean" -+ }, -+ "fcv": { -+ "type": "boolean" -+ }, -+ "function_code": { -+ "type": "integer" -+ }, -+ "pri": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "response": { -+ "type": "object", -+ "properties": { -+ "dst": { -+ "type": "integer" -+ }, -+ "src": { -+ "type": "integer" -+ }, -+ "type": { -+ "type": "string" -+ }, -+ "application": { -+ "type": "object", -+ "properties": { -+ "complete": { -+ "type": "boolean" -+ }, -+ "function_code": { -+ "type": "integer" -+ }, -+ "objects": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "count": { -+ "type": "integer" -+ }, -+ "group": { -+ "type": "integer" -+ }, -+ "prefix_code": { -+ "type": "integer" -+ }, -+ "qualifier": { -+ "type": "integer" -+ }, -+ "range_code": { -+ "type": "integer" -+ }, -+ "start": { -+ "type": "integer" -+ }, -+ "stop": { -+ "type": "integer" -+ }, -+ "variation": { -+ "type": "integer" -+ }, -+ "points": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "additionalProperties": true -+ } -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "control": { -+ "type": "object", -+ "properties": { -+ "con": { -+ "type": "boolean" -+ }, -+ "fin": { -+ "type": "boolean" -+ }, -+ "fir": { -+ "type": "boolean" -+ }, -+ "sequence": { -+ "type": "integer" -+ }, -+ "uns": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "control": { -+ "type": "object", -+ "properties": { -+ "dir": { -+ "type": "boolean" -+ }, -+ "fcb": { -+ "type": "boolean" -+ }, -+ "fcv": { -+ "type": "boolean" -+ }, -+ "function_code": { -+ "type": "integer" -+ }, -+ "pri": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "iin": { -+ "type": "object", -+ "properties": { -+ "indicators": { -+ "type": "array", -+ 
"items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "dns": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "aa": { -+ "type": "boolean" -+ }, -+ "flags": { -+ "type": "string" -+ }, -+ "id": { -+ "type": "integer" -+ }, -+ "qr": { -+ "type": "boolean" -+ }, -+ "ra": { -+ "type": "boolean" -+ }, -+ "rcode": { -+ "type": "string" -+ }, -+ "rd": { -+ "type": "boolean" -+ }, -+ "rrname": { -+ "type": "string" -+ }, -+ "rrtype": { -+ "type": "string" -+ }, -+ "tx_id": { -+ "type": "integer" -+ }, -+ "type": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "integer" -+ }, -+ "answers": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "rdata": { -+ "type": "string" -+ }, -+ "rrname": { -+ "type": "string" -+ }, -+ "rrtype": { -+ "type": "string" -+ }, -+ "ttl": { -+ "type": "integer" -+ }, -+ "srv": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "name": { -+ "type": "string" -+ }, -+ "port": { -+ "type": "integer" -+ }, -+ "priority": { -+ "type": "integer" -+ }, -+ "weight": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "authorities": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "rdata": { -+ "type": "string" -+ }, -+ "rrname": { -+ "type": "string" -+ }, -+ "rrtype": { -+ "type": "string" -+ }, -+ "ttl": { -+ "type": "integer" -+ }, -+ "soa": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "expire": { -+ "type": "integer" -+ }, -+ "minimum": { -+ "type": "integer" -+ }, -+ "mname": { -+ "type": "string" -+ }, -+ "refresh": { -+ "type": "integer" -+ }, -+ "retry": { -+ "type": "integer" -+ }, -+ "rname": { -+ "type": "string" -+ }, -+ "serial": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": 
false -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "query": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "id": { -+ "type": "integer" -+ }, -+ "rrname": { -+ "type": "string" -+ }, -+ "rrtype": { -+ "type": "string" -+ }, -+ "tx_id": { -+ "type": "integer" -+ }, -+ "type": { -+ "type": "string" -+ }, -+ "z": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "answer": { -+ "type": "object", -+ "properties": { -+ "flags": { -+ "type": "string" -+ }, -+ "id": { -+ "type": "integer" -+ }, -+ "qr": { -+ "type": "boolean" -+ }, -+ "ra": { -+ "type": "boolean" -+ }, -+ "rcode": { -+ "type": "string" -+ }, -+ "rd": { -+ "type": "boolean" -+ }, -+ "rrname": { -+ "type": "string" -+ }, -+ "rrtype": { -+ "type": "string" -+ }, -+ "type": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "grouped": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "A": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "AAAA": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "CNAME": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "MX": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "NULL": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "PTR": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "SRV": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "name": { -+ "type": "string" -+ }, -+ "port": { -+ "type": "integer" -+ }, -+ "priority": { -+ "type": "integer" -+ }, -+ "weight": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "TXT": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "z": { -+ "type": "boolean" -+ } -+ }, -+ 
"additionalProperties": false -+ }, -+ "drop": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "ack": { -+ "type": "boolean" -+ }, -+ "fin": { -+ "type": "boolean" -+ }, -+ "icmp_id": { -+ "type": "integer" -+ }, -+ "icmp_seq": { -+ "type": "integer" -+ }, -+ "ipid": { -+ "type": "integer" -+ }, -+ "len": { -+ "type": "integer" -+ }, -+ "psh": { -+ "type": "boolean" -+ }, -+ "rst": { -+ "type": "boolean" -+ }, -+ "syn": { -+ "type": "boolean" -+ }, -+ "tcpack": { -+ "type": "integer" -+ }, -+ "tcpres": { -+ "type": "integer" -+ }, -+ "tcpseq": { -+ "type": "integer" -+ }, -+ "tcpurgp": { -+ "type": "integer" -+ }, -+ "tcpwin": { -+ "type": "integer" -+ }, -+ "tos": { -+ "type": "integer" -+ }, -+ "ttl": { -+ "type": "integer" -+ }, -+ "urg": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "email": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "body_md5": { -+ "type": "string" -+ }, -+ "from": { -+ "type": "string" -+ }, -+ "status": { -+ "type": "string" -+ }, -+ "subject": { -+ "type": "string" -+ }, -+ "subject_md5": { -+ "type": "string" -+ }, -+ "url": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "attachment": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "to": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "engine": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "error": { -+ "type": "string" -+ }, -+ "error_code": { -+ "type": "integer" -+ }, -+ "message": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ether": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "dest_mac": { -+ "type": "string" -+ }, -+ "src_mac": { -+ "type": "string" -+ }, -+ "dest_macs": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "src_macs": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ 
"additionalProperties": false -+ }, -+ "fileinfo": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "end": { -+ "type": "integer" -+ }, -+ "file_id": { -+ "type": "integer" -+ }, -+ "filename": { -+ "type": "string" -+ }, -+ "gaps": { -+ "type": "boolean" -+ }, -+ "magic": { -+ "type": "string" -+ }, -+ "md5": { -+ "type": "string" -+ }, -+ "sha1": { -+ "type": "string" -+ }, -+ "sha256": { -+ "type": "string" -+ }, -+ "size": { -+ "type": "integer" -+ }, -+ "start": { -+ "type": "integer" -+ }, -+ "state": { -+ "type": "string" -+ }, -+ "stored": { -+ "type": "boolean" -+ }, -+ "tx_id": { -+ "type": "integer" -+ }, -+ "sid": { -+ "type": "array", -+ "items": { -+ "type": "integer" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "flow": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "action": { -+ "type": "string" -+ }, -+ "age": { -+ "type": "integer" -+ }, -+ "alerted": { -+ "type": "boolean" -+ }, -+ "bypass": { -+ "type": "string" -+ }, -+ "bypassed": { -+ "type": "object", -+ "optional": false, -+ "properties": { -+ "pkts_toserver": { -+ "type": "integer" -+ }, -+ "pkts_toclient": { -+ "type": "integer" -+ }, -+ "bytes_toserver": { -+ "type": "integer" -+ }, -+ "bytes_toclient": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperites": false -+ }, -+ "bytes_toclient": { -+ "type": "integer" -+ }, -+ "bytes_toserver": { -+ "type": "integer" -+ }, -+ "end": { -+ "type": "string" -+ }, -+ "pkts_toclient": { -+ "type": "integer" -+ }, -+ "pkts_toserver": { -+ "type": "integer" -+ }, -+ "reason": { -+ "type": "string" -+ }, -+ "start": { -+ "type": "string" -+ }, -+ "state": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "frame": { -+ "type": "object", -+ "properties": { -+ "type": { -+ "type": "string" -+ }, -+ "id": { -+ "type": "integer" -+ }, -+ "direction": { -+ "type": "string" -+ }, -+ "stream_offset": { -+ "type": "integer" -+ }, -+ "length": { -+ "type": "integer" -+ }, -+ 
"complete": { -+ "type": "boolean" -+ }, -+ "payload": { -+ "type": "string" -+ }, -+ "payload_printable": { -+ "type": "string" -+ }, -+ "tx_id": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ftp": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "command": { -+ "type": "string" -+ }, -+ "command_data": { -+ "type": "string" -+ }, -+ "command_truncated": { -+ "type": "boolean" -+ }, -+ "dynamic_port": { -+ "type": "integer" -+ }, -+ "mode": { -+ "type": "string" -+ }, -+ "reply_received": { -+ "type": "string" -+ }, -+ "reply_truncated": { -+ "type": "boolean" -+ }, -+ "completion_code": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "reply": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ftp_data": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "command": { -+ "type": "string" -+ }, -+ "filename": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "http": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "hostname": { -+ "type": "string" -+ }, -+ "http_content_type": { -+ "type": "string" -+ }, -+ "http_method": { -+ "type": "string" -+ }, -+ "http_port": { -+ "type": "integer" -+ }, -+ "http_refer": { -+ "type": "string" -+ }, -+ "http_user_agent": { -+ "type": "string" -+ }, -+ "length": { -+ "type": "integer" -+ }, -+ "protocol": { -+ "type": "string" -+ }, -+ "redirect": { -+ "type": "string" -+ }, -+ "status": { -+ "type": "integer" -+ }, -+ "url": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "string" -+ }, -+ "xff": { -+ "type": "string" -+ }, -+ "request_headers": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "name": { -+ "type": "string" -+ }, -+ "table_size_update": { -+ "type": "integer" -+ }, -+ "value": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "response_headers": { -+ "type": 
"array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "name": { -+ "type": "string" -+ }, -+ "table_size_update": { -+ "type": "integer" -+ }, -+ "value": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "content_range": { -+ "type": "object", -+ "properties": { -+ "end": { -+ "type": "integer" -+ }, -+ "raw": { -+ "type": "string" -+ }, -+ "size": { -+ "type": "integer" -+ }, -+ "start": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "http2": { -+ "type": "object", -+ "properties": { -+ "stream_id": { -+ "type": "integer" -+ }, -+ "request": { -+ "type": "object", -+ "properties": { -+ "error_code": { -+ "type": "string" -+ }, -+ "priority": { -+ "type": "integer" -+ }, -+ "settings": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "settings_id": { -+ "type": "string" -+ }, -+ "settings_value": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "response": { -+ "type": "object", -+ "properties": { -+ "error_code": { -+ "type": "string" -+ }, -+ "settings": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "settings_id": { -+ "type": "string" -+ }, -+ "settings_value": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "http2": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "http_method": { -+ "type": "string" -+ }, -+ "http_user_agent": { -+ "type": "string" -+ }, -+ "length": { -+ "type": "integer" -+ }, -+ "status": { -+ "type": "integer" -+ }, -+ "url": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "string" -+ }, -+ "request_headers": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "name": { -+ "type": "string" -+ }, -+ "table_size_update": { 
-+ "type": "integer" -+ }, -+ "value": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "response_headers": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "name": { -+ "type": "string" -+ }, -+ "table_size_update": { -+ "type": "integer" -+ }, -+ "value": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "http2": { -+ "type": "object", -+ "properties": { -+ "stream_id": { -+ "type": "integer" -+ }, -+ "request": { -+ "type": "object", -+ "properties": { -+ "priority": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "response": { -+ "type": "object", -+ "properties": { -+ "error_code": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ike": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "alg_auth": { -+ "type": "string" -+ }, -+ "alg_auth_raw": { -+ "type": "integer" -+ }, -+ "alg_dh": { -+ "type": "string" -+ }, -+ "alg_dh_raw": { -+ "type": "integer" -+ }, -+ "alg_enc": { -+ "type": "string" -+ }, -+ "alg_enc_raw": { -+ "type": "integer" -+ }, -+ "alg_hash": { -+ "type": "string" -+ }, -+ "alg_hash_raw": { -+ "type": "integer" -+ }, -+ "exchange_type": { -+ "type": "integer" -+ }, -+ "exchange_type_verbose": { -+ "type": "string" -+ }, -+ "init_spi": { -+ "type": "string" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "resp_spi": { -+ "type": "string" -+ }, -+ "role": { -+ "type": "string" -+ }, -+ "sa_key_length": { -+ "type": "string" -+ }, -+ "sa_key_length_raw": { -+ "type": "integer" -+ }, -+ "sa_life_duration": { -+ "type": "string" -+ }, -+ "sa_life_duration_raw": { -+ "type": "integer" -+ }, -+ "sa_life_type": { -+ "type": "string" -+ }, -+ "sa_life_type_raw": { -+ "type": "integer" -+ }, -+ "version_major": { -+ "type": "integer" -+ }, -+ "version_minor": { -+ "type": "integer" -+ }, -+ "payload": 
{ -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "ikev1": { -+ "type": "object", -+ "properties": { -+ "doi": { -+ "type": "integer" -+ }, -+ "encrypted_payloads": { -+ "type": "boolean" -+ }, -+ "vendor_ids": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "client": { -+ "type": "object", -+ "properties": { -+ "key_exchange_payload": { -+ "type": "string" -+ }, -+ "key_exchange_payload_length": { -+ "type": "integer" -+ }, -+ "nonce_payload": { -+ "type": "string" -+ }, -+ "nonce_payload_length": { -+ "type": "integer" -+ }, -+ "proposals": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "alg_auth": { -+ "type": "string" -+ }, -+ "alg_auth_raw": { -+ "type": "integer" -+ }, -+ "alg_dh": { -+ "type": "string" -+ }, -+ "alg_dh_raw": { -+ "type": "integer" -+ }, -+ "alg_enc": { -+ "type": "string" -+ }, -+ "alg_enc_raw": { -+ "type": "integer" -+ }, -+ "alg_hash": { -+ "type": "string" -+ }, -+ "alg_hash_raw": { -+ "type": "integer" -+ }, -+ "sa_key_length": { -+ "type": "string" -+ }, -+ "sa_key_length_raw": { -+ "type": "integer" -+ }, -+ "sa_life_duration": { -+ "type": "string" -+ }, -+ "sa_life_duration_raw": { -+ "type": "integer" -+ }, -+ "sa_life_type": { -+ "type": "string" -+ }, -+ "sa_life_type_raw": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "server": { -+ "type": "object", -+ "properties": { -+ "key_exchange_payload": { -+ "type": "string" -+ }, -+ "key_exchange_payload_length": { -+ "type": "integer" -+ }, -+ "nonce_payload": { -+ "type": "string" -+ }, -+ "nonce_payload_length": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ikev2": { -+ "type": "object", -+ "properties": { -+ "errors": { -+ "type": "integer" -+ }, -+ "notify": { -+ "type": "array" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ 
"additionalProperties": false -+ }, -+ "krb5": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "cname": { -+ "type": "string" -+ }, -+ "encryption": { -+ "type": "string" -+ }, -+ "error_code": { -+ "type": "string" -+ }, -+ "failed_request": { -+ "type": "string" -+ }, -+ "msg_type": { -+ "type": "string" -+ }, -+ "realm": { -+ "type": "string" -+ }, -+ "sname": { -+ "type": "string" -+ }, -+ "weak_encryption": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "metadata": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "flowbits": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "flowvars": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "gid": { -+ "type": "string" -+ }, -+ "key": { -+ "type": "string" -+ }, -+ "value": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": true -+ } -+ }, -+ "pktvars": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "uid": { -+ "type": "string" -+ }, -+ "username": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "flowints": { -+ "type": "object", -+ "additionalProperties": true -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "modbus": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "id": { -+ "type": "integer" -+ }, -+ "request": { -+ "type": "object", -+ "properties": { -+ "access_type": { -+ "type": "string" -+ }, -+ "category": { -+ "type": "string" -+ }, -+ "data": { -+ "type": "string" -+ }, -+ "error_flags": { -+ "type": "string" -+ }, -+ "function_code": { -+ "type": "string" -+ }, -+ "function_raw": { -+ "type": "integer" -+ }, -+ "protocol_id": { -+ "type": "integer" -+ }, -+ "transaction_id": { -+ "type": "integer" -+ }, -+ "unit_id": { -+ "type": "integer" -+ }, -+ "diagnostic": { -+ "type": "object", -+ "properties": { -+ "code": { -+ "type": "string" -+ }, -+ "data": { -+ "type": "string" -+ }, -+ "raw": { -+ 
"type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "mei": { -+ "type": "object", -+ "properties": { -+ "code": { -+ "type": "string" -+ }, -+ "data": { -+ "type": "string" -+ }, -+ "raw": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "read": { -+ "type": "object", -+ "properties": { -+ "address": { -+ "type": "integer" -+ }, -+ "quantity": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "write": { -+ "type": "object", -+ "properties": { -+ "address": { -+ "type": "integer" -+ }, -+ "data": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "response": { -+ "type": "object", -+ "properties": { -+ "access_type": { -+ "type": "string" -+ }, -+ "category": { -+ "type": "string" -+ }, -+ "data": { -+ "type": "string" -+ }, -+ "error_flags": { -+ "type": "string" -+ }, -+ "function_code": { -+ "type": "string" -+ }, -+ "function_raw": { -+ "type": "integer" -+ }, -+ "protocol_id": { -+ "type": "integer" -+ }, -+ "transaction_id": { -+ "type": "integer" -+ }, -+ "unit_id": { -+ "type": "integer" -+ }, -+ "diagnostic": { -+ "type": "object", -+ "properties": { -+ "code": { -+ "type": "string" -+ }, -+ "data": { -+ "type": "string" -+ }, -+ "raw": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "exception": { -+ "type": "object", -+ "properties": { -+ "code": { -+ "type": "string" -+ }, -+ "raw": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "read": { -+ "type": "object", -+ "properties": { -+ "data": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "write": { -+ "type": "object", -+ "properties": { -+ "address": { -+ "type": "integer" -+ }, -+ "data": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "mqtt": { -+ "type": "object", -+ 
"optional": true, -+ "properties": { -+ "connack": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ }, -+ "return_code": { -+ "type": "integer" -+ }, -+ "session_present": { -+ "type": "boolean" -+ }, -+ "properties": { -+ "type": "object", -+ "additionalProperties": true -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "connect": { -+ "type": "object", -+ "properties": { -+ "client_id": { -+ "type": "string" -+ }, -+ "dup": { -+ "type": "boolean" -+ }, -+ "password": { -+ "type": "string" -+ }, -+ "protocol_string": { -+ "type": "string" -+ }, -+ "protocol_version": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ }, -+ "username": { -+ "type": "string" -+ }, -+ "flags": { -+ "type": "object", -+ "properties": { -+ "clean_session": { -+ "type": "boolean" -+ }, -+ "password": { -+ "type": "boolean" -+ }, -+ "username": { -+ "type": "boolean" -+ }, -+ "will": { -+ "type": "boolean" -+ }, -+ "will_retain": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "properties": { -+ "type": "object", -+ "additionalProperties": true -+ }, -+ "will": { -+ "type": "object", -+ "properties": { -+ "message": { -+ "type": "string" -+ }, -+ "topic": { -+ "type": "string" -+ }, -+ "properties": { -+ "type": "object", -+ "additionalProperties": true -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "disconnect": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "reason_code": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ }, -+ "properties": { -+ "type": "object", -+ "additionalProperties": true -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "pingreq": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "qos": { -+ 
"type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "pingresp": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "puback": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "reason_code": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "pubcomp": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "reason_code": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "publish": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message": { -+ "type": "string" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ }, -+ "skipped_length": { -+ "type": "integer" -+ }, -+ "topic": { -+ "type": "string" -+ }, -+ "truncated": { -+ "type": "boolean" -+ }, -+ "properties": { -+ "type": "object", -+ "additionalProperties": true -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "pubrec": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "reason_code": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "pubrel": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "reason_code": { -+ "type": 
"integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "suback": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ }, -+ "qos_granted": { -+ "type": "array", -+ "items": { -+ "type": "integer" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "subscribe": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ }, -+ "topics": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "qos": { -+ "type": "integer" -+ }, -+ "topic": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "unsuback": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ }, -+ "reason_codes": { -+ "type": "array", -+ "items": { -+ "type": "integer" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "unsubscribe": { -+ "type": "object", -+ "properties": { -+ "dup": { -+ "type": "boolean" -+ }, -+ "message_id": { -+ "type": "integer" -+ }, -+ "qos": { -+ "type": "integer" -+ }, -+ "retain": { -+ "type": "boolean" -+ }, -+ "topics": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "netflow": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "age": { -+ "type": "integer" -+ }, -+ "bytes": { -+ "type": "integer" -+ }, -+ "end": { -+ "type": "string" -+ }, -+ "max_ttl": { -+ "type": "integer" -+ }, -+ "min_ttl": { -+ "type": "integer" -+ }, -+ "pkts": { -+ "type": 
"integer" -+ }, -+ "start": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "nfs": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "file_tx": { -+ "type": "boolean" -+ }, -+ "filename": { -+ "type": "string" -+ }, -+ "hhash": { -+ "type": "string" -+ }, -+ "id": { -+ "type": "integer" -+ }, -+ "procedure": { -+ "type": "string" -+ }, -+ "status": { -+ "type": "string" -+ }, -+ "type": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "integer" -+ }, -+ "read": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "chunks": { -+ "type": "integer" -+ }, -+ "first": { -+ "type": "boolean" -+ }, -+ "last": { -+ "type": "boolean" -+ }, -+ "last_xid": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "rename": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "from": { -+ "type": "string" -+ }, -+ "to": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "write": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "chunks": { -+ "type": "integer" -+ }, -+ "first": { -+ "type": "boolean" -+ }, -+ "last": { -+ "type": "boolean" -+ }, -+ "last_xid": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "packet_info": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "linktype": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "pgsql": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "request": { -+ "type": "object", -+ "properties": { -+ "message": { -+ "type": "string" -+ }, -+ "password": { -+ "type": "string" -+ }, -+ "password_message": { -+ "type": "string" -+ }, -+ "protocol_version": { -+ "type": "string" -+ }, -+ "sasl_authentication_mechanism": { -+ "type": "string" -+ }, -+ "sasl_param": { -+ "type": "string" -+ }, -+ "sasl_response": { -+ "type": "string" -+ }, -+ "simple_query": { -+ "type": "string" 
-+ }, -+ "startup_parameters": { -+ "type": "object", -+ "properties": { -+ "database": { -+ "type": "string" -+ }, -+ "optional_parameters": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "application_name": { -+ "type": "string" -+ }, -+ "client_encoding": { -+ "type": "string" -+ }, -+ "replication": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "user": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "response": { -+ "type": "object", -+ "properties": { -+ "authentication_md5_password": { -+ "type": "string" -+ }, -+ "authentication_sasl_final": { -+ "type": "string" -+ }, -+ "code": { -+ "type": "string" -+ }, -+ "command_completed": { -+ "type": "string" -+ }, -+ "data_rows": { -+ "type": "integer" -+ }, -+ "data_size": { -+ "type": "integer" -+ }, -+ "field_count": { -+ "type": "integer" -+ }, -+ "file": { -+ "type": "string" -+ }, -+ "line": { -+ "type": "string" -+ }, -+ "message": { -+ "type": "string" -+ }, -+ "parameter_status": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "application_name": { -+ "type": "string" -+ }, -+ "client_encoding": { -+ "type": "string" -+ }, -+ "date_style": { -+ "type": "string" -+ }, -+ "integer_datetimes": { -+ "type": "string" -+ }, -+ "interval_style": { -+ "type": "string" -+ }, -+ "is_superuser": { -+ "type": "string" -+ }, -+ "server_encoding": { -+ "type": "string" -+ }, -+ "server_version": { -+ "type": "string" -+ }, -+ "session_authorization": { -+ "type": "string" -+ }, -+ "standard_conforming_strings": { -+ "type": "string" -+ }, -+ "time_zone": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "process_id": { -+ "type": "integer" -+ }, -+ "routine": { -+ "type": "string" -+ }, -+ "secret_key": { -+ "type": "integer" -+ }, -+ "severity_localizable": { -+ "type": "string" -+ }, -+ "severity_non_localizable": { -+ 
"type": "string" -+ }, -+ "ssl_accepted": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "tx_id": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "quic": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "cyu": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "properties": { -+ "hash": { -+ "type": "string" -+ }, -+ "string": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "sni": { -+ "type": "string" -+ }, -+ "ua": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "rdp": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "cookie": { -+ "type": "string" -+ }, -+ "event_type": { -+ "type": "string" -+ }, -+ "tx_id": { -+ "type": "integer" -+ }, -+ "channels": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "client": { -+ "type": "object", -+ "properties": { -+ "build": { -+ "type": "string" -+ }, -+ "client_name": { -+ "type": "string" -+ }, -+ "color_depth": { -+ "type": "integer" -+ }, -+ "desktop_height": { -+ "type": "integer" -+ }, -+ "desktop_width": { -+ "type": "integer" -+ }, -+ "function_keys": { -+ "type": "integer" -+ }, -+ "id": { -+ "type": "string" -+ }, -+ "keyboard_layout": { -+ "type": "string" -+ }, -+ "keyboard_type": { -+ "type": "string" -+ }, -+ "product_id": { -+ "type": "integer" -+ }, -+ "version": { -+ "type": "string" -+ }, -+ "capabilities": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "rfb": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "screen_shared": { -+ "type": "boolean" -+ }, -+ "authentication": { -+ "type": "object", -+ "properties": { -+ "security_result": { -+ "type": "string" -+ }, -+ "security_type": { -+ "type": "integer" -+ }, -+ "vnc": { -+ "type": "object", -+ "properties": 
{ -+ "challenge": { -+ "type": "string" -+ }, -+ "response": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "client_protocol_version": { -+ "type": "object", -+ "properties": { -+ "major": { -+ "type": "string" -+ }, -+ "minor": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "framebuffer": { -+ "type": "object", -+ "properties": { -+ "height": { -+ "type": "integer" -+ }, -+ "name": { -+ "type": "string" -+ }, -+ "width": { -+ "type": "integer" -+ }, -+ "pixel_format": { -+ "type": "object", -+ "properties": { -+ "big_endian": { -+ "type": "boolean" -+ }, -+ "bits_per_pixel": { -+ "type": "integer" -+ }, -+ "blue_max": { -+ "type": "integer" -+ }, -+ "blue_shift": { -+ "type": "integer" -+ }, -+ "depth": { -+ "type": "integer" -+ }, -+ "green_max": { -+ "type": "integer" -+ }, -+ "green_shift": { -+ "type": "integer" -+ }, -+ "red_max": { -+ "type": "integer" -+ }, -+ "red_shift": { -+ "type": "integer" -+ }, -+ "true_color": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "server_protocol_version": { -+ "type": "object", -+ "properties": { -+ "major": { -+ "type": "string" -+ }, -+ "minor": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "rpc": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "auth_type": { -+ "type": "string" -+ }, -+ "status": { -+ "type": "string" -+ }, -+ "xid": { -+ "type": "integer" -+ }, -+ "creds": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "gid": { -+ "type": "integer" -+ }, -+ "machine_name": { -+ "type": "string" -+ }, -+ "uid": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "sip": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "code": { -+ "type": "string" -+ }, -+ 
"method": { -+ "type": "string" -+ }, -+ "reason": { -+ "type": "string" -+ }, -+ "request_line": { -+ "type": "string" -+ }, -+ "response_line": { -+ "type": "string" -+ }, -+ "uri": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "smb": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "access": { -+ "type": "string" -+ }, -+ "accessed": { -+ "type": "integer" -+ }, -+ "changed": { -+ "type": "integer" -+ }, -+ "client_guid": { -+ "type": "string" -+ }, -+ "command": { -+ "type": "string" -+ }, -+ "created": { -+ "type": "integer" -+ }, -+ "dialect": { -+ "type": "string" -+ }, -+ "directory": { -+ "type": "string" -+ }, -+ "disposition": { -+ "type": "string" -+ }, -+ "filename": { -+ "type": "string" -+ }, -+ "fuid": { -+ "type": "string" -+ }, -+ "function": { -+ "type": "string" -+ }, -+ "id": { -+ "type": "integer" -+ }, -+ "max_read_size": { -+ "type": "integer" -+ }, -+ "max_write_size": { -+ "type": "integer" -+ }, -+ "modified": { -+ "type": "integer" -+ }, -+ "named_pipe": { -+ "type": "string" -+ }, -+ "request_done": { -+ "type": "boolean" -+ }, -+ "response_done": { -+ "type": "boolean" -+ }, -+ "server_guid": { -+ "type": "string" -+ }, -+ "session_id": { -+ "type": "integer" -+ }, -+ "share": { -+ "type": "string" -+ }, -+ "share_type": { -+ "type": "string" -+ }, -+ "size": { -+ "type": "integer" -+ }, -+ "status": { -+ "type": "string" -+ }, -+ "status_code": { -+ "type": "string" -+ }, -+ "tree_id": { -+ "type": "integer" -+ }, -+ "client_dialects": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "dcerpc": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "call_id": { -+ "type": "integer" -+ }, -+ "opnum": { -+ "type": "integer" -+ }, -+ "request": { -+ "type": "string" -+ }, -+ "response": { -+ "type": "string" -+ }, -+ "interfaces": { -+ "type": "array", -+ "items": { -+ "type": "object", -+ "optional": true, -+ 
"properties": { -+ "ack_reason": { -+ "type": "integer" -+ }, -+ "ack_result": { -+ "type": "integer" -+ }, -+ "uuid": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "req": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "frag_cnt": { -+ "type": "integer" -+ }, -+ "stub_data_size": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "res": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "frag_cnt": { -+ "type": "integer" -+ }, -+ "stub_data_size": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "kerberos": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "realm": { -+ "type": "string" -+ }, -+ "snames": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ntlmssp": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "domain": { -+ "type": "string" -+ }, -+ "host": { -+ "type": "string" -+ }, -+ "user": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "request": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "native_lm": { -+ "type": "string" -+ }, -+ "native_os": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "response": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "native_lm": { -+ "type": "string" -+ }, -+ "native_os": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "service": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "request": { -+ "type": "string" -+ }, -+ "response": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "smtp": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "helo": { -+ "type": "string" -+ }, -+ "mail_from": { -+ "type": 
"string" -+ }, -+ "rcpt_to": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "snmp": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "community": { -+ "type": "string" -+ }, -+ "pdu_type": { -+ "type": "string" -+ }, -+ "usm": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "integer" -+ }, -+ "vars": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ssh": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "client": { -+ "type": "object", -+ "properties": { -+ "proto_version": { -+ "type": "string" -+ }, -+ "software_version": { -+ "type": "string" -+ }, -+ "hassh": { -+ "type": "object", -+ "properties": { -+ "hash": { -+ "type": "string" -+ }, -+ "string": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "server": { -+ "type": "object", -+ "properties": { -+ "proto_version": { -+ "type": "string" -+ }, -+ "software_version": { -+ "type": "string" -+ }, -+ "hassh": { -+ "type": "object", -+ "properties": { -+ "hash": { -+ "type": "string" -+ }, -+ "string": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "stats": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "uptime": { -+ "type": "integer" -+ }, -+ "app_layer": { -+ "type": "object", -+ "properties": { -+ "expectations": { -+ "type": "integer" -+ }, -+ "error": { -+ "type": "object", -+ "properties": { -+ "dcerpc_tcp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "dcerpc_udp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "dhcp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "dnp3": { "$ref": "#/$defs/stats_applayer_error" }, -+ "dns_tcp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "dns_udp": { "$ref": "#/$defs/stats_applayer_error" }, 
-+ "enip_tcp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "enip_udp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "failed_tcp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "ftp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "ftp-data": { "$ref": "#/$defs/stats_applayer_error" }, -+ "http": { "$ref": "#/$defs/stats_applayer_error" }, -+ "http2": { "$ref": "#/$defs/stats_applayer_error" }, -+ "ike": { "$ref": "#/$defs/stats_applayer_error" }, -+ "imap": { "$ref": "#/$defs/stats_applayer_error" }, -+ "krb5_tcp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "krb5_udp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "mqtt": { "$ref": "#/$defs/stats_applayer_error" }, -+ "nfs_tcp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "nfs_udp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "ntp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "pgsql": { "$ref": "#/$defs/stats_applayer_error" }, -+ "quic": { "$ref": "#/$defs/stats_applayer_error" }, -+ "rdp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "rfb": { "$ref": "#/$defs/stats_applayer_error" }, -+ "sip": { "$ref": "#/$defs/stats_applayer_error" }, -+ "smb": { "$ref": "#/$defs/stats_applayer_error" }, -+ "smtp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "snmp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "ssh": { "$ref": "#/$defs/stats_applayer_error" }, -+ "telnet": { "$ref": "#/$defs/stats_applayer_error" }, -+ "tftp": { "$ref": "#/$defs/stats_applayer_error" }, -+ "tls": { "$ref": "#/$defs/stats_applayer_error" } -+ }, -+ "additionalProperties": false -+ }, -+ "flow": { -+ "type": "object", -+ "properties": { -+ "dcerpc_tcp": { -+ "type": "integer" -+ }, -+ "dcerpc_udp": { -+ "type": "integer" -+ }, -+ "dhcp": { -+ "type": "integer" -+ }, -+ "dnp3": { -+ "type": "integer" -+ }, -+ "dns_tcp": { -+ "type": "integer" -+ }, -+ "dns_udp": { -+ "type": "integer" -+ }, -+ "enip_tcp": { -+ "type": "integer" -+ }, -+ "enip_udp": { -+ "type": "integer" -+ }, -+ "failed_tcp": { -+ "type": "integer" -+ 
}, -+ "failed_udp": { -+ "type": "integer" -+ }, -+ "ftp": { -+ "type": "integer" -+ }, -+ "ftp-data": { -+ "type": "integer" -+ }, -+ "http": { -+ "type": "integer" -+ }, -+ "http2": { -+ "type": "integer" -+ }, -+ "ike": { -+ "type": "integer" -+ }, -+ "ikev2": { -+ "type": "integer" -+ }, -+ "imap": { -+ "type": "integer" -+ }, -+ "krb5_tcp": { -+ "type": "integer" -+ }, -+ "krb5_udp": { -+ "type": "integer" -+ }, -+ "modbus": { -+ "type": "integer" -+ }, -+ "mqtt": { -+ "type": "integer" -+ }, -+ "nfs_tcp": { -+ "type": "integer" -+ }, -+ "nfs_udp": { -+ "type": "integer" -+ }, -+ "ntp": { -+ "type": "integer" -+ }, -+ "pgsql": { -+ "type": "integer" -+ }, -+ "quic": { -+ "type": "integer" -+ }, -+ "rdp": { -+ "type": "integer" -+ }, -+ "rfb": { -+ "type": "integer" -+ }, -+ "sip": { -+ "type": "integer" -+ }, -+ "smb": { -+ "type": "integer" -+ }, -+ "smtp": { -+ "type": "integer" -+ }, -+ "snmp": { -+ "type": "integer" -+ }, -+ "ssh": { -+ "type": "integer" -+ }, -+ "telnet": { -+ "type": "integer" -+ }, -+ "tftp": { -+ "type": "integer" -+ }, -+ "tls": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "tx": { -+ "type": "object", -+ "properties": { -+ "dcerpc_tcp": { -+ "type": "integer" -+ }, -+ "dcerpc_udp": { -+ "type": "integer" -+ }, -+ "dhcp": { -+ "type": "integer" -+ }, -+ "dnp3": { -+ "type": "integer" -+ }, -+ "dns_tcp": { -+ "type": "integer" -+ }, -+ "dns_udp": { -+ "type": "integer" -+ }, -+ "enip_tcp": { -+ "type": "integer" -+ }, -+ "enip_udp": { -+ "type": "integer" -+ }, -+ "ftp": { -+ "type": "integer" -+ }, -+ "ftp-data": { -+ "type": "integer" -+ }, -+ "http": { -+ "type": "integer" -+ }, -+ "http2": { -+ "type": "integer" -+ }, -+ "ike": { -+ "type": "integer" -+ }, -+ "ikev2": { -+ "type": "integer" -+ }, -+ "imap": { -+ "type": "integer" -+ }, -+ "krb5_tcp": { -+ "type": "integer" -+ }, -+ "krb5_udp": { -+ "type": "integer" -+ }, -+ "modbus": { -+ "type": "integer" -+ }, -+ "mqtt": { -+ "type": "integer" -+ }, 
-+ "nfs_tcp": { -+ "type": "integer" -+ }, -+ "nfs_udp": { -+ "type": "integer" -+ }, -+ "ntp": { -+ "type": "integer" -+ }, -+ "pgsql": { -+ "type": "integer" -+ }, -+ "quic": { -+ "type": "integer" -+ }, -+ "rdp": { -+ "type": "integer" -+ }, -+ "rfb": { -+ "type": "integer" -+ }, -+ "sip": { -+ "type": "integer" -+ }, -+ "smb": { -+ "type": "integer" -+ }, -+ "smtp": { -+ "type": "integer" -+ }, -+ "snmp": { -+ "type": "integer" -+ }, -+ "ssh": { -+ "type": "integer" -+ }, -+ "telnet": { -+ "type": "integer" -+ }, -+ "tftp": { -+ "type": "integer" -+ }, -+ "tls": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "decoder": { -+ "type": "object", -+ "properties": { -+ "avg_pkt_size": { -+ "type": "integer" -+ }, -+ "bytes": { -+ "type": "integer" -+ }, -+ "chdlc": { -+ "type": "integer" -+ }, -+ "erspan": { -+ "type": "integer" -+ }, -+ "esp": { -+ "type": "integer" -+ }, -+ "ethernet": { -+ "type": "integer" -+ }, -+ "geneve": { -+ "type": "integer" -+ }, -+ "gre": { -+ "type": "integer" -+ }, -+ "icmpv4": { -+ "type": "integer" -+ }, -+ "icmpv6": { -+ "type": "integer" -+ }, -+ "ieee8021ah": { -+ "type": "integer" -+ }, -+ "invalid": { -+ "type": "integer" -+ }, -+ "ipv4": { -+ "type": "integer" -+ }, -+ "ipv4_in_ipv6": { -+ "type": "integer" -+ }, -+ "ipv6": { -+ "type": "integer" -+ }, -+ "ipv6_in_ipv6": { -+ "type": "integer" -+ }, -+ "max_mac_addrs_dst": { -+ "type": "integer" -+ }, -+ "max_mac_addrs_src": { -+ "type": "integer" -+ }, -+ "max_pkt_size": { -+ "type": "integer" -+ }, -+ "mpls": { -+ "type": "integer" -+ }, -+ "nsh": { -+ "type": "integer" -+ }, -+ "null": { -+ "type": "integer" -+ }, -+ "pkts": { -+ "type": "integer" -+ }, -+ "ppp": { -+ "type": "integer" -+ }, -+ "pppoe": { -+ "type": "integer" -+ }, -+ "raw": { -+ "type": "integer" -+ }, -+ "sctp": { -+ "type": "integer" -+ }, -+ "sll": { -+ "type": "integer" -+ }, -+ "tcp": { -+ "type": "integer" -+ }, -+ "teredo": { -+ 
"type": "integer" -+ }, -+ "too_many_layers": { -+ "type": "integer" -+ }, -+ "udp": { -+ "type": "integer" -+ }, -+ "vlan": { -+ "type": "integer" -+ }, -+ "vlan_qinq": { -+ "type": "integer" -+ }, -+ "vntag": { -+ "type": "integer" -+ }, -+ "vxlan": { -+ "type": "integer" -+ }, -+ "event": { -+ "type": "object", -+ "properties": { -+ "chdlc": { -+ "type": "object", -+ "properties": { -+ "pkt_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "dce": { -+ "type": "object", -+ "properties": { -+ "pkt_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "erspan": { -+ "type": "object", -+ "properties": { -+ "header_too_small": { -+ "type": "integer" -+ }, -+ "too_many_vlan_layers": { -+ "type": "integer" -+ }, -+ "unsupported_version": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "esp": { -+ "type": "object", -+ "properties": { -+ "pkt_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ethernet": { -+ "type": "object", -+ "properties": { -+ "pkt_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "geneve": { -+ "type": "object", -+ "properties": { -+ "unknown_payload_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "gre": { -+ "type": "object", -+ "properties": { -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "version0_flags": { -+ "type": "integer" -+ }, -+ "version0_hdr_too_big": { -+ "type": "integer" -+ }, -+ "version0_malformed_sre_hdr": { -+ "type": "integer" -+ }, -+ "version0_recur": { -+ "type": "integer" -+ }, -+ "version1_chksum": { -+ "type": "integer" -+ }, -+ "version1_flags": { -+ "type": "integer" -+ }, -+ "version1_hdr_too_big": { -+ "type": "integer" -+ }, -+ "version1_malformed_sre_hdr": { -+ "type": "integer" -+ }, -+ "version1_no_key": { -+ "type": "integer" -+ }, -+ "version1_recur": { -+ "type": "integer" -+ }, -+ "version1_route": 
{ -+ "type": "integer" -+ }, -+ "version1_ssr": { -+ "type": "integer" -+ }, -+ "version1_wrong_protocol": { -+ "type": "integer" -+ }, -+ "wrong_version": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "icmpv4": { -+ "type": "object", -+ "properties": { -+ "ipv4_trunc_pkt": { -+ "type": "integer" -+ }, -+ "ipv4_unknown_ver": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "unknown_code": { -+ "type": "integer" -+ }, -+ "unknown_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "icmpv6": { -+ "type": "object", -+ "properties": { -+ "experimentation_type": { -+ "type": "integer" -+ }, -+ "ipv6_trunc_pkt": { -+ "type": "integer" -+ }, -+ "ipv6_unknown_version": { -+ "type": "integer" -+ }, -+ "mld_message_with_invalid_hl": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "unassigned_type": { -+ "type": "integer" -+ }, -+ "unknown_code": { -+ "type": "integer" -+ }, -+ "unknown_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ieee8021ah": { -+ "type": "object", -+ "properties": { -+ "header_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ipraw": { -+ "type": "object", -+ "properties": { -+ "invalid_ip_version": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ipv4": { -+ "type": "object", -+ "properties": { -+ "frag_ignored": { -+ "type": "integer" -+ }, -+ "frag_overlap": { -+ "type": "integer" -+ }, -+ "frag_pkt_too_large": { -+ "type": "integer" -+ }, -+ "hlen_too_small": { -+ "type": "integer" -+ }, -+ "icmpv6": { -+ "type": "integer" -+ }, -+ "iplen_smaller_than_hlen": { -+ "type": "integer" -+ }, -+ "opt_duplicate": { -+ "type": "integer" -+ }, -+ "opt_eol_required": { -+ "type": "integer" -+ }, -+ "opt_invalid": { -+ "type": "integer" -+ }, -+ "opt_invalid_len": { -+ "type": "integer" -+ }, -+ "opt_malformed": { -+ "type": "integer" 
-+ }, -+ "opt_pad_required": { -+ "type": "integer" -+ }, -+ "opt_unknown": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "trunc_pkt": { -+ "type": "integer" -+ }, -+ "wrong_ip_version": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ipv6": { -+ "type": "object", -+ "properties": { -+ "data_after_none_header": { -+ "type": "integer" -+ }, -+ "dstopts_only_padding": { -+ "type": "integer" -+ }, -+ "dstopts_unknown_opt": { -+ "type": "integer" -+ }, -+ "exthdr_ah_res_not_null": { -+ "type": "integer" -+ }, -+ "exthdr_dupl_ah": { -+ "type": "integer" -+ }, -+ "exthdr_dupl_dh": { -+ "type": "integer" -+ }, -+ "exthdr_dupl_eh": { -+ "type": "integer" -+ }, -+ "exthdr_dupl_fh": { -+ "type": "integer" -+ }, -+ "exthdr_dupl_hh": { -+ "type": "integer" -+ }, -+ "exthdr_dupl_rh": { -+ "type": "integer" -+ }, -+ "exthdr_invalid_optlen": { -+ "type": "integer" -+ }, -+ "exthdr_useless_fh": { -+ "type": "integer" -+ }, -+ "fh_non_zero_reserved_field": { -+ "type": "integer" -+ }, -+ "frag_ignored": { -+ "type": "integer" -+ }, -+ "frag_invalid_length": { -+ "type": "integer" -+ }, -+ "frag_overlap": { -+ "type": "integer" -+ }, -+ "frag_pkt_too_large": { -+ "type": "integer" -+ }, -+ "hopopts_only_padding": { -+ "type": "integer" -+ }, -+ "hopopts_unknown_opt": { -+ "type": "integer" -+ }, -+ "icmpv4": { -+ "type": "integer" -+ }, -+ "ipv4_in_ipv6_too_small": { -+ "type": "integer" -+ }, -+ "ipv4_in_ipv6_wrong_version": { -+ "type": "integer" -+ }, -+ "ipv6_in_ipv6_too_small": { -+ "type": "integer" -+ }, -+ "ipv6_in_ipv6_wrong_version": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "rh_type_0": { -+ "type": "integer" -+ }, -+ "trunc_exthdr": { -+ "type": "integer" -+ }, -+ "trunc_pkt": { -+ "type": "integer" -+ }, -+ "unknown_next_header": { -+ "type": "integer" -+ }, -+ "wrong_ip_version": { -+ "type": "integer" -+ }, -+ "zero_len_padn": { -+ "type": "integer" -+ } -+ }, -+ 
"additionalProperties": false -+ }, -+ "ltnull": { -+ "type": "object", -+ "properties": { -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "unsupported_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "mpls": { -+ "type": "object", -+ "properties": { -+ "bad_label_implicit_null": { -+ "type": "integer" -+ }, -+ "bad_label_reserved": { -+ "type": "integer" -+ }, -+ "bad_label_router_alert": { -+ "type": "integer" -+ }, -+ "header_too_small": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "unknown_payload_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "nsh": { -+ "type": "object", -+ "properties": { -+ "bad_header_length": { -+ "type": "integer" -+ }, -+ "header_too_small": { -+ "type": "integer" -+ }, -+ "reserved_type": { -+ "type": "integer" -+ }, -+ "unknown_payload": { -+ "type": "integer" -+ }, -+ "unsupported_type": { -+ "type": "integer" -+ }, -+ "unsupported_version": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ppp": { -+ "type": "object", -+ "properties": { -+ "ip4_pkt_too_small": { -+ "type": "integer" -+ }, -+ "ip6_pkt_too_small": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "unsup_proto": { -+ "type": "integer" -+ }, -+ "vju_pkt_too_small": { -+ "type": "integer" -+ }, -+ "wrong_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "pppoe": { -+ "type": "object", -+ "properties": { -+ "malformed_tags": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ }, -+ "wrong_code": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "sctp": { -+ "type": "object", -+ "properties": { -+ "pkt_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "sll": { -+ "type": "object", -+ "properties": { -+ "pkt_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, 
-+ "tcp": { -+ "type": "object", -+ "properties": { -+ "hlen_too_small": { -+ "type": "integer" -+ }, -+ "invalid_optlen": { -+ "type": "integer" -+ }, -+ "opt_duplicate": { -+ "type": "integer" -+ }, -+ "opt_invalid_len": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "udp": { -+ "type": "object", -+ "properties": { -+ "hlen_invalid": { -+ "type": "integer" -+ }, -+ "hlen_too_small": { -+ "type": "integer" -+ }, -+ "pkt_too_small": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "vlan": { -+ "type": "object", -+ "properties": { -+ "header_too_small": { -+ "type": "integer" -+ }, -+ "too_many_layers": { -+ "type": "integer" -+ }, -+ "unknown_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "vntag": { -+ "type": "object", -+ "properties": { -+ "header_too_small": { -+ "type": "integer" -+ }, -+ "unknown_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "vxlan": { -+ "type": "object", -+ "properties": { -+ "unknown_payload_type": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "defrag": { -+ "type": "object", -+ "properties": { -+ "max_frag_hits": { -+ "type": "integer" -+ }, -+ "ipv4": { -+ "type": "object", -+ "properties": { -+ "fragments": { -+ "type": "integer" -+ }, -+ "reassembled": { -+ "type": "integer" -+ }, -+ "timeouts": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ipv6": { -+ "type": "object", -+ "properties": { -+ "fragments": { -+ "type": "integer" -+ }, -+ "reassembled": { -+ "type": "integer" -+ }, -+ "timeouts": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "detect": { -+ "type": "object", -+ "properties": { -+ "alert": { -+ "type": "integer" -+ }, -+ 
"alert_queue_overflow": { -+ "type": "integer" -+ }, -+ "alerts_suppressed": { -+ "type": "integer" -+ }, -+ "engines": { -+ "type": "array", -+ "items": [ -+ { -+ "type": "object", -+ "properties": { -+ "id": { -+ "type": "integer" -+ }, -+ "last_reload": { -+ "type": "string" -+ }, -+ "rules_loaded": { -+ "type": "integer" -+ }, -+ "rules_failed": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ ] -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "file_store": { -+ "type": "object", -+ "properties": { -+ "fs_errors": { -+ "type": "integer" -+ }, -+ "open_files": { -+ "type": "integer" -+ }, -+ "open_files_max_hit": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "flow": { -+ "type": "object", -+ "properties": { -+ "emerg_mode_entered": { -+ "type": "integer" -+ }, -+ "emerg_mode_over": { -+ "type": "integer" -+ }, -+ "get_used": { -+ "type": "integer" -+ }, -+ "get_used_eval": { -+ "type": "integer" -+ }, -+ "get_used_eval_busy": { -+ "type": "integer" -+ }, -+ "get_used_eval_reject": { -+ "type": "integer" -+ }, -+ "get_used_failed": { -+ "type": "integer" -+ }, -+ "icmpv4": { -+ "type": "integer" -+ }, -+ "icmpv6": { -+ "type": "integer" -+ }, -+ "memcap": { -+ "type": "integer" -+ }, -+ "memuse": { -+ "type": "integer" -+ }, -+ "spare": { -+ "type": "integer" -+ }, -+ "tcp": { -+ "type": "integer" -+ }, -+ "tcp_reuse": { -+ "type": "integer" -+ }, -+ "udp": { -+ "type": "integer" -+ }, -+ "mgr": { -+ "type": "object", -+ "properties": { -+ "bypassed_pruned": { -+ "type": "integer" -+ }, -+ "closed_pruned": { -+ "type": "integer" -+ }, -+ "est_pruned": { -+ "type": "integer" -+ }, -+ "flows_checked": { -+ "type": "integer" -+ }, -+ "flows_evicted": { -+ "type": "integer" -+ }, -+ "flows_evicted_needs_work": { -+ "type": "integer" -+ }, -+ "flows_notimeout": { -+ "type": "integer" -+ }, -+ "flows_timeout": { -+ "type": "integer" -+ }, -+ "flows_timeout_inuse": { -+ "type": "integer" -+ }, -+ 
"full_hash_pass": { -+ "type": "integer" -+ }, -+ "new_pruned": { -+ "type": "integer" -+ }, -+ "rows_maxlen": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "wrk": { -+ "type": "object", -+ "properties": { -+ "flows_evicted": { -+ "type": "integer" -+ }, -+ "flows_evicted_needs_work": { -+ "type": "integer" -+ }, -+ "flows_evicted_pkt_inject": { -+ "type": "integer" -+ }, -+ "flows_injected": { -+ "type": "integer" -+ }, -+ "spare_sync": { -+ "type": "integer" -+ }, -+ "spare_sync_avg": { -+ "type": "integer" -+ }, -+ "spare_sync_empty": { -+ "type": "integer" -+ }, -+ "spare_sync_incomplete": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "flow_bypassed": { -+ "type": "object", -+ "properties": { -+ "bytes": { -+ "type": "integer" -+ }, -+ "closed": { -+ "type": "integer" -+ }, -+ "local_bytes": { -+ "type": "integer" -+ }, -+ "local_capture_bytes": { -+ "type": "integer" -+ }, -+ "local_capture_pkts": { -+ "type": "integer" -+ }, -+ "local_pkts": { -+ "type": "integer" -+ }, -+ "pkts": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "flow_mgr": { -+ "type": "object", -+ "properties": { -+ "bypassed_pruned": { -+ "type": "integer" -+ }, -+ "closed_pruned": { -+ "type": "integer" -+ }, -+ "est_pruned": { -+ "type": "integer" -+ }, -+ "flows_checked": { -+ "type": "integer" -+ }, -+ "flows_notimeout": { -+ "type": "integer" -+ }, -+ "flows_removed": { -+ "type": "integer" -+ }, -+ "flows_timeout": { -+ "type": "integer" -+ }, -+ "flows_timeout_inuse": { -+ "type": "integer" -+ }, -+ "new_pruned": { -+ "type": "integer" -+ }, -+ "rows_busy": { -+ "type": "integer" -+ }, -+ "rows_checked": { -+ "type": "integer" -+ }, -+ "rows_empty": { -+ "type": "integer" -+ }, -+ "rows_maxlen": { -+ "type": "integer" -+ }, -+ "rows_skipped": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ftp": { -+ "type": "object", -+ 
"properties": { -+ "memcap": { -+ "type": "integer" -+ }, -+ "memuse": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "http": { -+ "type": "object", -+ "properties": { -+ "memcap": { -+ "type": "integer" -+ }, -+ "memuse": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "tcp": { -+ "type": "object", -+ "properties": { -+ "insert_data_normal_fail": { -+ "type": "integer" -+ }, -+ "insert_data_overlap_fail": { -+ "type": "integer" -+ }, -+ "insert_list_fail": { -+ "type": "integer" -+ }, -+ "invalid_checksum": { -+ "type": "integer" -+ }, -+ "memuse": { -+ "type": "integer" -+ }, -+ "midstream_pickups": { -+ "type": "integer" -+ }, -+ "no_flow": { -+ "type": "integer" -+ }, -+ "overlap": { -+ "type": "integer" -+ }, -+ "overlap_diff_data": { -+ "type": "integer" -+ }, -+ "pkt_on_wrong_thread": { -+ "type": "integer" -+ }, -+ "pseudo": { -+ "type": "integer" -+ }, -+ "pseudo_failed": { -+ "type": "integer" -+ }, -+ "reassembly_gap": { -+ "type": "integer" -+ }, -+ "reassembly_memuse": { -+ "type": "integer" -+ }, -+ "rst": { -+ "type": "integer" -+ }, -+ "segment_memcap_drop": { -+ "type": "integer" -+ }, -+ "sessions": { -+ "type": "integer" -+ }, -+ "ssn_memcap_drop": { -+ "type": "integer" -+ }, -+ "stream_depth_reached": { -+ "type": "integer" -+ }, -+ "syn": { -+ "type": "integer" -+ }, -+ "synack": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "tcp": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "ack": { -+ "type": "boolean" -+ }, -+ "cwr": { -+ "type": "boolean" -+ }, -+ "ecn": { -+ "type": "boolean" -+ }, -+ "fin": { -+ "type": "boolean" -+ }, -+ "psh": { -+ "type": "boolean" -+ }, -+ "rst": { -+ "type": "boolean" -+ }, -+ "state": { -+ "type": "string" -+ }, -+ "syn": { -+ "type": "boolean" -+ }, -+ "tcp_flags": { -+ "type": "string" -+ }, -+ "tcp_flags_tc": { -+ "type": "string" -+ }, -+ "tcp_flags_ts": { -+ 
"type": "string" -+ }, -+ "urg": { -+ "type": "boolean" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "template": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "request": { -+ "type": "string" -+ }, -+ "response": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "tftp": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "file": { -+ "type": "string" -+ }, -+ "mode": { -+ "type": "string" -+ }, -+ "packet": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "tls": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "fingerprint": { -+ "type": "string" -+ }, -+ "from_proto": { -+ "type": "string" -+ }, -+ "issuerdn": { -+ "type": "string" -+ }, -+ "notafter": { -+ "type": "string" -+ }, -+ "notbefore": { -+ "type": "string" -+ }, -+ "serial": { -+ "type": "string" -+ }, -+ "session_resumed": { -+ "type": "boolean" -+ }, -+ "sni": { -+ "type": "string" -+ }, -+ "subject": { -+ "type": "string" -+ }, -+ "version": { -+ "type": "string" -+ }, -+ "ja3": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "hash": { -+ "type": "string" -+ }, -+ "string": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "ja3s": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "hash": { -+ "type": "string" -+ }, -+ "string": { -+ "type": "string" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "traffic": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "id": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ }, -+ "label": { -+ "type": "array", -+ "items": { -+ "type": "string" -+ } -+ } -+ }, -+ "additionalProperties": false -+ }, -+ "tunnel": { -+ "type": "object", -+ "optional": true, -+ "properties": { -+ "depth": { -+ "type": "integer" -+ }, -+ "dest_ip": { -+ "type": "string" -+ }, -+ "dest_port": { -+ "type": "integer" -+ }, -+ "pcap_cnt": { -+ 
"type": "integer" -+ }, -+ "pkt_src": { -+ "type": "string" -+ }, -+ "proto": { -+ "type": "string" -+ }, -+ "src_ip": { -+ "type": "string" -+ }, -+ "src_port": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ }, -+ "additionalProperties": false, -+ "$defs": { -+ "stats_applayer_error": { -+ "type": "object", -+ "properties": { -+ "gap": { -+ "type": "integer" -+ }, -+ "alloc": { -+ "type": "integer" -+ }, -+ "parser": { -+ "type": "integer" -+ }, -+ "internal": { -+ "type": "integer" -+ } -+ }, -+ "additionalProperties": false -+ } -+ } -+} --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-55628-003.patch b/recipes-ids/suricata/files/CVE-2024-55628-003.patch deleted file mode 100644 index c498a6b..0000000 --- a/recipes-ids/suricata/files/CVE-2024-55628-003.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 5edb84fe234f47a0fedfbf9b10b49699152fe8cb Mon Sep 17 00:00:00 2001 -From: Jason Ish -Date: Thu, 31 Oct 2024 15:46:35 -0600 -Subject: [PATCH] eve/dns: add truncation flags for fields that are truncated - -If rrname, rdata or mname are truncated, set a flag field like -'rrname_truncated: true' to indicate that the name is truncated. - -Ticket: #7280 - -(cherry picked from commit 37f4c52b22fcdde4adf9b479cb5700f89d00768d) - -CVE: CVE-2024-55628 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/5edb84fe234f47a0fedfbf9b10b49699152fe8cb] -Signed-off-by: Hitendra Prajapati ---- - etc/schema.json | 7 +++++++ - rust/src/dns/log.rs | 19 +++++++++++++++++++ - 2 files changed, 26 insertions(+) - -diff --git a/etc/schema.json b/etc/schema.json -index 99f419f..422d77c 100644 ---- a/etc/schema.json -+++ b/etc/schema.json -@@ -790,6 +790,9 @@ - "rrname": { - "type": "string" - }, -+ "rrname_truncated": { -+ "type": "boolean" -+ }, - "rrtype": { - "type": "string" - }, -@@ -2365,6 +2368,10 @@ - "type": "array", - "items": { - "type": "integer" -+ }, -+ "rrname_truncated": { -+ "description": "Set to true if the rrname was too long and truncated by Suricata", -+ "type": "boolean" - } - } - }, -diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs -index 6bf9589..d0e468d 100644 ---- a/rust/src/dns/log.rs -+++ b/rust/src/dns/log.rs -@@ -399,7 +399,13 @@ fn dns_log_soa(soa: &DNSRDataSOA) -> Result { - let mut js = JsonBuilder::try_new_object()?; - - js.set_string_from_bytes("mname", &soa.mname.value)?; -+ if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) { -+ js.set_bool("mname_truncated", true)?; -+ } - js.set_string_from_bytes("rname", &soa.rname.value)?; -+ if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) { -+ js.set_bool("rname_truncated", true)?; -+ } - js.set_uint("serial", soa.serial as u64)?; - js.set_uint("refresh", soa.refresh as u64)?; - js.set_uint("retry", soa.retry as u64)?; -@@ -444,6 +450,9 @@ fn 
dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result Result { - jsa.set_string_from_bytes("rdata", &name.value)?; -+ if name.flags.contains(DNSNameFlags::TRUNCATED) { -+ jsa.set_bool("rdata_truncated", true)?; -+ } - } - DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => { - jsa.set_string_from_bytes("rdata", bytes)?; -@@ -506,6 +518,9 @@ fn dns_log_json_answer( - - if let Some(query) = response.queries.first() { - js.set_string_from_bytes("rrname", &query.name.value)?; -+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) { -+ js.set_bool("rrname_truncated", true)?; -+ } - js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?; - } - js.set_string("rcode", &dns_rcode_string(header.flags))?; -@@ -532,6 +547,7 @@ fn dns_log_json_answer( - | DNSRData::MX(name) - | DNSRData::NS(name) - | DNSRData::PTR(name) => { -+ // Flags like truncated not logged here as it would break the schema. - if !answer_types.contains_key(&type_string) { - answer_types - .insert(type_string.to_string(), JsonBuilder::try_new_array()?); -@@ -620,6 +636,9 @@ fn dns_log_query( - jb.set_string("type", "query")?; - jb.set_uint("id", request.header.tx_id as u64)?; - jb.set_string_from_bytes("rrname", &query.name.value)?; -+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) { -+ jb.set_bool("rrname_truncated", true)?; -+ } - jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?; - jb.set_uint("tx_id", tx.id - 1)?; - if request.header.flags & 0x0040 != 0 { --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2024-55628-004.patch b/recipes-ids/suricata/files/CVE-2024-55628-004.patch deleted file mode 100644 index 5a2bcf6..0000000 --- a/recipes-ids/suricata/files/CVE-2024-55628-004.patch +++ /dev/null 
@@ -1,510 +0,0 @@ -From 71212b78bd1b7b841c9d9a907d0b3eea71a54060 Mon Sep 17 00:00:00 2001 -From: Jason Ish -Date: Fri, 1 Nov 2024 11:39:23 -0600 -Subject: [PATCH] dns: provide events for recoverable parse errors - -Add events for the following resource name parsing issues: - -- name truncated as its too long -- maximum number of labels reached -- infinite loop - -Currently these events are only registered when encountered, but -recoverable. That is where we are able to return some of the name, -usually in a truncated state. - -As name parsing has many code paths, we pass in a pointer to a flag -field that can be updated by the name parser, this is done in -addition to the flags being set on a specific name as when logging we -want to designate which fields are truncated, etc. But for alerts, we -just care that something happened during the parse. It also reduces -errors as it won't be forgotten to check for the flags and set the -event if some new parser is written that also parses names. 
- -Ticket: #7280 - -(cherry picked from commit 19cf0f81335d9f787d587450f7105ad95a648951) - -CVE: CVE-2024-55628 -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/71212b78bd1b7b841c9d9a907d0b3eea71a54060] -Signed-off-by: Hitendra Prajapati ---- - rules/dns-events.rules | 9 +++ - rust/src/dns/dns.rs | 36 ++++++++++- - rust/src/dns/parser.rs | 136 +++++++++++++++++++++++++---------------- - 3 files changed, 124 insertions(+), 57 deletions(-) - -diff --git a/rules/dns-events.rules b/rules/dns-events.rules -index d4c02b5..cc43629 100644 ---- a/rules/dns-events.rules -+++ b/rules/dns-events.rules -@@ -8,3 +8,12 @@ alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; - # Z flag (reserved) not 0 - alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;) - alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;) -+ -+# A resource name was too long (over 1025 chars) -+alert dns any any -> any any (msg:"SURICATA DNS Name too long"; app-layer-event:dns.name_too_long; classtype:protocol-command-decode; sid:224008; rev:1;) -+ -+# An infinite loop was found while decoding a DNS resource name. -+alert dns any any -> any any (msg:"SURICATA DNS Infinite loop"; app-layer-event:dns.infinite_loop; classtype:protocol-command-decode; sid:224009; rev:1;) -+ -+# Suricata's maximum number of DNS name labels was reached while parsing a resource name. 
-+alert dns any any -> any any (msg:"SURICATA DNS Too many labels"; app-layer-event:dns.too_many_labels; classtype:protocol-command-decode; sid:224010; rev:1;) -diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs -index 680bf7e..34406dc 100644 ---- a/rust/src/dns/dns.rs -+++ b/rust/src/dns/dns.rs -@@ -129,6 +129,12 @@ pub enum DNSEvent { - NotResponse, - ZFlagSet, - InvalidOpcode, -+ /// A DNS resource name was exessively long and was truncated. -+ NameTooLong, -+ /// An infinite loop was found while parsing a name. -+ InfiniteLoop, -+ /// Too many labels were found. -+ TooManyLabels, - } - - #[derive(Debug, PartialEq, Eq)] -@@ -418,7 +424,7 @@ impl DNSState { - }; - - match parser::dns_parse_request_body(body, input, header) { -- Ok((_, request)) => { -+ Ok((_, (request, parse_flags))) => { - if request.header.flags & 0x8000 != 0 { - SCLogDebug!("DNS message is not a request"); - self.set_event(DNSEvent::NotRequest); -@@ -441,6 +447,18 @@ impl DNSState { - self.set_event(DNSEvent::InvalidOpcode); - } - -+ if parse_flags.contains(DNSNameFlags::TRUNCATED) { -+ self.set_event(DNSEvent::NameTooLong); -+ } -+ -+ if parse_flags.contains(DNSNameFlags::INFINITE_LOOP) { -+ self.set_event(DNSEvent::InfiniteLoop); -+ } -+ -+ if parse_flags.contains(DNSNameFlags::LABEL_LIMIT) { -+ self.set_event(DNSEvent::TooManyLabels); -+ } -+ - return true; - } - Err(Err::Incomplete(_)) => { -@@ -490,7 +508,7 @@ impl DNSState { - }; - - match parser::dns_parse_response_body(body, input, header) { -- Ok((_, response)) => { -+ Ok((_, (response, parse_flags))) => { - SCLogDebug!("Response header flags: {}", response.header.flags); - - if response.header.flags & 0x8000 == 0 { -@@ -519,6 +537,18 @@ impl DNSState { - self.set_event(DNSEvent::InvalidOpcode); - } - -+ if parse_flags.contains(DNSNameFlags::TRUNCATED) { -+ self.set_event(DNSEvent::NameTooLong); -+ } -+ -+ if parse_flags.contains(DNSNameFlags::INFINITE_LOOP) { -+ self.set_event(DNSEvent::InfiniteLoop); -+ } -+ -+ if 
parse_flags.contains(DNSNameFlags::LABEL_LIMIT) { -+ self.set_event(DNSEvent::TooManyLabels); -+ } -+ - return true; - } - Err(Err::Incomplete(_)) => { -@@ -718,7 +748,7 @@ fn probe(input: &[u8], dlen: usize) -> (bool, bool, bool) { - } - - match parser::dns_parse_request(input) { -- Ok((_, request)) => { -+ Ok((_, (request, _))) => { - return probe_header_validity(&request.header, dlen); - } - Err(Err::Incomplete(_)) => match parser::dns_parse_header(input) { -diff --git a/rust/src/dns/parser.rs b/rust/src/dns/parser.rs -index 12929bc..c98ba05 100644 ---- a/rust/src/dns/parser.rs -+++ b/rust/src/dns/parser.rs -@@ -81,7 +81,7 @@ static MAX_NAME_LEN: usize = 1025; - /// Parameters: - /// start: the start of the name - /// message: the complete message that start is a part of with the DNS header --pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8], DNSName> { -+pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8], parse_flags: &mut DNSNameFlags) -> IResult<&'b [u8], DNSName> { - let mut pos = start; - let mut pivot = start; - let mut name: Vec = Vec::with_capacity(32); -@@ -166,6 +166,8 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 - } - } - -+ parse_flags.insert(flags); -+ - // If we followed a pointer we return the position after the first - // pointer followed. Is there a better way to see if these slices - // diverged from each other? A straight up comparison would -@@ -188,7 +190,7 @@ pub fn dns_parse_name<'b>(start: &'b [u8], message: &'b [u8]) -> IResult<&'b [u8 - /// multi-string TXT entry as a single quote string, similar to the - /// output of dig. Something to consider for a future version. 
- fn dns_parse_answer<'a>( -- slice: &'a [u8], message: &'a [u8], count: usize, -+ slice: &'a [u8], message: &'a [u8], count: usize, flags: &mut DNSNameFlags, - ) -> IResult<&'a [u8], Vec> { - let mut answers = Vec::new(); - let mut input = slice; -@@ -201,8 +203,10 @@ fn dns_parse_answer<'a>( - data: &'a [u8], - } - -- fn subparser<'a>(i: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], Answer<'a>> { -- let (i, name) = dns_parse_name(i, message)?; -+ fn subparser<'a>( -+ i: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, -+ ) -> IResult<&'a [u8], Answer<'a>> { -+ let (i, name) = dns_parse_name(i, message, flags)?; - let (i, rrtype) = be_u16(i)?; - let (i, rrclass) = be_u16(i)?; - let (i, ttl) = be_u32(i)?; -@@ -218,7 +222,7 @@ fn dns_parse_answer<'a>( - } - - for _ in 0..count { -- match subparser(input, message) { -+ match subparser(input, message, flags) { - Ok((rem, val)) => { - let n = match val.rrtype { - DNS_RECORD_TYPE_TXT => { -@@ -236,7 +240,7 @@ fn dns_parse_answer<'a>( - } - }; - let result: IResult<&'a [u8], Vec> = -- many_m_n(1, n, complete(|b| dns_parse_rdata(b, message, val.rrtype)))(val.data); -+ many_m_n(1, n, complete(|b| dns_parse_rdata(b, message, val.rrtype, flags)))(val.data); - match result { - Ok((_, rdatas)) => { - for rdata in rdatas { -@@ -266,18 +270,19 @@ fn dns_parse_answer<'a>( - - pub fn dns_parse_response_body<'a>( - i: &'a [u8], message: &'a [u8], header: DNSHeader, --) -> IResult<&'a [u8], DNSResponse> { -- let (i, queries) = count(|b| dns_parse_query(b, message), header.questions as usize)(i)?; -- let (i, answers) = dns_parse_answer(i, message, header.answer_rr as usize)?; -- let (i, authorities) = dns_parse_answer(i, message, header.authority_rr as usize)?; -+) -> IResult<&'a [u8], (DNSResponse, DNSNameFlags)> { -+ let mut flags = DNSNameFlags::default(); -+ let (i, queries) = count(|b| dns_parse_query(b, message, &mut flags), header.questions as usize)(i)?; -+ let (i, answers) = dns_parse_answer(i, message, 
header.answer_rr as usize, &mut flags)?; -+ let (i, authorities) = dns_parse_answer(i, message, header.authority_rr as usize, &mut flags)?; - Ok(( - i, -- DNSResponse { -+ (DNSResponse { - header, - queries, - answers, - authorities, -- }, -+ }, flags), - )) - } - -@@ -286,9 +291,9 @@ pub fn dns_parse_response_body<'a>( - /// Arguments are suitable for using with call!: - /// - /// call!(complete_dns_message_buffer) --pub fn dns_parse_query<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSQueryEntry> { -+pub fn dns_parse_query<'a>(input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags) -> IResult<&'a [u8], DNSQueryEntry> { - let i = input; -- let (i, name) = dns_parse_name(i, message)?; -+ let (i, name) = dns_parse_name(i, message, flags)?; - let (i, rrtype) = be_u16(i)?; - let (i, rrclass) = be_u16(i)?; - Ok(( -@@ -309,22 +314,30 @@ fn dns_parse_rdata_aaaa(input: &[u8]) -> IResult<&[u8], DNSRData> { - rest(input).map(|(input, data)| (input, DNSRData::AAAA(data.to_vec()))) - } - --fn dns_parse_rdata_cname<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { -- dns_parse_name(input, message).map(|(input, name)| (input, DNSRData::CNAME(name))) -+fn dns_parse_rdata_cname<'a>( -+ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, -+) -> IResult<&'a [u8], DNSRData> { -+ dns_parse_name(input, message, flags).map(|(input, name)| (input, DNSRData::CNAME(name))) - } - --fn dns_parse_rdata_ns<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { -- dns_parse_name(input, message).map(|(input, name)| (input, DNSRData::NS(name))) -+fn dns_parse_rdata_ns<'a>( -+ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, -+) -> IResult<&'a [u8], DNSRData> { -+ dns_parse_name(input, message, flags).map(|(input, name)| (input, DNSRData::NS(name))) - } - --fn dns_parse_rdata_ptr<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { -- dns_parse_name(input, message).map(|(input, name)| 
(input, DNSRData::PTR(name))) -+fn dns_parse_rdata_ptr<'a>( -+ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, -+) -> IResult<&'a [u8], DNSRData> { -+ dns_parse_name(input, message, flags).map(|(input, name)| (input, DNSRData::PTR(name))) - } - --fn dns_parse_rdata_soa<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { -+fn dns_parse_rdata_soa<'a>( -+ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, -+) -> IResult<&'a [u8], DNSRData> { - let i = input; -- let (i, mname) = dns_parse_name(i, message)?; -- let (i, rname) = dns_parse_name(i, message)?; -+ let (i, mname) = dns_parse_name(i, message, flags)?; -+ let (i, rname) = dns_parse_name(i, message, flags)?; - let (i, serial) = be_u32(i)?; - let (i, refresh) = be_u32(i)?; - let (i, retry) = be_u32(i)?; -@@ -344,20 +357,24 @@ fn dns_parse_rdata_soa<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u - )) - } - --fn dns_parse_rdata_mx<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { -+fn dns_parse_rdata_mx<'a>( -+ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, -+) -> IResult<&'a [u8], DNSRData> { - // For MX we skip over the preference field before - // parsing out the name. 
- let (i, _) = be_u16(input)?; -- let (i, name) = dns_parse_name(i, message)?; -+ let (i, name) = dns_parse_name(i, message, flags)?; - Ok((i, DNSRData::MX(name))) - } - --fn dns_parse_rdata_srv<'a>(input: &'a [u8], message: &'a [u8]) -> IResult<&'a [u8], DNSRData> { -+fn dns_parse_rdata_srv<'a>( -+ input: &'a [u8], message: &'a [u8], flags: &mut DNSNameFlags, -+) -> IResult<&'a [u8], DNSRData> { - let i = input; - let (i, priority) = be_u16(i)?; - let (i, weight) = be_u16(i)?; - let (i, port) = be_u16(i)?; -- let (i, target) = dns_parse_name(i, message)?; -+ let (i, target) = dns_parse_name(i, message, flags)?; - Ok(( - i, - DNSRData::SRV(DNSRDataSRV { -@@ -398,26 +415,26 @@ fn dns_parse_rdata_unknown(input: &[u8]) -> IResult<&[u8], DNSRData> { - } - - pub fn dns_parse_rdata<'a>( -- input: &'a [u8], message: &'a [u8], rrtype: u16, -+ input: &'a [u8], message: &'a [u8], rrtype: u16, flags: &mut DNSNameFlags - ) -> IResult<&'a [u8], DNSRData> { - match rrtype { - DNS_RECORD_TYPE_A => dns_parse_rdata_a(input), - DNS_RECORD_TYPE_AAAA => dns_parse_rdata_aaaa(input), -- DNS_RECORD_TYPE_CNAME => dns_parse_rdata_cname(input, message), -- DNS_RECORD_TYPE_PTR => dns_parse_rdata_ptr(input, message), -- DNS_RECORD_TYPE_SOA => dns_parse_rdata_soa(input, message), -- DNS_RECORD_TYPE_MX => dns_parse_rdata_mx(input, message), -- DNS_RECORD_TYPE_NS => dns_parse_rdata_ns(input, message), -+ DNS_RECORD_TYPE_CNAME => dns_parse_rdata_cname(input, message, flags), -+ DNS_RECORD_TYPE_PTR => dns_parse_rdata_ptr(input, message, flags), -+ DNS_RECORD_TYPE_SOA => dns_parse_rdata_soa(input, message, flags), -+ DNS_RECORD_TYPE_MX => dns_parse_rdata_mx(input, message, flags), -+ DNS_RECORD_TYPE_NS => dns_parse_rdata_ns(input, message, flags), - DNS_RECORD_TYPE_TXT => dns_parse_rdata_txt(input), - DNS_RECORD_TYPE_NULL => dns_parse_rdata_null(input), - DNS_RECORD_TYPE_SSHFP => dns_parse_rdata_sshfp(input), -- DNS_RECORD_TYPE_SRV => dns_parse_rdata_srv(input, message), -+ DNS_RECORD_TYPE_SRV => 
dns_parse_rdata_srv(input, message, flags), - _ => dns_parse_rdata_unknown(input), - } - } - - /// Parse a DNS request. --pub fn dns_parse_request(input: &[u8]) -> IResult<&[u8], DNSRequest> { -+pub fn dns_parse_request(input: &[u8]) -> IResult<&[u8], (DNSRequest, DNSNameFlags)> { - let i = input; - let (i, header) = dns_parse_header(i)?; - dns_parse_request_body(i, input, header) -@@ -425,10 +442,11 @@ pub fn dns_parse_request(input: &[u8]) -> IResult<&[u8], DNSRequest> { - - pub fn dns_parse_request_body<'a>( - input: &'a [u8], message: &'a [u8], header: DNSHeader, --) -> IResult<&'a [u8], DNSRequest> { -+) -> IResult<&'a [u8], (DNSRequest, DNSNameFlags)> { -+ let mut flags = DNSNameFlags::default(); - let i = input; -- let (i, queries) = count(|b| dns_parse_query(b, message), header.questions as usize)(i)?; -- Ok((i, DNSRequest { header, queries })) -+ let (i, queries) = count(|b| dns_parse_query(b, message, &mut flags), header.questions as usize)(i)?; -+ Ok((i, (DNSRequest { header, queries }, flags))) - } - - #[cfg(test)] -@@ -447,7 +465,8 @@ mod tests { - 0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, /* .com.... */ - ]; - let expected_remainder: &[u8] = &[0x00, 0x01, 0x00]; -- let (remainder, name) = dns_parse_name(buf, buf).unwrap(); -+ let mut flags = DNSNameFlags::default(); -+ let (remainder, name) = dns_parse_name(buf, buf, &mut flags).unwrap(); - assert_eq!("client-cf.dropbox.com".as_bytes(), &name.value[..]); - assert_eq!(remainder, expected_remainder); - } -@@ -481,7 +500,8 @@ mod tests { - - // The name at offset 54 is the complete name. - let start1 = &buf[54..]; -- let res1 = dns_parse_name(start1, message); -+ let mut flags = DNSNameFlags::default(); -+ let res1 = dns_parse_name(start1, message, &mut flags); - assert_eq!( - res1, - Ok(( -@@ -496,7 +516,8 @@ mod tests { - // The second name starts at offset 80, but is just a pointer - // to the first. 
- let start2 = &buf[80..]; -- let res2 = dns_parse_name(start2, message); -+ let mut flags = DNSNameFlags::default(); -+ let res2 = dns_parse_name(start2, message, &mut flags); - assert_eq!( - res2, - Ok(( -@@ -511,7 +532,8 @@ mod tests { - // The third name starts at offset 94, but is a pointer to a - // portion of the first. - let start3 = &buf[94..]; -- let res3 = dns_parse_name(start3, message); -+ let mut flags = DNSNameFlags::default(); -+ let res3 = dns_parse_name(start3, message, &mut flags); - assert_eq!( - res3, - Ok(( -@@ -526,7 +548,8 @@ mod tests { - // The fourth name starts at offset 110, but is a pointer to a - // portion of the first. - let start4 = &buf[110..]; -- let res4 = dns_parse_name(start4, message); -+ let mut flags = DNSNameFlags::default(); -+ let res4 = dns_parse_name(start4, message, &mut flags); - assert_eq!( - res4, - Ok(( -@@ -567,7 +590,8 @@ mod tests { - // packet). - let start: &[u8] = &buf[100..]; - -- let res = dns_parse_name(start, message); -+ let mut flags = DNSNameFlags::default(); -+ let res = dns_parse_name(start, message, &mut flags); - assert_eq!( - res, - Ok(( -@@ -595,7 +619,7 @@ mod tests { - - let res = dns_parse_request(pkt); - match res { -- Ok((rem, request)) => { -+ Ok((rem, (request, _flags))) => { - // For now we have some remainder data as there is an - // additional record type we don't parse yet. - assert!(!rem.is_empty()); -@@ -626,7 +650,7 @@ mod tests { - } - - /// Parse a DNS response. -- fn dns_parse_response(message: &[u8]) -> IResult<&[u8], DNSResponse> { -+ fn dns_parse_response(message: &[u8]) -> IResult<&[u8], (DNSResponse, DNSNameFlags)> { - let i = message; - let (i, header) = dns_parse_header(i)?; - dns_parse_response_body(i, message, header) -@@ -653,7 +677,7 @@ mod tests { - - let res = dns_parse_response(pkt); - match res { -- Ok((rem, response)) => { -+ Ok((rem, (response, _flags))) => { - // The response should be full parsed. 
- assert_eq!(rem.len(), 0); - -@@ -745,7 +769,7 @@ mod tests { - - let res = dns_parse_response(pkt); - match res { -- Ok((rem, response)) => { -+ Ok((rem, (response, _flags))) => { - // For now we have some remainder data as there is an - // additional record type we don't parse yet. - assert!(!rem.is_empty()); -@@ -812,7 +836,7 @@ mod tests { - - let res = dns_parse_response(pkt); - match res { -- Ok((rem, response)) => { -+ Ok((rem, (response, _flags))) => { - // The response should be fully parsed. - assert_eq!(rem.len(), 0); - -@@ -924,7 +948,7 @@ mod tests { - - let res = dns_parse_response(pkt); - match res { -- Ok((rem, response)) => { -+ Ok((rem, (response, _flags))) => { - // The data should be fully parsed. - assert_eq!(rem.len(), 0); - -@@ -978,7 +1002,8 @@ mod tests { - } - } - -- let (rem, name) = dns_parse_name(&buf, &buf).unwrap(); -+ let mut flags = DNSNameFlags::default(); -+ let (rem, name) = dns_parse_name(&buf, &buf, &mut flags).unwrap(); - assert_eq!(name.value.len(), MAX_NAME_LEN); - assert!(name.flags.contains(DNSNameFlags::TRUNCATED)); - assert!(rem.is_empty()); -@@ -995,7 +1020,8 @@ mod tests { - // This should fail as we've hit the segment limit without a - // pointer, we'd need to keep parsing more segments to figure - // out where the next data point lies. 
-- assert!(dns_parse_name(&buf, &buf).is_err()); -+ let mut flags = DNSNameFlags::default(); -+ assert!(dns_parse_name(&buf, &buf, &mut flags).is_err()); - } - - #[test] -@@ -1015,7 +1041,8 @@ mod tests { - buf.push(0b1100_0000); - buf.push(0b000_0000); - -- let (_rem, name) = dns_parse_name(&buf[4..], &buf).unwrap(); -+ let mut flags = DNSNameFlags::default(); -+ let (_rem, name) = dns_parse_name(&buf[4..], &buf, &mut flags).unwrap(); - assert_eq!(name.value.len(), 255); - assert!(name.flags.contains(DNSNameFlags::TRUNCATED)); - } -@@ -1025,6 +1052,7 @@ mod tests { - let mut buf = vec![]; - buf.push(0b1100_0000); - buf.push(0b0000_0000); -- assert!(dns_parse_name(&buf, &buf).is_err()); -+ let mut flags = DNSNameFlags::default(); -+ assert!(dns_parse_name(&buf, &buf, &mut flags).is_err()); - } - } --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2025-29916-01.patch b/recipes-ids/suricata/files/CVE-2025-29916-01.patch deleted file mode 100644 index ae020e2..0000000 --- a/recipes-ids/suricata/files/CVE-2025-29916-01.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 2f432c99a9734ea3a75c9218f35060e11a7a39ad Mon Sep 17 00:00:00 2001 -From: Victor Julien -Date: Tue, 18 Mar 2025 10:55:39 +0100 -Subject: [PATCH] datasets: improve default hashsize handling - -Make hashsize default local to dataset code, instead of relying on the -thash code. - -Use the same default value as before. - -(cherry picked from commit d32a39ca4b53d7f659f4f0a2a5c162ef97dc4797) - -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/2f432c99a9734ea3a75c9218f35060e11a7a39ad] -CVE: CVE-2025-29916 -Signed-off-by: Hitendra Prajapati ---- - src/datasets.c | 37 +++++++++++++++++++++++-------------- - 1 file changed, 23 insertions(+), 14 deletions(-) - -diff --git a/src/datasets.c b/src/datasets.c -index 32bcf6e..89e7899 100644 ---- a/src/datasets.c -+++ b/src/datasets.c -@@ -677,6 +677,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, - } - } - -+ GetDefaultMemcap(&default_memcap, &default_hashsize); -+ if (hashsize == 0) { -+ hashsize = default_hashsize; -+ } -+ - set = DatasetAlloc(name); - if (set == NULL) { - goto out_err; -@@ -696,12 +701,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, - char cnf_name[128]; - snprintf(cnf_name, sizeof(cnf_name), "datasets.%s.hash", name); - -- GetDefaultMemcap(&default_memcap, &default_hashsize); - switch (type) { - case DATASET_TYPE_MD5: - set->hash = THashInit(cnf_name, sizeof(Md5Type), Md5StrSet, Md5StrFree, Md5StrHash, - Md5StrCompare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, -- hashsize > 0 ? hashsize : default_hashsize); -+ hashsize); - if (set->hash == NULL) - goto out_err; - if (DatasetLoadMd5(set) < 0) -@@ -710,7 +714,7 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, - case DATASET_TYPE_STRING: - set->hash = THashInit(cnf_name, sizeof(StringType), StringSet, StringFree, StringHash, - StringCompare, load != NULL ? 1 : 0, memcap > 0 ? 
memcap : default_memcap, -- hashsize > 0 ? hashsize : default_hashsize); -+ hashsize); - if (set->hash == NULL) - goto out_err; - if (DatasetLoadString(set) < 0) -@@ -719,26 +723,25 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, - case DATASET_TYPE_SHA256: - set->hash = THashInit(cnf_name, sizeof(Sha256Type), Sha256StrSet, Sha256StrFree, - Sha256StrHash, Sha256StrCompare, load != NULL ? 1 : 0, -- memcap > 0 ? memcap : default_memcap, -- hashsize > 0 ? hashsize : default_hashsize); -+ memcap > 0 ? memcap : default_memcap, hashsize); - if (set->hash == NULL) - goto out_err; - if (DatasetLoadSha256(set) < 0) - goto out_err; - break; - case DATASET_TYPE_IPV4: -- set->hash = THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash, -- IPv4Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, -- hashsize > 0 ? hashsize : default_hashsize); -+ set->hash = -+ THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash, IPv4Compare, -+ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize); - if (set->hash == NULL) - goto out_err; - if (DatasetLoadIPv4(set) < 0) - goto out_err; - break; - case DATASET_TYPE_IPV6: -- set->hash = THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash, -- IPv6Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, -- hashsize > 0 ? hashsize : default_hashsize); -+ set->hash = -+ THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash, IPv6Compare, -+ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize); - if (set->hash == NULL) - goto out_err; - if (DatasetLoadIPv6(set) < 0) -@@ -825,6 +828,10 @@ void DatasetPostReloadCleanup(void) - SCMutexUnlock(&sets_lock); - } - -+/* Value reflects THASH_DEFAULT_HASHSIZE which is what the default was earlier, -+ * despite 2048 commented out in the default yaml. 
*/ -+#define DATASETS_HASHSIZE_DEFAULT 4096 -+ - static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize) - { - const char *str = NULL; -@@ -836,12 +843,14 @@ static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize) - *memcap = 0; - } - } -+ -+ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT; - if (ConfGet("datasets.defaults.hashsize", &str) == 1) { - if (ParseSizeStringU32(str, hashsize) < 0) { -+ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT; - SCLogWarning("hashsize value cannot be deduced: %s," -- " resetting to default", -- str); -- *hashsize = 0; -+ " resetting to default: %u", -+ str, *hashsize); - } - } - } --- -2.49.0 - diff --git a/recipes-ids/suricata/files/CVE-2025-29916-02.patch b/recipes-ids/suricata/files/CVE-2025-29916-02.patch deleted file mode 100644 index fbaaabc..0000000 --- a/recipes-ids/suricata/files/CVE-2025-29916-02.patch +++ /dev/null 
@@ -1,197 +0,0 @@ -From e28c8c655a324a18932655a2c2b8f0d5aa1c55d7 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Tue, 18 Mar 2025 10:55:39 +0100 -Subject: [PATCH] detect: add configurable limits for datasets - -Ticket: 7615 - -Avoids signatures setting extreme hash sizes, which would lead to very -high memory use. - -Default to allowing: -- 65536 per dataset -- 16777216 total - -To override these built-in defaults: - -```yaml -datasets: - # Limits for per rule dataset instances to avoid rules using too many - # resources. - limits: - # Max value for per dataset `hashsize` setting - #single-hashsize: 65536 - # Max combined hashsize values for all datasets. - #total-hashsizes: 16777216 -``` - -(cherry picked from commit a7713db709b8a0be5fc5e5809ab58e9b14a16e85) - -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/e28c8c655a324a18932655a2c2b8f0d5aa1c55d7] -CVE: CVE-2025-29916 -Signed-off-by: Hitendra Prajapati ---- - src/datasets.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++ - src/util-thash.c | 5 ---- - suricata.yaml.in | 8 ++++++ - 3 files changed, 73 insertions(+), 5 deletions(-) - -diff --git a/src/datasets.c b/src/datasets.c -index 89e7899..0729894 100644 ---- a/src/datasets.c -+++ b/src/datasets.c -@@ -39,11 +39,16 @@ - #include "util-misc.h" - #include "util-path.h" - #include "util-debug.h" -+#include "util-validate.h" - - SCMutex sets_lock = SCMUTEX_INITIALIZER; - static Dataset *sets = NULL; - static uint32_t set_ids = 0; - -+uint32_t dataset_max_one_hashsize = 65536; -+uint32_t dataset_max_total_hashsize = 16777216; -+uint32_t dataset_used_hashsize = 0; -+ - static int DatasetAddwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, - DataRepType *rep); - -@@ -629,6 +634,34 @@ Dataset *DatasetFind(const char *name, enum DatasetTypes type) - return set; - } - -+static bool DatasetCheckHashsize(const char *name, uint32_t hash_size) -+{ -+ if (dataset_max_one_hashsize > 0 && hash_size > dataset_max_one_hashsize) { 
-+ SCLogError("hashsize %u in dataset '%s' exceeds configured 'single-hashsize' limit (%u)", -+ hash_size, name, dataset_max_one_hashsize); -+ return false; -+ } -+ // we cannot underflow as we know from conf loading that -+ // dataset_max_total_hashsize >= dataset_max_one_hashsize if dataset_max_total_hashsize > 0 -+ if (dataset_max_total_hashsize > 0 && -+ dataset_max_total_hashsize - hash_size < dataset_used_hashsize) { -+ SCLogError("hashsize %u in dataset '%s' exceeds configured 'total-hashsizes' limit (%u, in " -+ "use %u)", -+ hash_size, name, dataset_max_total_hashsize, dataset_used_hashsize); -+ return false; -+ } -+ -+ return true; -+} -+ -+static void DatasetUpdateHashsize(const char *name, uint32_t hash_size) -+{ -+ if (dataset_max_total_hashsize > 0) { -+ dataset_used_hashsize += hash_size; -+ SCLogDebug("set %s adding with hash_size %u", name, hash_size); -+ } -+} -+ - Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, - uint64_t memcap, uint32_t hashsize) - { -@@ -682,6 +715,10 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, - hashsize = default_hashsize; - } - -+ if (!DatasetCheckHashsize(name, hashsize)) { -+ goto out_err; -+ } -+ - set = DatasetAlloc(name); - if (set == NULL) { - goto out_err; -@@ -755,6 +792,10 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, - set->next = sets; - sets = set; - -+ /* hash size accounting */ -+ DEBUG_VALIDATE_BUG_ON(set->hash->config.hash_size != hashsize); -+ DatasetUpdateHashsize(set->name, set->hash->config.hash_size); -+ - SCMutexUnlock(&sets_lock); - return set; - out_err: -@@ -796,6 +837,9 @@ void DatasetReload(void) - continue; - } - set->hidden = true; -+ if (dataset_max_total_hashsize > 0) { -+ dataset_used_hashsize -= set->hash->config.hash_size; -+ } - SCLogDebug("Set %s at %p hidden successfully", set->name, set); - set = set->next; - } -@@ -863,6 +907,27 @@ int DatasetsInit(void) - 
uint32_t default_hashsize = 0; - GetDefaultMemcap(&default_memcap, &default_hashsize); - if (datasets != NULL) { -+ const char *str = NULL; -+ if (ConfGet("datasets.limits.total-hashsizes", &str) == 1) { -+ if (ParseSizeStringU32(str, &dataset_max_total_hashsize) < 0) { -+ FatalError("failed to parse datasets.limits.total-hashsizes value: %s", str); -+ } -+ } -+ if (ConfGet("datasets.limits.single-hashsize", &str) == 1) { -+ if (ParseSizeStringU32(str, &dataset_max_one_hashsize) < 0) { -+ FatalError("failed to parse datasets.limits.single-hashsize value: %s", str); -+ } -+ } -+ if (dataset_max_total_hashsize > 0 && -+ dataset_max_total_hashsize < dataset_max_one_hashsize) { -+ FatalError("total-hashsizes (%u) cannot be smaller than single-hashsize (%u)", -+ dataset_max_total_hashsize, dataset_max_one_hashsize); -+ } -+ if (dataset_max_total_hashsize > 0 && dataset_max_one_hashsize == 0) { -+ // the total limit also applies for single limit -+ dataset_max_one_hashsize = dataset_max_total_hashsize; -+ } -+ - int list_pos = 0; - ConfNode *iter = NULL; - TAILQ_FOREACH(iter, &datasets->head, next) { -diff --git a/src/util-thash.c b/src/util-thash.c -index 6443990..3fba3ef 100644 ---- a/src/util-thash.c -+++ b/src/util-thash.c -@@ -310,16 +310,11 @@ THashTableContext *THashInit(const char *cnf_prefix, size_t data_size, - ctx->config.hash_size = hashsize > 0 ? hashsize : THASH_DEFAULT_HASHSIZE; - /* Reset memcap in case of loading from file to the highest possible value - unless defined by the rule keyword */ --#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -- // limit memcap size to default when fuzzing -- ctx->config.memcap = THASH_DEFAULT_MEMCAP; --#else - if (memcap > 0) { - ctx->config.memcap = memcap; - } else { - ctx->config.memcap = reset_memcap ? 
UINT64_MAX : THASH_DEFAULT_MEMCAP; - } --#endif - ctx->config.prealloc = THASH_DEFAULT_PREALLOC; - - SC_ATOMIC_INIT(ctx->counter); -diff --git a/suricata.yaml.in b/suricata.yaml.in -index 6303991..b218515 100644 ---- a/suricata.yaml.in -+++ b/suricata.yaml.in -@@ -1167,6 +1167,14 @@ datasets: - #memcap: 100mb - #hashsize: 2048 - -+ # Limits for per rule dataset instances to avoid rules using too many -+ # resources. -+ limits: -+ # Max value for per dataset `hashsize` setting -+ #single-hashsize: 65536 -+ # Max combined hashsize values for all datasets. -+ #total-hashsizes: 16777216 -+ - rules: - # Set to true to allow absolute filenames and filenames that use - # ".." components to reference parent directories in rules that specify --- -2.49.0 - diff --git a/recipes-ids/suricata/files/CVE-2025-29916-03.patch b/recipes-ids/suricata/files/CVE-2025-29916-03.patch deleted file mode 100644 index 73e66a2..0000000 --- a/recipes-ids/suricata/files/CVE-2025-29916-03.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From d86c5f9f0c75736d4fce93e27c0773fcb27e1047 Mon Sep 17 00:00:00 2001 -From: Victor Julien -Date: Mon, 17 Mar 2025 21:19:13 +0100 -Subject: [PATCH] datasets: set higher hashsize limits - -To avoid possible upgrade issues, allow higher defaults than in the -master branch. Add some upgrade guidance and a note that defaults will -probably be further reduced. - -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/d86c5f9f0c75736d4fce93e27c0773fcb27e1047] -CVE: CVE-2025-29916 -Signed-off-by: Hitendra Prajapati ---- - src/datasets.c | 5 +++-- - suricata.yaml.in | 5 +++-- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/src/datasets.c b/src/datasets.c -index 0729894..f99f63c 100644 ---- a/src/datasets.c -+++ b/src/datasets.c -@@ -45,8 +45,9 @@ SCMutex sets_lock = SCMUTEX_INITIALIZER; - static Dataset *sets = NULL; - static uint32_t set_ids = 0; - --uint32_t dataset_max_one_hashsize = 65536; --uint32_t dataset_max_total_hashsize = 16777216; -+/* 4x what we set in master to allow a smoother upgrade path */ -+uint32_t dataset_max_one_hashsize = 262144; -+uint32_t dataset_max_total_hashsize = 67108864; - uint32_t dataset_used_hashsize = 0; - - static int DatasetAddwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, -diff --git a/suricata.yaml.in b/suricata.yaml.in -index b218515..59db9ef 100644 ---- a/suricata.yaml.in -+++ b/suricata.yaml.in -@@ -1169,11 +1169,12 @@ datasets: - - # Limits for per rule dataset instances to avoid rules using too many - # resources. -+ # Note: in Suricata 8 the built-in default will be set to lower values. - limits: - # Max value for per dataset `hashsize` setting -- #single-hashsize: 65536 -+ #single-hashsize: 262144 - # Max combined hashsize values for all datasets. -- #total-hashsizes: 16777216 -+ #total-hashsizes: 67108864 - - rules: - # Set to true to allow absolute filenames and filenames that use --- -2.49.0 - 
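Review bot: Deleting CVE-2025-29916-03.patch removes the backport that set dataset_max_one_hashsize to 262144 and dataset_max_total_hashsize to 67108864, and nothing in this hunk records which upstream release now carries the CVE-2025-29916 changes. Please name the new Suricata version in the commit message and confirm it includes them. Please also state which built-in limits that version ships with: the removed suricata.yaml.in comment says "in Suricata 8 the built-in default will be set to lower values", and the DatasetCheckHashsize() check from the -02 patch rejects any dataset whose hashsize exceeds single-hashsize, so existing rules may stop loading unless datasets.limits is set in the shipped configuration.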
diff --git a/recipes-ids/suricata/files/CVE-2025-29917.patch b/recipes-ids/suricata/files/CVE-2025-29917.patch deleted file mode 100644 index 8b30dbf..0000000 --- a/recipes-ids/suricata/files/CVE-2025-29917.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From bab716776ba3561cfbfd1a57fc18ff1f6859f019 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Tue, 17 Dec 2024 15:06:25 +0100 -Subject: [PATCH] detect: limit base64_decode `bytes` to 64KiB - -Ticket: 7613 - -Avoids potential large per-thread memory allocation. A buffer with the -size of the largest decode_base64 buffer size setting would be allocated -per thread. As this was a u32, it could mean a per-thread 4GiB memory -allocation. - -64KiB was already the built-in default for cases where bytes size wasn't -specified. - -(cherry picked from commit 32d0bd2bbb4d486623dec85a94952fde2515f2f0) - -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/bab716776ba3561cfbfd1a57fc18ff1f6859f019] -CVE: CVE-2025-29917 -Signed-off-by: Hitendra Prajapati ---- - doc/userguide/rules/base64-keywords.rst | 1 + - src/detect-base64-decode.c | 15 ++++++--------- - src/detect.h | 2 +- - 3 files changed, 8 insertions(+), 10 deletions(-) - -diff --git a/doc/userguide/rules/base64-keywords.rst b/doc/userguide/rules/base64-keywords.rst -index 7daf0c2..cf4e679 100644 ---- a/doc/userguide/rules/base64-keywords.rst -+++ b/doc/userguide/rules/base64-keywords.rst -@@ -15,6 +15,7 @@ Syntax:: - base64_decode:bytes , offset , relative; - - The ``bytes`` option specifies how many bytes Suricata should decode and make available for base64_data. -+This number is limited to 64KiB. - The decoding will stop at the end of the buffer. - - The ``offset`` option specifies how many bytes Suricata should skip before decoding. 
-diff --git a/src/detect-base64-decode.c b/src/detect-base64-decode.c -index 25fdf10..5ae38c5 100644 ---- a/src/detect-base64-decode.c -+++ b/src/detect-base64-decode.c -@@ -28,7 +28,7 @@ - #define BASE64_DECODE_MAX 65535 - - typedef struct DetectBase64Decode_ { -- uint32_t bytes; -+ uint16_t bytes; - uint32_t offset; - uint8_t relative; - } DetectBase64Decode; -@@ -111,8 +111,8 @@ int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s - return det_ctx->base64_decoded_len > 0; - } - --static int DetectBase64DecodeParse(const char *str, uint32_t *bytes, -- uint32_t *offset, uint8_t *relative) -+static int DetectBase64DecodeParse( -+ const char *str, uint16_t *bytes, uint32_t *offset, uint8_t *relative) - { - const char *bytes_str = NULL; - const char *offset_str = NULL; -@@ -132,7 +132,7 @@ static int DetectBase64DecodeParse(const char *str, uint32_t *bytes, - - if (pcre_rc >= 3) { - if (pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) { -- if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) { -+ if (StringParseUint16(bytes, 10, 0, bytes_str) <= 0) { - SCLogError("Bad value for bytes: \"%s\"", bytes_str); - goto error; - } -@@ -186,7 +186,7 @@ error: - static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s, - const char *str) - { -- uint32_t bytes = 0; -+ uint16_t bytes = 0; - uint32_t offset = 0; - uint8_t relative = 0; - DetectBase64Decode *data = NULL; -@@ -238,9 +238,6 @@ static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s, - data->bytes = BASE64_DECODE_MAX; - } - if (data->bytes > de_ctx->base64_decode_max_len) { --#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -- data->bytes = BASE64_DECODE_MAX; --#endif - de_ctx->base64_decode_max_len = data->bytes; - } - -@@ -272,7 +269,7 @@ static int g_http_header_buffer_id = 0; - static int DetectBase64TestDecodeParse(void) - { - int retval = 0; -- uint32_t bytes = 0; -+ uint16_t bytes = 0; - uint32_t offset = 0; - 
uint8_t relative = 0; - -diff --git a/src/detect.h b/src/detect.h -index 2760dda..fd938a1 100644 ---- a/src/detect.h -+++ b/src/detect.h -@@ -910,7 +910,7 @@ typedef struct DetectEngineCtx_ { - struct SigGroupHead_ *decoder_event_sgh; - - /* Maximum size of the buffer for decoded base64 data. */ -- uint32_t base64_decode_max_len; -+ uint16_t base64_decode_max_len; - - /** Store rule file and line so that parsers can use them in errors. */ - int rule_line; --- -2.49.0 - diff --git a/recipes-ids/suricata/files/CVE-2025-29918.patch b/recipes-ids/suricata/files/CVE-2025-29918.patch deleted file mode 100644 index da9d680..0000000 --- a/recipes-ids/suricata/files/CVE-2025-29918.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Tue, 28 Jan 2025 15:02:45 +0100 -Subject: [PATCH] detect/pcre: avoid infinite loop after negated pcre - -Ticket: 7526 - -The usage of negated pcre, followed by other relative payload -content keywords could lead to an infinite loop. - -This is because regular (not negated) pcre can test multiple -occurences, but negated pcre should be tried only once. - -(cherry picked from commit b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b) - -Upstream-Status: Backport [https://github.com/OISF/suricata/commit/f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6] -CVE: CVE-2025-29918 -Signed-off-by: Hitendra Prajapati ---- - src/detect-engine-content-inspection.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c -index 77ebb3f..2a789c9 100644 ---- a/src/detect-engine-content-inspection.c -+++ b/src/detect-engine-content-inspection.c -@@ -450,7 +450,6 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea - if (r == 0) { - goto no_match; - } -- - if (!(pe->flags & DETECT_PCRE_RELATIVE_NEXT)) { - SCLogDebug("no relative match coming up, so this is a match"); - goto match; -@@ -473,6 +472,11 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea - if (det_ctx->discontinue_matching) - goto no_match; - -+ if (prev_offset == 0) { -+ // This happens for negated PCRE -+ // We do not search for another occurrence of this pcre -+ SCReturnInt(0); -+ } - det_ctx->buffer_offset = prev_buffer_offset; - det_ctx->pcre_match_start_offset = prev_offset; - } while (1); --- -2.49.0 - diff --git a/recipes-ids/suricata/files/CVE-2025-53537-001.patch b/recipes-ids/suricata/files/CVE-2025-53537-001.patch deleted file mode 100644 index e16a59a..0000000 --- a/recipes-ids/suricata/files/CVE-2025-53537-001.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 226580d502ae98c148aaecc4846f78694b5e253c Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Tue, 11 Mar 2025 16:45:35 +0100 -Subject: [PATCH] decompressors: do not take data after end - - -CVE: CVE-2025-53537 -Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/226580d502ae98c148aaecc4846f78694b5e253c] -Signed-off-by: Hitendra Prajapati ---- - htp/htp_core.h | 5 ++++- - htp/htp_decompressors.c | 21 ++++++++++++--------- - 2 files changed, 16 insertions(+), 10 deletions(-) - -diff --git a/htp/htp_core.h b/htp/htp_core.h -index 7c23212..fb142c9 100644 ---- a/htp/htp_core.h -+++ b/htp/htp_core.h -@@ -161,7 +161,10 @@ enum htp_content_encoding_t { - HTP_COMPRESSION_DEFLATE = 3, - - /** LZMA compression. */ -- HTP_COMPRESSION_LZMA = 4 -+ HTP_COMPRESSION_LZMA = 4, -+ -+ /** No more data. */ -+ HTP_COMPRESSION_OVER = 5 - }; - - /** -diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c -index 19950df..0d94c30 100644 ---- a/htp/htp_decompressors.c -+++ b/htp/htp_decompressors.c -@@ -203,6 +203,8 @@ htp_status_t htp_gzip_decompressor_decompress(htp_decompressor_t *drec1, htp_tx_ - } - - return HTP_OK; -+ } else if (drec->zlib_initialized == HTP_COMPRESSION_OVER) { -+ return HTP_ERROR; - } - - if (d->data == NULL) { -@@ -316,15 +318,9 @@ restart: - // no initialization means previous error on stream - return HTP_ERROR; - } -- if (GZIP_BUF_SIZE > drec->stream.avail_out) { -- if (rc == Z_DATA_ERROR) { -- // There is data even if there is an error -- // So use this data and log a warning -- htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); -- rc = Z_STREAM_END; -- } -- } -- if (rc == Z_STREAM_END) { -+ -+ int error_after_data = (rc == Z_DATA_ERROR && drec->restart == 0 && GZIP_BUF_SIZE > drec->stream.avail_out); -+ if (rc == Z_STREAM_END || error_after_data) { - // How many bytes do we have? 
- size_t len = GZIP_BUF_SIZE - drec->stream.avail_out; - -@@ -351,6 +347,13 @@ restart: - drec->stream.next_out = drec->buffer; - // TODO Handle trailer. - -+ if (error_after_data) { -+ // There is data even if there is an error -+ // So use this data and log a warning -+ htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); -+ drec->zlib_initialized = HTP_COMPRESSION_OVER; -+ return HTP_ERROR; -+ } - return HTP_OK; - } - else if (rc != Z_OK) { --- -2.50.1 - diff --git a/recipes-ids/suricata/files/CVE-2025-53537-002.patch b/recipes-ids/suricata/files/CVE-2025-53537-002.patch deleted file mode 100644 index ff4f1a0..0000000 --- a/recipes-ids/suricata/files/CVE-2025-53537-002.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7 Mon Sep 17 00:00:00 2001 -From: Philippe Antoine -Date: Tue, 17 Jun 2025 10:12:47 +0200 -Subject: [PATCH] decompressors: fix leak in lzma error case - -Ticket: 7766 - -CVE: CVE-2025-53537 -Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7] -Signed-off-by: Hitendra Prajapati ---- - htp/htp_decompressors.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/htp/htp_decompressors.c b/htp/htp_decompressors.c -index 0d94c30..ce6cfe1 100644 ---- a/htp/htp_decompressors.c -+++ b/htp/htp_decompressors.c -@@ -351,6 +351,9 @@ restart: - // There is data even if there is an error - // So use this data and log a warning - htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip decompressor: inflate failed with %d", rc); -+ if (drec->zlib_initialized == HTP_COMPRESSION_LZMA) { -+ LzmaDec_Free(&drec->state, &lzma_Alloc); -+ } - drec->zlib_initialized = HTP_COMPRESSION_OVER; - return HTP_ERROR; - } --- -2.50.1 - diff --git a/recipes-ids/suricata/files/fixup.patch b/recipes-ids/suricata/files/fixup.patch deleted file mode 100644 index 0b2ae7c..0000000 --- a/recipes-ids/suricata/files/fixup.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -Skip pkg Makefile from using its own rust steps - -Upstream-Status: Inappropriate [OE Specific] - -Signed-off-by: Armin Kuster - -Index: suricata-7.0.0/Makefile.in -=================================================================== ---- suricata-7.0.0.orig/Makefile.in -+++ suricata-7.0.0/Makefile.in -@@ -424,7 +424,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s - acsite.m4 \ - scripts/generate-images.sh - --SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ -+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ - $(SURICATA_UPDATE_DIR) - - CLEANFILES = stamp-h[0-9]* -Index: suricata-7.0.0/Makefile.am -=================================================================== ---- suricata-7.0.0.orig/Makefile.am -+++ suricata-7.0.0/Makefile.am -@@ -8,7 +8,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s - lua \ - acsite.m4 \ - scripts/generate-images.sh --SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ -+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ - $(SURICATA_UPDATE_DIR) - - CLEANFILES = stamp-h[0-9]* diff --git a/recipes-ids/suricata/libhtp_0.5.45.bb b/recipes-ids/suricata/libhtp_0.5.52.bb similarity index 72% rename from recipes-ids/suricata/libhtp_0.5.45.bb rename to recipes-ids/suricata/libhtp_0.5.52.bb index b87db35..d849e8f 100644 --- a/recipes-ids/suricata/libhtp_0.5.45.bb +++ b/recipes-ids/suricata/libhtp_0.5.52.bb @@ -4,12 +4,8 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" -SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x \ - file://CVE-2024-45797.patch \ - file://CVE-2025-53537-001.patch \ - file://CVE-2025-53537-002.patch \ - " -SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af" +SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" +SRCREV = "314ca7360e141a1e40be58707b3abeefe32258c9" DEPENDS = "zlib" 
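Review bot: The SRC_URI change in libhtp_0.5.52.bb drops CVE-2024-45797.patch, CVE-2025-53537-001.patch and CVE-2025-53537-002.patch in the same step that moves SRCREV to 314ca7360e141a1e40be58707b3abeefe32258c9, but nothing in the hunk shows that this revision contains those fixes. Please confirm that the new SRCREV on branch 0.5.x includes the upstream commits the removed patches were backported from (226580d502ae98c148aaecc4846f78694b5e253c and 9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7 for CVE-2025-53537) and say so in the commit message, so CVE tracking for the recipe stays accurate once the patch files are gone.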
diff --git a/recipes-ids/suricata/suricata-crates.inc b/recipes-ids/suricata/suricata-crates.inc index 386d8d1..0755302 100644 --- a/recipes-ids/suricata/suricata-crates.inc +++ b/recipes-ids/suricata/suricata-crates.inc 
@@ -1,128 +1,547 @@ # Autogenerated with 'bitbake -c update_crates suricata' # from rust/Cargo.lock -SRC_URI += " \ - crate://crates.io/adler/1.0.2 \ - crate://crates.io/aead/0.4.3 \ - crate://crates.io/aes/0.7.5 \ - crate://crates.io/aes-gcm/0.9.4 \ - crate://crates.io/aho-corasick/0.7.20 \ - crate://crates.io/alloc-no-stdlib/2.0.4 \ - crate://crates.io/alloc-stdlib/0.2.2 \ - crate://crates.io/asn1-rs/0.5.2 \ - crate://crates.io/asn1-rs-derive/0.4.0 \ - crate://crates.io/asn1-rs-impl/0.1.0 \ - crate://crates.io/autocfg/1.1.0 \ - crate://crates.io/base64/0.13.1 \ - crate://crates.io/bendy/0.3.3 \ - crate://crates.io/bitflags/1.2.1 \ - crate://crates.io/block-buffer/0.10.4 \ - crate://crates.io/brotli/3.3.4 \ - crate://crates.io/brotli-decompressor/2.3.4 \ - crate://crates.io/build_const/0.2.2 \ - crate://crates.io/byteorder/1.4.3 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/cipher/0.3.0 \ - crate://crates.io/cpufeatures/0.2.9 \ - crate://crates.io/crc/1.8.1 \ - crate://crates.io/crc32fast/1.3.2 \ - crate://crates.io/crypto-common/0.1.6 \ - crate://crates.io/ctr/0.8.0 \ - crate://crates.io/data-encoding/2.4.0 \ - crate://crates.io/der-oid-macro/0.5.0 \ - crate://crates.io/der-parser/6.0.1 \ - crate://crates.io/der-parser/8.2.0 \ - crate://crates.io/digest/0.10.7 \ - crate://crates.io/displaydoc/0.2.4 \ - crate://crates.io/enum_primitive/0.1.1 \ - crate://crates.io/failure/0.1.8 \ - crate://crates.io/failure_derive/0.1.8 \ - crate://crates.io/flate2/1.0.26 \ - crate://crates.io/generic-array/0.14.7 \ - crate://crates.io/getrandom/0.2.10 \ - crate://crates.io/ghash/0.4.4 \ - crate://crates.io/hex/0.4.3 \ - crate://crates.io/hkdf/0.12.3 \ - crate://crates.io/hmac/0.12.1 \ - crate://crates.io/ipsec-parser/0.7.0 \ - crate://crates.io/itoa/1.0.8 \ - crate://crates.io/kerberos-parser/0.7.1 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.147 \ - crate://crates.io/lzma-rs/0.2.0 \ - crate://crates.io/md-5/0.10.5 \ - 
crate://crates.io/memchr/2.4.1 \ - crate://crates.io/minimal-lexical/0.2.1 \ - crate://crates.io/miniz_oxide/0.7.1 \ - crate://crates.io/nom/7.1.3 \ - crate://crates.io/nom-derive/0.10.1 \ - crate://crates.io/nom-derive-impl/0.10.1 \ - crate://crates.io/ntp-parser/0.6.0 \ - crate://crates.io/num/0.2.1 \ - crate://crates.io/num-bigint/0.2.6 \ - crate://crates.io/num-bigint/0.4.3 \ - crate://crates.io/num-complex/0.2.4 \ - crate://crates.io/num-derive/0.2.5 \ - crate://crates.io/num-integer/0.1.45 \ - crate://crates.io/num-iter/0.1.43 \ - crate://crates.io/num-rational/0.2.4 \ - crate://crates.io/num-traits/0.1.43 \ - crate://crates.io/num-traits/0.2.15 \ - crate://crates.io/num_enum/0.5.11 \ - crate://crates.io/num_enum_derive/0.5.11 \ - crate://crates.io/num_threads/0.1.6 \ - crate://crates.io/oid-registry/0.6.1 \ - crate://crates.io/opaque-debug/0.3.0 \ - crate://crates.io/phf/0.10.1 \ - crate://crates.io/phf_codegen/0.10.0 \ - crate://crates.io/phf_generator/0.10.0 \ - crate://crates.io/phf_shared/0.10.0 \ - crate://crates.io/polyval/0.5.3 \ - crate://crates.io/ppv-lite86/0.2.17 \ - crate://crates.io/proc-macro-crate/1.1.0 \ - crate://crates.io/proc-macro2/0.4.30 \ - crate://crates.io/proc-macro2/1.0.64 \ - crate://crates.io/quote/0.6.13 \ - crate://crates.io/quote/1.0.29 \ - crate://crates.io/rand/0.8.5 \ - crate://crates.io/rand_chacha/0.3.1 \ - crate://crates.io/rand_core/0.6.4 \ - crate://crates.io/regex/1.5.6 \ - crate://crates.io/regex-syntax/0.6.29 \ - crate://crates.io/rusticata-macros/4.1.0 \ - crate://crates.io/rustversion/1.0.13 \ - crate://crates.io/sawp/0.12.1 \ - crate://crates.io/sawp-flags/0.12.1 \ - crate://crates.io/sawp-flags-derive/0.12.1 \ - crate://crates.io/sawp-modbus/0.12.1 \ - crate://crates.io/serde/1.0.171 \ - crate://crates.io/sha1/0.10.5 \ - crate://crates.io/sha2/0.10.7 \ - crate://crates.io/siphasher/0.3.10 \ - crate://crates.io/snmp-parser/0.9.0 \ - crate://crates.io/subtle/2.4.1 \ - crate://crates.io/syn/0.15.44 \ - 
crate://crates.io/syn/1.0.109 \ - crate://crates.io/syn/2.0.25 \ - crate://crates.io/synstructure/0.12.6 \ - crate://crates.io/test-case/1.1.0 \ - crate://crates.io/thiserror/1.0.43 \ - crate://crates.io/thiserror-impl/1.0.43 \ - crate://crates.io/time/0.3.13 \ - crate://crates.io/time-macros/0.2.4 \ - crate://crates.io/tls-parser/0.11.0 \ - crate://crates.io/toml/0.5.11 \ - crate://crates.io/typenum/1.16.0 \ - crate://crates.io/unicode-ident/1.0.10 \ - crate://crates.io/unicode-xid/0.1.0 \ - crate://crates.io/unicode-xid/0.2.4 \ - crate://crates.io/universal-hash/0.4.1 \ - crate://crates.io/uuid/0.8.2 \ - crate://crates.io/version_check/0.9.4 \ - crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1 \ - crate://crates.io/widestring/0.4.3 \ - crate://crates.io/x509-parser/0.15.0 \ -" +SRC_URI += "crate://crates.io/adler/1.0.2 \ + crate://crates.io/aead/0.4.3 \ + crate://crates.io/aes/0.7.5 \ + crate://crates.io/aes-gcm/0.9.4 \ + crate://crates.io/aho-corasick/0.7.20 \ + crate://crates.io/alloc-no-stdlib/2.0.4 \ + crate://crates.io/alloc-stdlib/0.2.2 \ + crate://crates.io/asn1-rs/0.5.2 \ + crate://crates.io/asn1-rs-derive/0.4.0 \ + crate://crates.io/asn1-rs-impl/0.1.0 \ + crate://crates.io/autocfg/1.1.0 \ + crate://crates.io/base64/0.13.1 \ + crate://crates.io/bendy/0.3.3 \ + crate://crates.io/bitflags/1.2.1 \ + crate://crates.io/block-buffer/0.10.4 \ + crate://crates.io/brotli/8.0.1 \ + crate://crates.io/brotli-decompressor/5.0.0 \ + crate://crates.io/build_const/0.2.2 \ + crate://crates.io/byteorder/1.4.3 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/cipher/0.3.0 \ + crate://crates.io/cpufeatures/0.2.11 \ + crate://crates.io/crc/1.8.1 \ + crate://crates.io/crc32fast/1.3.2 \ + crate://crates.io/crypto-common/0.1.6 \ + crate://crates.io/ctr/0.8.0 \ + crate://crates.io/data-encoding/2.4.0 \ + crate://crates.io/der-oid-macro/0.5.0 \ + crate://crates.io/der-parser/6.0.1 \ + crate://crates.io/der-parser/8.2.0 \ + crate://crates.io/digest/0.10.7 \ + 
crate://crates.io/displaydoc/0.2.4 \ + crate://crates.io/enum_primitive/0.1.1 \ + crate://crates.io/failure/0.1.8 \ + crate://crates.io/failure_derive/0.1.8 \ + crate://crates.io/flate2/1.0.28 \ + crate://crates.io/generic-array/0.14.7 \ + crate://crates.io/getrandom/0.2.11 \ + crate://crates.io/ghash/0.4.4 \ + crate://crates.io/hex/0.4.3 \ + crate://crates.io/hkdf/0.12.3 \ + crate://crates.io/hmac/0.12.1 \ + crate://crates.io/ipsec-parser/0.7.0 \ + crate://crates.io/itoa/1.0.9 \ + crate://crates.io/kerberos-parser/0.7.1 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.150 \ + crate://crates.io/lzma-rs/0.2.0 \ + crate://crates.io/md-5/0.10.6 \ + crate://crates.io/memchr/2.4.1 \ + crate://crates.io/minimal-lexical/0.2.1 \ + crate://crates.io/miniz_oxide/0.7.1 \ + crate://crates.io/nom/7.1.3 \ + crate://crates.io/nom-derive/0.10.1 \ + crate://crates.io/nom-derive-impl/0.10.1 \ + crate://crates.io/ntp-parser/0.6.0 \ + crate://crates.io/num/0.2.1 \ + crate://crates.io/num-bigint/0.2.6 \ + crate://crates.io/num-bigint/0.4.4 \ + crate://crates.io/num-complex/0.2.4 \ + crate://crates.io/num-derive/0.4.2 \ + crate://crates.io/num-integer/0.1.45 \ + crate://crates.io/num-iter/0.1.43 \ + crate://crates.io/num-rational/0.2.4 \ + crate://crates.io/num-traits/0.1.43 \ + crate://crates.io/num-traits/0.2.17 \ + crate://crates.io/num_enum/0.5.11 \ + crate://crates.io/num_enum_derive/0.5.11 \ + crate://crates.io/num_threads/0.1.6 \ + crate://crates.io/oid-registry/0.6.1 \ + crate://crates.io/opaque-debug/0.3.0 \ + crate://crates.io/phf/0.10.1 \ + crate://crates.io/phf_codegen/0.10.0 \ + crate://crates.io/phf_generator/0.10.0 \ + crate://crates.io/phf_shared/0.10.0 \ + crate://crates.io/polyval/0.5.3 \ + crate://crates.io/ppv-lite86/0.2.17 \ + crate://crates.io/proc-macro-crate/1.1.0 \ + crate://crates.io/proc-macro2/1.0.69 \ + crate://crates.io/quote/1.0.33 \ + crate://crates.io/rand/0.8.5 \ + crate://crates.io/rand_chacha/0.3.1 \ + 
crate://crates.io/rand_core/0.6.4 \ + crate://crates.io/regex/1.5.6 \ + crate://crates.io/regex-syntax/0.6.29 \ + crate://crates.io/rusticata-macros/4.1.0 \ + crate://crates.io/rustversion/1.0.14 \ + crate://crates.io/sawp/0.12.1 \ + crate://crates.io/sawp-flags/0.12.1 \ + crate://crates.io/sawp-flags-derive/0.12.1 \ + crate://crates.io/sawp-modbus/0.12.1 \ + crate://crates.io/serde/1.0.192 \ + crate://crates.io/serde_derive/1.0.192 \ + crate://crates.io/sha1/0.10.6 \ + crate://crates.io/sha2/0.10.8 \ + crate://crates.io/siphasher/0.3.11 \ + crate://crates.io/snmp-parser/0.9.0 \ + crate://crates.io/subtle/2.4.1 \ + crate://crates.io/syn/1.0.109 \ + crate://crates.io/syn/2.0.39 \ + crate://crates.io/synstructure/0.12.6 \ + crate://crates.io/test-case/1.1.0 \ + crate://crates.io/thiserror/1.0.50 \ + crate://crates.io/thiserror-impl/1.0.50 \ + crate://crates.io/time/0.3.13 \ + crate://crates.io/time-macros/0.2.4 \ + crate://crates.io/tls-parser/0.11.0 \ + crate://crates.io/toml/0.5.11 \ + crate://crates.io/typenum/1.17.0 \ + crate://crates.io/unicode-ident/1.0.12 \ + crate://crates.io/unicode-xid/0.2.4 \ + crate://crates.io/universal-hash/0.4.1 \ + crate://crates.io/uuid/0.8.2 \ + crate://crates.io/version_check/0.9.4 \ + crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1 \ + crate://crates.io/widestring/0.4.3 \ + crate://crates.io/x509-parser/0.15.1 \ + crate://crates.io/ansi_term/0.12.1 \ + crate://crates.io/atty/0.2.14 \ + crate://crates.io/autocfg/0.1.8 \ + crate://crates.io/autocfg/1.1.0 \ + crate://crates.io/bitflags/1.3.2 \ + crate://crates.io/bstr/0.2.17 \ + crate://crates.io/bumpalo/3.11.1 \ + crate://crates.io/cast/0.2.7 \ + crate://crates.io/cast/0.3.0 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/clap/2.34.0 \ + crate://crates.io/cloudabi/0.0.3 \ + crate://crates.io/criterion/0.3.2 \ + crate://crates.io/criterion-plot/0.4.5 \ + crate://crates.io/crossbeam-channel/0.5.6 \ + crate://crates.io/crossbeam-deque/0.8.2 \ + 
crate://crates.io/crossbeam-epoch/0.9.11 \ + crate://crates.io/crossbeam-utils/0.8.12 \ + crate://crates.io/csv/1.1.6 \ + crate://crates.io/csv-core/0.1.10 \ + crate://crates.io/either/1.8.0 \ + crate://crates.io/fuchsia-cprng/0.1.1 \ + crate://crates.io/heck/0.3.3 \ + crate://crates.io/hermit-abi/0.1.19 \ + crate://crates.io/itertools/0.9.0 \ + crate://crates.io/itertools/0.10.5 \ + crate://crates.io/itoa/0.4.8 \ + crate://crates.io/itoa/1.0.4 \ + crate://crates.io/js-sys/0.3.60 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.135 \ + crate://crates.io/log/0.4.17 \ + crate://crates.io/memchr/2.5.0 \ + crate://crates.io/memoffset/0.6.5 \ + crate://crates.io/num-traits/0.2.15 \ + crate://crates.io/num_cpus/1.13.1 \ + crate://crates.io/once_cell/1.15.0 \ + crate://crates.io/oorandom/11.1.3 \ + crate://crates.io/plotters/0.2.15 \ + crate://crates.io/proc-macro-error/1.0.4 \ + crate://crates.io/proc-macro-error-attr/1.0.4 \ + crate://crates.io/proc-macro2/1.0.47 \ + crate://crates.io/quote/1.0.21 \ + crate://crates.io/rand/0.6.5 \ + crate://crates.io/rand_chacha/0.1.1 \ + crate://crates.io/rand_core/0.3.1 \ + crate://crates.io/rand_core/0.4.2 \ + crate://crates.io/rand_hc/0.1.0 \ + crate://crates.io/rand_isaac/0.1.1 \ + crate://crates.io/rand_jitter/0.1.4 \ + crate://crates.io/rand_os/0.1.3 \ + crate://crates.io/rand_pcg/0.1.2 \ + crate://crates.io/rand_xorshift/0.1.1 \ + crate://crates.io/rayon/1.5.3 \ + crate://crates.io/rayon-core/1.9.3 \ + crate://crates.io/rdrand/0.4.0 \ + crate://crates.io/regex/1.6.0 \ + crate://crates.io/regex-automata/0.1.10 \ + crate://crates.io/regex-syntax/0.6.27 \ + crate://crates.io/rustc_version/0.4.0 \ + crate://crates.io/ryu/1.0.11 \ + crate://crates.io/same-file/1.0.6 \ + crate://crates.io/scopeguard/1.1.0 \ + crate://crates.io/semver/1.0.14 \ + crate://crates.io/serde/1.0.146 \ + crate://crates.io/serde_derive/1.0.146 \ + crate://crates.io/serde_json/1.0.87 \ + crate://crates.io/strsim/0.8.0 \ + 
crate://crates.io/structopt/0.3.26 \ + crate://crates.io/structopt-derive/0.4.18 \ + crate://crates.io/syn/1.0.103 \ + crate://crates.io/textwrap/0.11.0 \ + crate://crates.io/tinytemplate/1.2.1 \ + crate://crates.io/unicode-ident/1.0.5 \ + crate://crates.io/unicode-segmentation/1.10.0 \ + crate://crates.io/unicode-width/0.1.10 \ + crate://crates.io/vec_map/0.8.2 \ + crate://crates.io/version_check/0.9.4 \ + crate://crates.io/walkdir/2.3.2 \ + crate://crates.io/wasm-bindgen/0.2.83 \ + crate://crates.io/wasm-bindgen-backend/0.2.83 \ + crate://crates.io/wasm-bindgen-macro/0.2.83 \ + crate://crates.io/wasm-bindgen-macro-support/0.2.83 \ + crate://crates.io/wasm-bindgen-shared/0.2.83 \ + crate://crates.io/web-sys/0.3.60 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-util/0.1.5 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/backtrace/0.3.46 \ + crate://crates.io/backtrace-sys/0.1.37 \ + crate://crates.io/cc/1.0.52 \ + crate://crates.io/cfg-if/0.1.10 \ + crate://crates.io/failure_derive/0.1.7 \ + crate://crates.io/libc/0.2.69 \ + crate://crates.io/proc-macro2/1.0.12 \ + crate://crates.io/quote/1.0.4 \ + crate://crates.io/rustc-demangle/0.1.16 \ + crate://crates.io/syn/1.0.18 \ + crate://crates.io/synstructure/0.12.3 \ + crate://crates.io/unicode-xid/0.2.0 \ + crate://crates.io/autocfg/1.1.0 \ + crate://crates.io/hashbrown/0.12.3 \ + crate://crates.io/indexmap/1.9.2 \ + crate://crates.io/itoa/1.0.5 \ + crate://crates.io/proc-macro2/1.0.50 \ + crate://crates.io/quote/1.0.23 \ + crate://crates.io/ryu/1.0.12 \ + crate://crates.io/serde/1.0.152 \ + crate://crates.io/serde_derive/1.0.152 \ + crate://crates.io/serde_json/1.0.91 \ + crate://crates.io/syn/1.0.107 \ + crate://crates.io/unicode-ident/1.0.6 \ + crate://crates.io/autocfg/1.0.1 \ + crate://crates.io/bit-set/0.5.2 \ + crate://crates.io/bit-vec/0.6.3 \ + crate://crates.io/bitflags/1.3.2 \ + 
crate://crates.io/byteorder/1.4.3 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/doc-comment/0.3.3 \ + crate://crates.io/fnv/1.0.7 \ + crate://crates.io/getrandom/0.2.3 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.106 \ + crate://crates.io/memchr/2.4.1 \ + crate://crates.io/minimal-lexical/0.2.1 \ + crate://crates.io/num-traits/0.2.14 \ + crate://crates.io/ppv-lite86/0.2.15 \ + crate://crates.io/proptest/1.0.0 \ + crate://crates.io/quick-error/1.2.3 \ + crate://crates.io/quick-error/2.0.1 \ + crate://crates.io/rand/0.8.4 \ + crate://crates.io/rand_chacha/0.3.1 \ + crate://crates.io/rand_core/0.6.3 \ + crate://crates.io/rand_hc/0.3.1 \ + crate://crates.io/rand_xorshift/0.3.0 \ + crate://crates.io/redox_syscall/0.2.10 \ + crate://crates.io/regex-syntax/0.6.25 \ + crate://crates.io/remove_dir_all/0.5.3 \ + crate://crates.io/rusty-fork/0.3.0 \ + crate://crates.io/tempfile/3.2.0 \ + crate://crates.io/wait-timeout/0.2.0 \ + crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/alloc-no-stdlib/2.0.4 \ + crate://crates.io/alloc-stdlib/0.2.2 \ + crate://crates.io/ansi_term/0.11.0 \ + crate://crates.io/basic-toml/0.1.2 \ + crate://crates.io/ctor/0.1.26 \ + crate://crates.io/difference/2.0.0 \ + crate://crates.io/glob/0.3.1 \ + crate://crates.io/itoa/1.0.6 \ + crate://crates.io/libc/0.2.142 \ + crate://crates.io/once_cell/1.17.1 \ + crate://crates.io/output_vt100/0.1.3 \ + crate://crates.io/pretty_assertions/0.6.1 \ + crate://crates.io/proc-macro2/1.0.56 \ + crate://crates.io/quote/1.0.26 \ + crate://crates.io/rustversion/1.0.12 \ + crate://crates.io/ryu/1.0.13 \ + crate://crates.io/serde/1.0.160 \ + crate://crates.io/serde_derive/1.0.160 \ + crate://crates.io/serde_json/1.0.96 \ + crate://crates.io/static_assertions/1.1.0 \ + crate://crates.io/syn/1.0.109 \ + 
crate://crates.io/syn/2.0.15 \ + crate://crates.io/termcolor/1.2.0 \ + crate://crates.io/thiserror/1.0.40 \ + crate://crates.io/thiserror-impl/1.0.40 \ + crate://crates.io/trybuild/1.0.80 \ + crate://crates.io/unicode-ident/1.0.8 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-util/0.1.5 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/asn1-rs/0.5.1 \ + crate://crates.io/asn1-rs-derive/0.4.0 \ + crate://crates.io/asn1-rs-impl/0.1.0 \ + crate://crates.io/atty/0.2.14 \ + crate://crates.io/autocfg/1.1.0 \ + crate://crates.io/base64/0.13.1 \ + crate://crates.io/basic-toml/0.1.2 \ + crate://crates.io/bitvec/1.0.1 \ + crate://crates.io/colored/2.0.0 \ + crate://crates.io/cookie-factory/0.3.2 \ + crate://crates.io/displaydoc/0.2.3 \ + crate://crates.io/funty/2.0.0 \ + crate://crates.io/glob/0.3.1 \ + crate://crates.io/hermit-abi/0.1.19 \ + crate://crates.io/hex-literal/0.3.4 \ + crate://crates.io/itoa/1.0.6 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.139 \ + crate://crates.io/memchr/2.5.0 \ + crate://crates.io/minimal-lexical/0.2.1 \ + crate://crates.io/nom/7.1.3 \ + crate://crates.io/num-bigint/0.4.3 \ + crate://crates.io/num-integer/0.1.45 \ + crate://crates.io/num-traits/0.2.15 \ + crate://crates.io/oid-registry/0.6.1 \ + crate://crates.io/once_cell/1.17.1 \ + crate://crates.io/pem/1.1.1 \ + crate://crates.io/proc-macro2/1.0.51 \ + crate://crates.io/quote/1.0.23 \ + crate://crates.io/radium/0.7.0 \ + crate://crates.io/rusticata-macros/4.1.0 \ + crate://crates.io/ryu/1.0.13 \ + crate://crates.io/serde/1.0.152 \ + crate://crates.io/serde_derive/1.0.152 \ + crate://crates.io/serde_json/1.0.94 \ + crate://crates.io/syn/1.0.109 \ + crate://crates.io/synstructure/0.12.6 \ + crate://crates.io/tap/1.0.1 \ + crate://crates.io/termcolor/1.2.0 \ + crate://crates.io/thiserror/1.0.39 \ + crate://crates.io/thiserror-impl/1.0.39 \ + 
crate://crates.io/time/0.3.20 \ + crate://crates.io/time-core/0.1.0 \ + crate://crates.io/time-macros/0.2.8 \ + crate://crates.io/trybuild/1.0.79 \ + crate://crates.io/unicode-ident/1.0.8 \ + crate://crates.io/unicode-xid/0.2.4 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-util/0.1.5 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/wyz/0.5.1 \ + crate://crates.io/alloc-no-stdlib/2.0.4 \ + crate://crates.io/alloc-stdlib/0.2.2 \ + crate://crates.io/block-buffer/0.10.4 \ + crate://crates.io/brotli-decompressor/5.0.0 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/cpufeatures/0.2.17 \ + crate://crates.io/crypto-common/0.1.6 \ + crate://crates.io/digest/0.10.7 \ + crate://crates.io/generic-array/0.14.7 \ + crate://crates.io/libc/0.2.172 \ + crate://crates.io/sha2/0.10.9 \ + crate://crates.io/typenum/1.18.0 \ + crate://crates.io/version_check/0.9.5 \ + crate://crates.io/atty/0.2.14 \ + crate://crates.io/autocfg/1.0.1 \ + crate://crates.io/bitflags/1.2.1 \ + crate://crates.io/bstr/0.2.16 \ + crate://crates.io/bumpalo/3.7.0 \ + crate://crates.io/cast/0.2.7 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/clap/2.33.3 \ + crate://crates.io/criterion/0.3.4 \ + crate://crates.io/criterion-plot/0.4.4 \ + crate://crates.io/crossbeam-channel/0.5.1 \ + crate://crates.io/crossbeam-deque/0.8.1 \ + crate://crates.io/crossbeam-epoch/0.9.5 \ + crate://crates.io/crossbeam-utils/0.8.5 \ + crate://crates.io/csv/1.1.6 \ + crate://crates.io/csv-core/0.1.10 \ + crate://crates.io/either/1.6.1 \ + crate://crates.io/getrandom/0.2.3 \ + crate://crates.io/half/1.7.1 \ + crate://crates.io/hermit-abi/0.1.19 \ + crate://crates.io/itertools/0.10.1 \ + crate://crates.io/itoa/0.4.7 \ + crate://crates.io/js-sys/0.3.52 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.99 \ + crate://crates.io/log/0.4.14 \ + crate://crates.io/memchr/2.4.0 \ + 
crate://crates.io/memoffset/0.6.4 \ + crate://crates.io/num-traits/0.2.14 \ + crate://crates.io/num_cpus/1.13.0 \ + crate://crates.io/oorandom/11.1.3 \ + crate://crates.io/phf_shared/0.10.0 \ + crate://crates.io/plotters/0.3.1 \ + crate://crates.io/plotters-backend/0.3.2 \ + crate://crates.io/plotters-svg/0.3.1 \ + crate://crates.io/ppv-lite86/0.2.10 \ + crate://crates.io/proc-macro2/1.0.28 \ + crate://crates.io/quote/1.0.9 \ + crate://crates.io/rand/0.8.4 \ + crate://crates.io/rand_chacha/0.3.1 \ + crate://crates.io/rand_core/0.6.3 \ + crate://crates.io/rand_hc/0.3.1 \ + crate://crates.io/rayon/1.5.1 \ + crate://crates.io/rayon-core/1.9.1 \ + crate://crates.io/regex/1.5.4 \ + crate://crates.io/regex-automata/0.1.10 \ + crate://crates.io/regex-syntax/0.6.25 \ + crate://crates.io/rustc_version/0.4.0 \ + crate://crates.io/ryu/1.0.5 \ + crate://crates.io/same-file/1.0.6 \ + crate://crates.io/scopeguard/1.1.0 \ + crate://crates.io/semver/1.0.4 \ + crate://crates.io/serde/1.0.127 \ + crate://crates.io/serde_cbor/0.11.1 \ + crate://crates.io/serde_derive/1.0.127 \ + crate://crates.io/serde_json/1.0.66 \ + crate://crates.io/siphasher/0.3.6 \ + crate://crates.io/syn/1.0.74 \ + crate://crates.io/textwrap/0.11.0 \ + crate://crates.io/tinytemplate/1.2.1 \ + crate://crates.io/unicode-width/0.1.8 \ + crate://crates.io/unicode-xid/0.2.2 \ + crate://crates.io/walkdir/2.3.2 \ + crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \ + crate://crates.io/wasm-bindgen/0.2.75 \ + crate://crates.io/wasm-bindgen-backend/0.2.75 \ + crate://crates.io/wasm-bindgen-macro/0.2.75 \ + crate://crates.io/wasm-bindgen-macro-support/0.2.75 \ + crate://crates.io/wasm-bindgen-shared/0.2.75 \ + crate://crates.io/web-sys/0.3.52 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-util/0.1.5 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/alloc-no-stdlib/2.0.4 \ + crate://crates.io/asn1-rs/0.5.2 \ + 
crate://crates.io/asn1-rs-derive/0.4.0 \ + crate://crates.io/asn1-rs-impl/0.1.0 \ + crate://crates.io/autocfg/1.1.0 \ + crate://crates.io/bumpalo/3.13.0 \ + crate://crates.io/cc/1.0.81 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/data-encoding/2.4.0 \ + crate://crates.io/der-parser/8.2.0 \ + crate://crates.io/deranged/0.3.7 \ + crate://crates.io/displaydoc/0.2.4 \ + crate://crates.io/itoa/1.0.9 \ + crate://crates.io/js-sys/0.3.64 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.147 \ + crate://crates.io/log/0.4.19 \ + crate://crates.io/memchr/2.5.0 \ + crate://crates.io/minimal-lexical/0.2.1 \ + crate://crates.io/nom/7.1.3 \ + crate://crates.io/num-bigint/0.4.3 \ + crate://crates.io/num-integer/0.1.45 \ + crate://crates.io/num-traits/0.2.16 \ + crate://crates.io/oid-registry/0.6.1 \ + crate://crates.io/once_cell/1.18.0 \ + crate://crates.io/proc-macro2/1.0.66 \ + crate://crates.io/quote/1.0.32 \ + crate://crates.io/ring/0.16.20 \ + crate://crates.io/rusticata-macros/4.1.0 \ + crate://crates.io/serde/1.0.180 \ + crate://crates.io/spin/0.5.2 \ + crate://crates.io/syn/1.0.109 \ + crate://crates.io/syn/2.0.28 \ + crate://crates.io/synstructure/0.12.6 \ + crate://crates.io/thiserror/1.0.44 \ + crate://crates.io/thiserror-impl/1.0.44 \ + crate://crates.io/time/0.3.25 \ + crate://crates.io/time-core/0.1.1 \ + crate://crates.io/time-macros/0.2.11 \ + crate://crates.io/unicode-ident/1.0.11 \ + crate://crates.io/unicode-xid/0.2.4 \ + crate://crates.io/untrusted/0.7.1 \ + crate://crates.io/wasm-bindgen/0.2.87 \ + crate://crates.io/wasm-bindgen-backend/0.2.87 \ + crate://crates.io/wasm-bindgen-macro/0.2.87 \ + crate://crates.io/wasm-bindgen-macro-support/0.2.87 \ + crate://crates.io/wasm-bindgen-shared/0.2.87 \ + crate://crates.io/web-sys/0.3.64 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/aho-corasick/0.7.18 \ + 
crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/getrandom/0.2.6 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.125 \ + crate://crates.io/memchr/2.5.0 \ + crate://crates.io/quickcheck/1.0.3 \ + crate://crates.io/rand/0.8.5 \ + crate://crates.io/rand_core/0.6.3 \ + crate://crates.io/regex-syntax/0.6.26 \ + crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \ + crate://crates.io/addr2line/0.14.0 \ + crate://crates.io/adler/0.2.3 \ + crate://crates.io/aho-corasick/0.7.15 \ + crate://crates.io/autocfg/1.0.1 \ + crate://crates.io/backtrace/0.3.54 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/failure/0.1.8 \ + crate://crates.io/failure_derive/0.1.8 \ + crate://crates.io/gimli/0.23.0 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.80 \ + crate://crates.io/memchr/2.3.4 \ + crate://crates.io/miniz_oxide/0.4.3 \ + crate://crates.io/object/0.22.0 \ + crate://crates.io/proc-macro2/1.0.24 \ + crate://crates.io/quote/1.0.7 \ + crate://crates.io/regex/1.4.2 \ + crate://crates.io/regex-syntax/0.6.21 \ + crate://crates.io/rustc-demangle/0.1.18 \ + crate://crates.io/serde/1.0.117 \ + crate://crates.io/serde_bytes/0.11.5 \ + crate://crates.io/serde_derive/1.0.117 \ + crate://crates.io/syn/1.0.48 \ + crate://crates.io/synstructure/0.12.4 \ + crate://crates.io/thread_local/1.0.1 \ + crate://crates.io/unicode-xid/0.2.1 \ + crate://crates.io/adler/1.0.2 \ + crate://crates.io/cc/1.0.79 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/cloudflare-zlib-sys/0.3.0 \ + crate://crates.io/cmake/0.1.50 \ + crate://crates.io/crc32fast/1.3.2 \ + crate://crates.io/getrandom/0.2.9 \ + crate://crates.io/libc/0.2.144 \ + crate://crates.io/libz-ng-sys/1.1.10 \ + crate://crates.io/libz-sys/1.1.10 \ + crate://crates.io/miniz_oxide/0.7.1 \ + crate://crates.io/pkg-config/0.3.27 \ + crate://crates.io/ppv-lite86/0.2.17 \ + crate://crates.io/quickcheck/1.0.3 \ + crate://crates.io/rand/0.8.5 \ + crate://crates.io/rand_chacha/0.3.1 \ + 
crate://crates.io/rand_core/0.6.4 \ + crate://crates.io/vcpkg/0.2.15 \ + crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1 \ + " SRC_URI[adler-1.0.2.sha256sum] = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" SRC_URI[aead-0.4.3.sha256sum] = "0b613b8e1e3cf911a086f53f03bf286f52fd7a7258e4fa606f0ef220d39d8877" 
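Review bot: the header still says this list is autogenerated from rust/Cargo.lock, but the added SRC_URI reads like several lock files concatenated. The same entry recurs many times (cfg-if/1.0.0, autocfg/1.1.0, winapi/0.3.9, lazy_static/1.4.0), and single crates appear at many versions (libc from 0.2.69 to 0.2.172, serde from 1.0.117 to 1.0.192). It also pulls in crates that look like test, benchmark or non-Linux dependencies (criterion, proptest, quickcheck, trybuild, wasm-bindgen, winapi, cloudabi, fuchsia-cprng) along with old releases such as ring/0.16.20 and regex/1.4.2. Every entry here is fetched and ends up in the source archive, SBOM and CVE scanning, so please either limit the list to what rust/Cargo.lock resolves for the build, or explain in the commit message which additional lock files were merged and why, and deduplicate the entries.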
@@ -139,13 +558,13 @@ SRC_URI[base64-0.13.1.sha256sum] = "9e1b586273c5702936fe7b7d6896644d8be71e6314cf SRC_URI[bendy-0.3.3.sha256sum] = "8133e404c8bec821e531f347dab1247bf64f60882826e7228f8ffeb33a35a658" SRC_URI[bitflags-1.2.1.sha256sum] = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" SRC_URI[block-buffer-0.10.4.sha256sum] = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71" -SRC_URI[brotli-3.3.4.sha256sum] = "a1a0b1dbcc8ae29329621f8d4f0d835787c1c38bb1401979b49d13b0b305ff68" -SRC_URI[brotli-decompressor-2.3.4.sha256sum] = "4b6561fd3f895a11e8f72af2cb7d22e08366bebc2b6b57f7744c4bda27034744" +SRC_URI[brotli-8.0.1.sha256sum] = "9991eea70ea4f293524138648e41ee89b0b2b12ddef3b255effa43c8056e0e0d" +SRC_URI[brotli-decompressor-5.0.0.sha256sum] = "874bb8112abecc98cbd6d81ea4fa7e94fb9449648c93cc89aa40c81c24d7de03" SRC_URI[build_const-0.2.2.sha256sum] = "b4ae4235e6dac0694637c763029ecea1a2ec9e4e06ec2729bd21ba4d9c863eb7" SRC_URI[byteorder-1.4.3.sha256sum] = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" SRC_URI[cipher-0.3.0.sha256sum] = "7ee52072ec15386f770805afd189a01c8841be8696bed250fa2f13c4c0d6dfb7" -SRC_URI[cpufeatures-0.2.9.sha256sum] = "a17b76ff3a4162b0b27f354a0c87015ddad39d35f9c0c36607a3bdd175dde1f1" +SRC_URI[cpufeatures-0.2.11.sha256sum] = "ce420fe07aecd3e67c5f910618fe65e94158f6dcc0adf44e00d69ce2bdfe0fd0" SRC_URI[crc-1.8.1.sha256sum] = "d663548de7f5cca343f1e0a48d14dcfb0e9eb4e079ec58883b7251539fa10aeb" SRC_URI[crc32fast-1.3.2.sha256sum] = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d" SRC_URI[crypto-common-0.1.6.sha256sum] = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" 
@@ -159,20 +578,20 @@ SRC_URI[displaydoc-0.2.4.sha256sum] = "487585f4d0c6655fe74905e2504d8ad6908e4db67 SRC_URI[enum_primitive-0.1.1.sha256sum] = "be4551092f4d519593039259a9ed8daedf0da12e5109c5280338073eaeb81180" SRC_URI[failure-0.1.8.sha256sum] = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86" SRC_URI[failure_derive-0.1.8.sha256sum] = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4" -SRC_URI[flate2-1.0.26.sha256sum] = "3b9429470923de8e8cbd4d2dc513535400b4b3fef0319fb5c4e1f520a7bef743" +SRC_URI[flate2-1.0.28.sha256sum] = "46303f565772937ffe1d394a4fac6f411c6013172fadde9dcdb1e147a086940e" SRC_URI[generic-array-0.14.7.sha256sum] = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" -SRC_URI[getrandom-0.2.10.sha256sum] = "be4136b2a15dd319360be1c07d9933517ccf0be8f16bf62a3bee4f0d618df427" +SRC_URI[getrandom-0.2.11.sha256sum] = "fe9006bed769170c11f845cf00c7c1e9092aeb3f268e007c3e760ac68008070f" SRC_URI[ghash-0.4.4.sha256sum] = "1583cc1656d7839fd3732b80cf4f38850336cdb9b8ded1cd399ca62958de3c99" SRC_URI[hex-0.4.3.sha256sum] = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" SRC_URI[hkdf-0.12.3.sha256sum] = "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437" SRC_URI[hmac-0.12.1.sha256sum] = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" SRC_URI[ipsec-parser-0.7.0.sha256sum] = "2cf8413e5de78bcbc51880ff71f4b64105719abe6efb8b4b877d3c7dc494ddd1" -SRC_URI[itoa-1.0.8.sha256sum] = "62b02a5381cc465bd3041d84623d0fa3b66738b52b8e2fc3bab8ad63ab032f4a" +SRC_URI[itoa-1.0.9.sha256sum] = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" SRC_URI[kerberos-parser-0.7.1.sha256sum] = "c10e7cfd4759cbce37ea65e2f48caebd695c246196a38e97ba4f731da48996da" SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" -SRC_URI[libc-0.2.147.sha256sum] = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" 
+SRC_URI[libc-0.2.150.sha256sum] = "89d92a4743f9a61002fae18374ed11e7973f530cb3a3255fb354818118b2203c" SRC_URI[lzma-rs-0.2.0.sha256sum] = "aba8ecb0450dfabce4ad72085eed0a75dffe8f21f7ada05638564ea9db2d7fb1" -SRC_URI[md-5-0.10.5.sha256sum] = "6365506850d44bff6e2fbcb5176cf63650e48bd45ef2fe2665ae1570e0f4b9ca" +SRC_URI[md-5-0.10.6.sha256sum] = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf" SRC_URI[memchr-2.4.1.sha256sum] = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a" SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" SRC_URI[miniz_oxide-0.7.1.sha256sum] = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7" 
@@ -182,14 +601,14 @@ SRC_URI[nom-derive-impl-0.10.1.sha256sum] = "cd0b9a93a84b0d3ec3e70e02d332dc33ac6 SRC_URI[ntp-parser-0.6.0.sha256sum] = "76084be9bf432d487336dd4e39b31ad93f94aecb14b81f08724f4a37b9abb7a5" SRC_URI[num-0.2.1.sha256sum] = "b8536030f9fea7127f841b45bb6243b27255787fb4eb83958aa1ef9d2fdc0c36" SRC_URI[num-bigint-0.2.6.sha256sum] = "090c7f9998ee0ff65aa5b723e4009f7b217707f1fb5ea551329cc4d6231fb304" -SRC_URI[num-bigint-0.4.3.sha256sum] = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f" +SRC_URI[num-bigint-0.4.4.sha256sum] = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0" SRC_URI[num-complex-0.2.4.sha256sum] = "b6b19411a9719e753aff12e5187b74d60d3dc449ec3f4dc21e3989c3f554bc95" -SRC_URI[num-derive-0.2.5.sha256sum] = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2" +SRC_URI[num-derive-0.4.2.sha256sum] = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9" SRC_URI[num-iter-0.1.43.sha256sum] = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252" SRC_URI[num-rational-0.2.4.sha256sum] = "5c000134b5dbf44adc5cb772486d335293351644b801551abe8f75c84cfa4aef" SRC_URI[num-traits-0.1.43.sha256sum] = "92e5113e9fd4cc14ded8e499429f396a20f98c772a47cc8622a736e1ec843c31" -SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd" +SRC_URI[num-traits-0.2.17.sha256sum] = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c" SRC_URI[num_enum-0.5.11.sha256sum] = "1f646caf906c20226733ed5b1374287eb97e3c2a5c227ce668c1f2ce20ae57c9" SRC_URI[num_enum_derive-0.5.11.sha256sum] = "dcbff9bc912032c62bf65ef1d5aea88983b420f4f839db1e9b0c281a25c9c799" SRC_URI[num_threads-0.1.6.sha256sum] = "2819ce041d2ee131036f4fc9d6ae7ae125a3a40e97ba64d04fe799ad9dabbb44" 
@@ -202,140 +621,46 @@ SRC_URI[phf_shared-0.10.0.sha256sum] = "b6796ad771acdc0123d2a88dc428b5e38ef24456 SRC_URI[polyval-0.5.3.sha256sum] = "8419d2b623c7c0896ff2d5d96e2cb4ede590fed28fcc34934f4c33c036e620a1" SRC_URI[ppv-lite86-0.2.17.sha256sum] = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" SRC_URI[proc-macro-crate-1.1.0.sha256sum] = "1ebace6889caf889b4d3f76becee12e90353f2b8c7d875534a71e5742f8f6f83" -SRC_URI[proc-macro2-0.4.30.sha256sum] = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759" -SRC_URI[proc-macro2-1.0.64.sha256sum] = "78803b62cbf1f46fde80d7c0e803111524b9877184cfe7c3033659490ac7a7da" -SRC_URI[quote-0.6.13.sha256sum] = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1" -SRC_URI[quote-1.0.29.sha256sum] = "573015e8ab27661678357f27dc26460738fd2b6c86e46f386fde94cb5d913105" +SRC_URI[proc-macro2-1.0.69.sha256sum] = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da" +SRC_URI[quote-1.0.33.sha256sum] = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" SRC_URI[rand_core-0.6.4.sha256sum] = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" SRC_URI[regex-1.5.6.sha256sum] = "d83f127d94bdbcda4c8cc2e50f6f84f4b611f69c902699ca385a39c3a75f9ff1" SRC_URI[regex-syntax-0.6.29.sha256sum] = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" SRC_URI[rusticata-macros-4.1.0.sha256sum] = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632" -SRC_URI[rustversion-1.0.13.sha256sum] = "dc31bd9b61a32c31f9650d18add92aa83a49ba979c143eefd27fe7177b05bd5f" +SRC_URI[rustversion-1.0.14.sha256sum] = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" SRC_URI[sawp-0.12.1.sha256sum] = "7e74f84d736420afcba72f689a494d275c97cf4775c3fe248f937e9d3bf83e30" 
SRC_URI[sawp-flags-0.12.1.sha256sum] = "1f2b22023d224b5314d51e53bfb2dbca53dc2cf90a4435aa4feb78172799dad0" SRC_URI[sawp-flags-derive-0.12.1.sha256sum] = "49a585d3c22887d23bb06dd602b8ce96c2a716e1fa89beec8bfb49e466f2d643" SRC_URI[sawp-modbus-0.12.1.sha256sum] = "2cbad9b003999a0f3016fb3603da113ff86f06279ccf6aacb577058168c0568d" -SRC_URI[serde-1.0.171.sha256sum] = "30e27d1e4fd7659406c492fd6cfaf2066ba8773de45ca75e855590f856dc34a9" -SRC_URI[sha1-0.10.5.sha256sum] = "f04293dc80c3993519f2d7f6f511707ee7094fe0c6d3406feb330cdb3540eba3" -SRC_URI[sha2-0.10.7.sha256sum] = "479fb9d862239e610720565ca91403019f2f00410f1864c5aa7479b950a76ed8" -SRC_URI[siphasher-0.3.10.sha256sum] = "7bd3e3206899af3f8b12af284fafc038cc1dc2b41d1b89dd17297221c5d225de" +SRC_URI[serde-1.0.192.sha256sum] = "bca2a08484b285dcb282d0f67b26cadc0df8b19f8c12502c13d966bf9482f001" +SRC_URI[serde_derive-1.0.192.sha256sum] = "d6c7207fbec9faa48073f3e3074cbe553af6ea512d7c21ba46e434e70ea9fbc1" +SRC_URI[sha1-0.10.6.sha256sum] = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" +SRC_URI[sha2-0.10.8.sha256sum] = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" +SRC_URI[siphasher-0.3.11.sha256sum] = "38b58827f4464d87d377d175e90bf58eb00fd8716ff0a62f80356b5e61555d0d" SRC_URI[snmp-parser-0.9.0.sha256sum] = "773a26ad6742636f4259e7cc32262efb31feabd56bc34f0b2f28de9801aa24b3" SRC_URI[subtle-2.4.1.sha256sum] = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" -SRC_URI[syn-0.15.44.sha256sum] = "9ca4b3b69a77cbe1ffc9e198781b7acb0c7365a883670e8f1c1bc66fba79a5c5" SRC_URI[syn-1.0.109.sha256sum] = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" -SRC_URI[syn-2.0.25.sha256sum] = "15e3fc8c0c74267e2df136e5e5fb656a464158aa57624053375eb9c8c6e25ae2" +SRC_URI[syn-2.0.39.sha256sum] = "23e78b90f2fcf45d3e842032ce32e3f2d1545ba6636271dcbf24fa306d87be7a" SRC_URI[synstructure-0.12.6.sha256sum] = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f" 
SRC_URI[test-case-1.1.0.sha256sum] = "956044ef122917dde830c19dec5f76d0670329fde4104836d62ebcb14f4865f1" -SRC_URI[thiserror-1.0.43.sha256sum] = "a35fc5b8971143ca348fa6df4f024d4d55264f3468c71ad1c2f365b0a4d58c42" -SRC_URI[thiserror-impl-1.0.43.sha256sum] = "463fe12d7993d3b327787537ce8dd4dfa058de32fc2b195ef3cde03dc4771e8f" +SRC_URI[thiserror-1.0.50.sha256sum] = "f9a7210f5c9a7156bb50aa36aed4c95afb51df0df00713949448cf9e97d382d2" +SRC_URI[thiserror-impl-1.0.50.sha256sum] = "266b2e40bc00e5a6c09c3584011e08b06f123c00362c92b975ba9843aaaa14b8" SRC_URI[time-0.3.13.sha256sum] = "db76ff9fa4b1458b3c7f077f3ff9887394058460d21e634355b273aaf11eea45" SRC_URI[time-macros-0.2.4.sha256sum] = "42657b1a6f4d817cda8e7a0ace261fe0cc946cf3a80314390b22cc61ae080792" SRC_URI[tls-parser-0.11.0.sha256sum] = "409206e2de64edbf7ea99a44ac31680daf9ef1a57895fb3c5bd738a903691be0" SRC_URI[toml-0.5.11.sha256sum] = "f4f7f0dd8d50a853a531c426359045b1998f04219d88799810762cd4ad314234" -SRC_URI[typenum-1.16.0.sha256sum] = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba" -SRC_URI[unicode-ident-1.0.10.sha256sum] = "22049a19f4a68748a168c0fc439f9516686aa045927ff767eca0a85101fb6e73" -SRC_URI[unicode-xid-0.1.0.sha256sum] = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc" +SRC_URI[typenum-1.17.0.sha256sum] = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" +SRC_URI[unicode-ident-1.0.12.sha256sum] = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" SRC_URI[unicode-xid-0.2.4.sha256sum] = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c" SRC_URI[universal-hash-0.4.1.sha256sum] = "9f214e8f697e925001e66ec2c6e37a4ef93f0f78c2eed7814394e10c62025b05" SRC_URI[uuid-0.8.2.sha256sum] = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7" SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" SRC_URI[wasi-0.11.0+wasi-snapshot-preview1.sha256sum] = 
"9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" SRC_URI[widestring-0.4.3.sha256sum] = "c168940144dd21fd8046987c16a46a33d5fc84eec29ef9dcddc2ac9e31526b7c" -SRC_URI[x509-parser-0.15.0.sha256sum] = "bab0c2f54ae1d92f4fcb99c0b7ccf0b1e3451cbd395e5f115ccbdbcb18d4f634" +SRC_URI[x509-parser-0.15.1.sha256sum] = "7069fba5b66b9193bd2c5d3d4ff12b839118f6bcbef5328efafafb5395cf63da" # from rust/vendor/base64/Cargo.lock -SRC_URI += " \ - crate://crates.io/ansi_term/0.12.1 \ - crate://crates.io/atty/0.2.14 \ - crate://crates.io/autocfg/0.1.8 \ - crate://crates.io/autocfg/1.1.0 \ - crate://crates.io/bitflags/1.3.2 \ - crate://crates.io/bstr/0.2.17 \ - crate://crates.io/bumpalo/3.11.1 \ - crate://crates.io/cast/0.2.7 \ - crate://crates.io/cast/0.3.0 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/clap/2.34.0 \ - crate://crates.io/cloudabi/0.0.3 \ - crate://crates.io/criterion/0.3.2 \ - crate://crates.io/criterion-plot/0.4.5 \ - crate://crates.io/crossbeam-channel/0.5.6 \ - crate://crates.io/crossbeam-deque/0.8.2 \ - crate://crates.io/crossbeam-epoch/0.9.11 \ - crate://crates.io/crossbeam-utils/0.8.12 \ - crate://crates.io/csv/1.1.6 \ - crate://crates.io/csv-core/0.1.10 \ - crate://crates.io/either/1.8.0 \ - crate://crates.io/fuchsia-cprng/0.1.1 \ - crate://crates.io/heck/0.3.3 \ - crate://crates.io/hermit-abi/0.1.19 \ - crate://crates.io/itertools/0.9.0 \ - crate://crates.io/itertools/0.10.5 \ - crate://crates.io/itoa/0.4.8 \ - crate://crates.io/itoa/1.0.4 \ - crate://crates.io/js-sys/0.3.60 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.135 \ - crate://crates.io/log/0.4.17 \ - crate://crates.io/memchr/2.5.0 \ - crate://crates.io/memoffset/0.6.5 \ - crate://crates.io/num-traits/0.2.15 \ - crate://crates.io/num_cpus/1.13.1 \ - crate://crates.io/once_cell/1.15.0 \ - crate://crates.io/oorandom/11.1.3 \ - crate://crates.io/plotters/0.2.15 \ - crate://crates.io/proc-macro-error/1.0.4 \ - crate://crates.io/proc-macro-error-attr/1.0.4 \ - 
crate://crates.io/proc-macro2/1.0.47 \ - crate://crates.io/quote/1.0.21 \ - crate://crates.io/rand/0.6.5 \ - crate://crates.io/rand_chacha/0.1.1 \ - crate://crates.io/rand_core/0.3.1 \ - crate://crates.io/rand_core/0.4.2 \ - crate://crates.io/rand_hc/0.1.0 \ - crate://crates.io/rand_isaac/0.1.1 \ - crate://crates.io/rand_jitter/0.1.4 \ - crate://crates.io/rand_os/0.1.3 \ - crate://crates.io/rand_pcg/0.1.2 \ - crate://crates.io/rand_xorshift/0.1.1 \ - crate://crates.io/rayon/1.5.3 \ - crate://crates.io/rayon-core/1.9.3 \ - crate://crates.io/rdrand/0.4.0 \ - crate://crates.io/regex/1.6.0 \ - crate://crates.io/regex-automata/0.1.10 \ - crate://crates.io/regex-syntax/0.6.27 \ - crate://crates.io/rustc_version/0.4.0 \ - crate://crates.io/ryu/1.0.11 \ - crate://crates.io/same-file/1.0.6 \ - crate://crates.io/scopeguard/1.1.0 \ - crate://crates.io/semver/1.0.14 \ - crate://crates.io/serde/1.0.146 \ - crate://crates.io/serde_derive/1.0.146 \ - crate://crates.io/serde_json/1.0.87 \ - crate://crates.io/strsim/0.8.0 \ - crate://crates.io/structopt/0.3.26 \ - crate://crates.io/structopt-derive/0.4.18 \ - crate://crates.io/syn/1.0.103 \ - crate://crates.io/textwrap/0.11.0 \ - crate://crates.io/tinytemplate/1.2.1 \ - crate://crates.io/unicode-ident/1.0.5 \ - crate://crates.io/unicode-segmentation/1.10.0 \ - crate://crates.io/unicode-width/0.1.10 \ - crate://crates.io/vec_map/0.8.2 \ - crate://crates.io/version_check/0.9.4 \ - crate://crates.io/walkdir/2.3.2 \ - crate://crates.io/wasm-bindgen/0.2.83 \ - crate://crates.io/wasm-bindgen-backend/0.2.83 \ - crate://crates.io/wasm-bindgen-macro/0.2.83 \ - crate://crates.io/wasm-bindgen-macro-support/0.2.83 \ - crate://crates.io/wasm-bindgen-shared/0.2.83 \ - crate://crates.io/web-sys/0.3.60 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-util/0.1.5 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ -" SRC_URI[ansi_term-0.12.1.sha256sum] = 
"d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2" SRC_URI[atty-0.2.14.sha256sum] = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8" 
@@ -426,38 +751,74 @@ SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761 SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178" SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +# from rust/vendor/failure/Cargo.lock + +SRC_URI[backtrace-0.3.46.sha256sum] = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e" +SRC_URI[backtrace-sys-0.1.37.sha256sum] = "18fbebbe1c9d1f383a9cc7e8ccdb471b91c8d024ee9c2ca5b5346121fe8b4399" +SRC_URI[cc-1.0.52.sha256sum] = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d" +SRC_URI[cfg-if-0.1.10.sha256sum] = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822" +SRC_URI[failure_derive-0.1.7.sha256sum] = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231" +SRC_URI[libc-0.2.69.sha256sum] = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005" +SRC_URI[proc-macro2-1.0.12.sha256sum] = "8872cf6f48eee44265156c111456a700ab3483686b3f96df4cf5481c89157319" +SRC_URI[quote-1.0.4.sha256sum] = "4c1f4b0efa5fc5e8ceb705136bfee52cfdb6a4e3509f770b478cd6ed434232a7" +SRC_URI[rustc-demangle-0.1.16.sha256sum] = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783" +SRC_URI[syn-1.0.18.sha256sum] = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213" +SRC_URI[synstructure-0.12.3.sha256sum] = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545" +SRC_URI[unicode-xid-0.2.0.sha256sum] = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c" +# from rust/vendor/toml/Cargo.lock + +SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +SRC_URI[hashbrown-0.12.3.sha256sum] = 
"8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" +SRC_URI[indexmap-1.9.2.sha256sum] = "1885e79c1fc4b10f0e172c475f458b7f7b93061064d98c3293e98c5ba0c8b399" +SRC_URI[itoa-1.0.5.sha256sum] = "fad582f4b9e86b6caa621cabeb0963332d92eea04729ab12892c2533951e6440" +SRC_URI[proc-macro2-1.0.50.sha256sum] = "6ef7d57beacfaf2d8aee5937dab7b7f28de3cb8b1828479bb5de2a7106f2bae2" +SRC_URI[quote-1.0.23.sha256sum] = "8856d8364d252a14d474036ea1358d63c9e6965c8e5c1885c18f73d70bff9c7b" +SRC_URI[ryu-1.0.12.sha256sum] = "7b4b9743ed687d4b4bcedf9ff5eaa7398495ae14e61cba0a295704edbc7decde" +SRC_URI[serde-1.0.152.sha256sum] = "bb7d1f0d3021d347a83e556fc4683dea2ea09d87bccdf88ff5c12545d89d5efb" +SRC_URI[serde_derive-1.0.152.sha256sum] = "af487d118eecd09402d70a5d72551860e788df87b464af30e5ea6a38c75c541e" +SRC_URI[serde_json-1.0.91.sha256sum] = "877c235533714907a8c2464236f5c4b2a17262ef1bd71f38f35ea592c8da6883" +SRC_URI[syn-1.0.107.sha256sum] = "1f4064b5b16e03ae50984a5a8ed5d4f8803e6bc1fd170a3cda91a1be4b18e3f5" +SRC_URI[unicode-ident-1.0.6.sha256sum] = "84a22b9f218b40614adcb3f4ff08b703773ad44fa9423e4e0d346d5db86e4ebc" +# from rust/vendor/nom/Cargo.lock + +SRC_URI[autocfg-1.0.1.sha256sum] = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" +SRC_URI[bit-set-0.5.2.sha256sum] = "6e11e16035ea35e4e5997b393eacbf6f63983188f7a2ad25bfb13465f5ad59de" +SRC_URI[bit-vec-0.6.3.sha256sum] = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" +SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" +SRC_URI[byteorder-1.4.3.sha256sum] = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" +SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +SRC_URI[doc-comment-0.3.3.sha256sum] = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10" +SRC_URI[fnv-1.0.7.sha256sum] = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" 
+SRC_URI[getrandom-0.2.3.sha256sum] = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753" +SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +SRC_URI[libc-0.2.106.sha256sum] = "a60553f9a9e039a333b4e9b20573b9e9b9c0bb3a11e201ccc48ef4283456d673" +SRC_URI[memchr-2.4.1.sha256sum] = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a" +SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" +SRC_URI[num-traits-0.2.14.sha256sum] = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290" +SRC_URI[ppv-lite86-0.2.15.sha256sum] = "ed0cfbc8191465bed66e1718596ee0b0b35d5ee1f41c5df2189d0fe8bde535ba" +SRC_URI[proptest-1.0.0.sha256sum] = "1e0d9cc07f18492d879586c92b485def06bc850da3118075cd45d50e9c95b0e5" +SRC_URI[quick-error-1.2.3.sha256sum] = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0" +SRC_URI[quick-error-2.0.1.sha256sum] = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3" +SRC_URI[rand-0.8.4.sha256sum] = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8" +SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" +SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7" +SRC_URI[rand_hc-0.3.1.sha256sum] = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7" +SRC_URI[rand_xorshift-0.3.0.sha256sum] = "d25bf25ec5ae4a3f1b92f929810509a2f53d7dca2f50b794ff57e3face536c8f" +SRC_URI[redox_syscall-0.2.10.sha256sum] = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff" +SRC_URI[regex-syntax-0.6.25.sha256sum] = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b" +SRC_URI[remove_dir_all-0.5.3.sha256sum] = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7" +SRC_URI[rusty-fork-0.3.0.sha256sum] = 
"cb3dcc6e454c328bb824492db107ab7c0ae8fcffe4ad210136ef014458c1bc4f" +SRC_URI[tempfile-3.2.0.sha256sum] = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22" +SRC_URI[wait-timeout-0.2.0.sha256sum] = "9f200f5b12eb75f8c1ed65abd4b2db8a6e1b138a20de009dacee265a2498f3f6" +SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" +SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" +SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +# from rust/vendor/brotli-decompressor/Cargo.lock + +SRC_URI[alloc-no-stdlib-2.0.4.sha256sum] = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3" +SRC_URI[alloc-stdlib-0.2.2.sha256sum] = "94fb8275041c72129eb51b7d0322c29b8387a0386127718b096429201a5d6ece" # from rust/vendor/displaydoc/Cargo.lock -SRC_URI += " \ - crate://crates.io/ansi_term/0.11.0 \ - crate://crates.io/basic-toml/0.1.2 \ - crate://crates.io/ctor/0.1.26 \ - crate://crates.io/difference/2.0.0 \ - crate://crates.io/glob/0.3.1 \ - crate://crates.io/itoa/1.0.6 \ - crate://crates.io/libc/0.2.142 \ - crate://crates.io/once_cell/1.17.1 \ - crate://crates.io/output_vt100/0.1.3 \ - crate://crates.io/pretty_assertions/0.6.1 \ - crate://crates.io/proc-macro2/1.0.56 \ - crate://crates.io/quote/1.0.26 \ - crate://crates.io/rustversion/1.0.12 \ - crate://crates.io/ryu/1.0.13 \ - crate://crates.io/serde/1.0.160 \ - crate://crates.io/serde_derive/1.0.160 \ - crate://crates.io/serde_json/1.0.96 \ - crate://crates.io/static_assertions/1.1.0 \ - crate://crates.io/syn/1.0.109 \ - crate://crates.io/syn/2.0.15 \ - crate://crates.io/termcolor/1.2.0 \ - crate://crates.io/thiserror/1.0.40 \ - crate://crates.io/thiserror-impl/1.0.40 \ - crate://crates.io/trybuild/1.0.80 \ 
- crate://crates.io/unicode-ident/1.0.8 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-util/0.1.5 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ -" SRC_URI[ansi_term-0.11.0.sha256sum] = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b" SRC_URI[basic-toml-0.1.2.sha256sum] = "5c0de75129aa8d0cceaf750b89013f0e08804d6ec61416da787b35ad0d7cddf1" 
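Review bot: the new `# from rust/vendor/nom/Cargo.lock` section re-adds `SRC_URI[winapi-0.3.9.sha256sum]`, `SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum]` and `SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum]`, keys that already appear as unchanged context at the top of this same hunk. The visible values match, but a later assignment to the same flag replaces the earlier one, so updating only one copy in a future bump would change the expected checksum without any visible conflict. Suggest emitting each name-version key once, or stating in the commit message that the per-lockfile sections are generated and duplicates are expected. The empty `+` line after each `# from ...` comment, left where the `SRC_URI +=` block used to sit, can go as well.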
@@ -489,60 +850,6 @@ SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5c SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178" SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" # from rust/vendor/asn1-rs/Cargo.lock -SRC_URI += " \ - crate://crates.io/asn1-rs/0.5.1 \ - crate://crates.io/asn1-rs-derive/0.4.0 \ - crate://crates.io/asn1-rs-impl/0.1.0 \ - crate://crates.io/atty/0.2.14 \ - crate://crates.io/autocfg/1.1.0 \ - crate://crates.io/base64/0.13.1 \ - crate://crates.io/basic-toml/0.1.2 \ - crate://crates.io/bitvec/1.0.1 \ - crate://crates.io/colored/2.0.0 \ - crate://crates.io/cookie-factory/0.3.2 \ - crate://crates.io/displaydoc/0.2.3 \ - crate://crates.io/funty/2.0.0 \ - crate://crates.io/glob/0.3.1 \ - crate://crates.io/hermit-abi/0.1.19 \ - crate://crates.io/hex-literal/0.3.4 \ - crate://crates.io/itoa/1.0.6 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.139 \ - crate://crates.io/memchr/2.5.0 \ - crate://crates.io/minimal-lexical/0.2.1 \ - crate://crates.io/nom/7.1.3 \ - crate://crates.io/num-bigint/0.4.3 \ - crate://crates.io/num-integer/0.1.45 \ - crate://crates.io/num-traits/0.2.15 \ - crate://crates.io/oid-registry/0.6.1 \ - crate://crates.io/once_cell/1.17.1 \ - crate://crates.io/pem/1.1.1 \ - crate://crates.io/proc-macro2/1.0.51 \ - crate://crates.io/quote/1.0.23 \ - crate://crates.io/radium/0.7.0 \ - crate://crates.io/rusticata-macros/4.1.0 \ - crate://crates.io/ryu/1.0.13 \ - crate://crates.io/serde/1.0.152 \ - crate://crates.io/serde_derive/1.0.152 \ - crate://crates.io/serde_json/1.0.94 \ - crate://crates.io/syn/1.0.109 \ - crate://crates.io/synstructure/0.12.6 \ - crate://crates.io/tap/1.0.1 \ - crate://crates.io/termcolor/1.2.0 \ - crate://crates.io/thiserror/1.0.39 \ - crate://crates.io/thiserror-impl/1.0.39 \ - crate://crates.io/time/0.3.20 \ - 
crate://crates.io/time-core/0.1.0 \ - crate://crates.io/time-macros/0.2.8 \ - crate://crates.io/trybuild/1.0.79 \ - crate://crates.io/unicode-ident/1.0.8 \ - crate://crates.io/unicode-xid/0.2.4 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-util/0.1.5 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ - crate://crates.io/wyz/0.5.1 \ -" SRC_URI[asn1-rs-0.5.1.sha256sum] = "cf6690c370453db30743b373a60ba498fc0d6d83b11f4abfd87a84a075db5dd4" SRC_URI[asn1-rs-derive-0.4.0.sha256sum] = "726535892e8eae7e70657b4c8ea93d26b8553afb1ce617caee529ef96d7dee6c" 
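Review bot: the `SRC_URI +=` block of `crate://crates.io/...` entries under `# from rust/vendor/asn1-rs/Cargo.lock` is deleted, but the checksum flags that belong to it (`SRC_URI[asn1-rs-0.5.1.sha256sum]`, `SRC_URI[asn1-rs-derive-0.4.0.sha256sum]`) stay as unchanged context. A `sha256sum` flag is only consulted when a URI carrying that name is fetched, so if these crates are not listed elsewhere in the file the flags are dead entries that give no integrity coverage; if the URIs moved to a consolidated list, the commit message should say so. Entries such as `trybuild/1.0.79` come from the vendored crate's own lockfile, and cargo resolves the build from the top-level Cargo.lock only, so it is worth asking whether this section needs to be tracked at all.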
@@ -596,383 +903,22 @@ SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5c SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178" SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" SRC_URI[wyz-0.5.1.sha256sum] = "05f360fc0b24296329c78fda852a1e9ae82de9cf7b27dae4b7f62f118f77b9ed" -# from rust/vendor/flate2/Cargo.lock -SRC_URI += " \ - crate://crates.io/adler/1.0.2 \ - crate://crates.io/cc/1.0.73 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/cloudflare-zlib-sys/0.3.0 \ - crate://crates.io/cmake/0.1.48 \ - crate://crates.io/crc32fast/1.3.2 \ - crate://crates.io/getrandom/0.2.6 \ - crate://crates.io/libc/0.2.124 \ - crate://crates.io/libz-ng-sys/1.1.8 \ - crate://crates.io/libz-sys/1.1.8 \ - crate://crates.io/miniz_oxide/0.7.1 \ - crate://crates.io/pkg-config/0.3.25 \ - crate://crates.io/ppv-lite86/0.2.16 \ - crate://crates.io/quickcheck/1.0.3 \ - crate://crates.io/rand/0.8.5 \ - crate://crates.io/rand_chacha/0.3.1 \ - crate://crates.io/rand_core/0.6.3 \ - crate://crates.io/vcpkg/0.2.15 \ - crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \ -" - -SRC_URI[adler-1.0.2.sha256sum] = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" -SRC_URI[cc-1.0.73.sha256sum] = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11" -SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" -SRC_URI[cloudflare-zlib-sys-0.3.0.sha256sum] = "2040b6d1edfee6d75f172d81e2d2a7807534f3f294ce18184c70e7bb0105cd6f" -SRC_URI[cmake-0.1.48.sha256sum] = "e8ad8cef104ac57b68b89df3208164d228503abbdce70f6880ffa3d970e7443a" -SRC_URI[crc32fast-1.3.2.sha256sum] = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d" -SRC_URI[getrandom-0.2.6.sha256sum] = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" -SRC_URI[libc-0.2.124.sha256sum] = 
"21a41fed9d98f27ab1c6d161da622a4fa35e8a54a8adc24bbf3ddd0ef70b0e50" -SRC_URI[libz-ng-sys-1.1.8.sha256sum] = "4399ae96a9966bf581e726de86969f803a81b7ce795fcd5480e640589457e0f2" -SRC_URI[libz-sys-1.1.8.sha256sum] = "9702761c3935f8cc2f101793272e202c72b99da8f4224a19ddcf1279a6450bbf" -SRC_URI[miniz_oxide-0.7.1.sha256sum] = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7" -SRC_URI[pkg-config-0.3.25.sha256sum] = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae" -SRC_URI[ppv-lite86-0.2.16.sha256sum] = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872" -SRC_URI[quickcheck-1.0.3.sha256sum] = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6" -SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" -SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" -SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7" -SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" -SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" -# from rust/vendor/toml/Cargo.lock -SRC_URI += " \ - crate://crates.io/autocfg/1.1.0 \ - crate://crates.io/hashbrown/0.12.3 \ - crate://crates.io/indexmap/1.9.2 \ - crate://crates.io/itoa/1.0.5 \ - crate://crates.io/proc-macro2/1.0.50 \ - crate://crates.io/quote/1.0.23 \ - crate://crates.io/ryu/1.0.12 \ - crate://crates.io/serde/1.0.152 \ - crate://crates.io/serde_derive/1.0.152 \ - crate://crates.io/serde_json/1.0.91 \ - crate://crates.io/syn/1.0.107 \ - crate://crates.io/unicode-ident/1.0.6 \ -" - -SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" -SRC_URI[hashbrown-0.12.3.sha256sum] = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" -SRC_URI[indexmap-1.9.2.sha256sum] = 
"1885e79c1fc4b10f0e172c475f458b7f7b93061064d98c3293e98c5ba0c8b399" -SRC_URI[itoa-1.0.5.sha256sum] = "fad582f4b9e86b6caa621cabeb0963332d92eea04729ab12892c2533951e6440" -SRC_URI[proc-macro2-1.0.50.sha256sum] = "6ef7d57beacfaf2d8aee5937dab7b7f28de3cb8b1828479bb5de2a7106f2bae2" -SRC_URI[quote-1.0.23.sha256sum] = "8856d8364d252a14d474036ea1358d63c9e6965c8e5c1885c18f73d70bff9c7b" -SRC_URI[ryu-1.0.12.sha256sum] = "7b4b9743ed687d4b4bcedf9ff5eaa7398495ae14e61cba0a295704edbc7decde" -SRC_URI[serde-1.0.152.sha256sum] = "bb7d1f0d3021d347a83e556fc4683dea2ea09d87bccdf88ff5c12545d89d5efb" -SRC_URI[serde_derive-1.0.152.sha256sum] = "af487d118eecd09402d70a5d72551860e788df87b464af30e5ea6a38c75c541e" -SRC_URI[serde_json-1.0.91.sha256sum] = "877c235533714907a8c2464236f5c4b2a17262ef1bd71f38f35ea592c8da6883" -SRC_URI[syn-1.0.107.sha256sum] = "1f4064b5b16e03ae50984a5a8ed5d4f8803e6bc1fd170a3cda91a1be4b18e3f5" -SRC_URI[unicode-ident-1.0.6.sha256sum] = "84a22b9f218b40614adcb3f4ff08b703773ad44fa9423e4e0d346d5db86e4ebc" -# from rust/vendor/nom/Cargo.lock -SRC_URI += " \ - crate://crates.io/autocfg/1.0.1 \ - crate://crates.io/bit-set/0.5.2 \ - crate://crates.io/bit-vec/0.6.3 \ - crate://crates.io/bitflags/1.3.2 \ - crate://crates.io/byteorder/1.4.3 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/doc-comment/0.3.3 \ - crate://crates.io/fnv/1.0.7 \ - crate://crates.io/getrandom/0.2.3 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.106 \ - crate://crates.io/memchr/2.4.1 \ - crate://crates.io/minimal-lexical/0.2.1 \ - crate://crates.io/num-traits/0.2.14 \ - crate://crates.io/ppv-lite86/0.2.15 \ - crate://crates.io/proptest/1.0.0 \ - crate://crates.io/quick-error/1.2.3 \ - crate://crates.io/quick-error/2.0.1 \ - crate://crates.io/rand/0.8.4 \ - crate://crates.io/rand_chacha/0.3.1 \ - crate://crates.io/rand_core/0.6.3 \ - crate://crates.io/rand_hc/0.3.1 \ - crate://crates.io/rand_xorshift/0.3.0 \ - crate://crates.io/redox_syscall/0.2.10 \ - 
crate://crates.io/regex-syntax/0.6.25 \ - crate://crates.io/remove_dir_all/0.5.3 \ - crate://crates.io/rusty-fork/0.3.0 \ - crate://crates.io/tempfile/3.2.0 \ - crate://crates.io/wait-timeout/0.2.0 \ - crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ -" - -SRC_URI[autocfg-1.0.1.sha256sum] = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" -SRC_URI[bit-set-0.5.2.sha256sum] = "6e11e16035ea35e4e5997b393eacbf6f63983188f7a2ad25bfb13465f5ad59de" -SRC_URI[bit-vec-0.6.3.sha256sum] = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" -SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" -SRC_URI[byteorder-1.4.3.sha256sum] = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" -SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" -SRC_URI[doc-comment-0.3.3.sha256sum] = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10" -SRC_URI[fnv-1.0.7.sha256sum] = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" -SRC_URI[getrandom-0.2.3.sha256sum] = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753" -SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" -SRC_URI[libc-0.2.106.sha256sum] = "a60553f9a9e039a333b4e9b20573b9e9b9c0bb3a11e201ccc48ef4283456d673" -SRC_URI[memchr-2.4.1.sha256sum] = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a" -SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" -SRC_URI[num-traits-0.2.14.sha256sum] = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290" -SRC_URI[ppv-lite86-0.2.15.sha256sum] = "ed0cfbc8191465bed66e1718596ee0b0b35d5ee1f41c5df2189d0fe8bde535ba" 
-SRC_URI[proptest-1.0.0.sha256sum] = "1e0d9cc07f18492d879586c92b485def06bc850da3118075cd45d50e9c95b0e5" -SRC_URI[quick-error-1.2.3.sha256sum] = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0" -SRC_URI[quick-error-2.0.1.sha256sum] = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3" -SRC_URI[rand-0.8.4.sha256sum] = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8" -SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" -SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7" -SRC_URI[rand_hc-0.3.1.sha256sum] = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7" -SRC_URI[rand_xorshift-0.3.0.sha256sum] = "d25bf25ec5ae4a3f1b92f929810509a2f53d7dca2f50b794ff57e3face536c8f" -SRC_URI[redox_syscall-0.2.10.sha256sum] = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff" -SRC_URI[regex-syntax-0.6.25.sha256sum] = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b" -SRC_URI[remove_dir_all-0.5.3.sha256sum] = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7" -SRC_URI[rusty-fork-0.3.0.sha256sum] = "cb3dcc6e454c328bb824492db107ab7c0ae8fcffe4ad210136ef014458c1bc4f" -SRC_URI[tempfile-3.2.0.sha256sum] = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22" -SRC_URI[wait-timeout-0.2.0.sha256sum] = "9f200f5b12eb75f8c1ed65abd4b2db8a6e1b138a20de009dacee265a2498f3f6" -SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" -SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" -SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" -SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" # from rust/vendor/brotli/Cargo.lock 
-SRC_URI += " \ - crate://crates.io/alloc-no-stdlib/2.0.3 \ - crate://crates.io/alloc-stdlib/0.2.1 \ - crate://crates.io/block-buffer/0.7.3 \ - crate://crates.io/block-padding/0.1.5 \ - crate://crates.io/brotli-decompressor/2.3.2 \ - crate://crates.io/byte-tools/0.3.1 \ - crate://crates.io/byteorder/1.4.3 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/digest/0.8.1 \ - crate://crates.io/fake-simd/0.1.2 \ - crate://crates.io/generic-array/0.12.4 \ - crate://crates.io/libm/0.1.4 \ - crate://crates.io/opaque-debug/0.2.3 \ - crate://crates.io/packed_simd_2/0.3.7 \ - crate://crates.io/sha2/0.8.2 \ - crate://crates.io/typenum/1.15.0 \ -" - -SRC_URI[alloc-no-stdlib-2.0.3.sha256sum] = "35ef4730490ad1c4eae5c4325b2a95f521d023e5c885853ff7aca0a6a1631db3" -SRC_URI[alloc-stdlib-0.2.1.sha256sum] = "697ed7edc0f1711de49ce108c541623a0af97c6c60b2f6e2b65229847ac843c2" -SRC_URI[block-buffer-0.7.3.sha256sum] = "c0940dc441f31689269e10ac70eb1002a3a1d3ad1390e030043662eb7fe4688b" -SRC_URI[block-padding-0.1.5.sha256sum] = "fa79dedbb091f449f1f39e53edf88d5dbe95f895dae6135a8d7b881fb5af73f5" -SRC_URI[brotli-decompressor-2.3.2.sha256sum] = "59ad2d4653bf5ca36ae797b1f4bb4dbddb60ce49ca4aed8a2ce4829f60425b80" -SRC_URI[byte-tools-0.3.1.sha256sum] = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7" -SRC_URI[byteorder-1.4.3.sha256sum] = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" -SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" -SRC_URI[digest-0.8.1.sha256sum] = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5" -SRC_URI[fake-simd-0.1.2.sha256sum] = "e88a8acf291dafb59c2d96e8f59828f3838bb1a70398823ade51a84de6a6deed" -SRC_URI[generic-array-0.12.4.sha256sum] = "ffdf9f34f1447443d37393cc6c2b8313aebddcd96906caf34e54c68d8e57d7bd" -SRC_URI[libm-0.1.4.sha256sum] = "7fc7aa29613bd6a620df431842069224d8bc9011086b1db4c0e0cd47fa03ec9a" -SRC_URI[opaque-debug-0.2.3.sha256sum] = 
"2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c" -SRC_URI[packed_simd_2-0.3.7.sha256sum] = "defdcfef86dcc44ad208f71d9ff4ce28df6537a4e0d6b0e8e845cb8ca10059a6" -SRC_URI[sha2-0.8.2.sha256sum] = "a256f46ea78a0c0d9ff00077504903ac881a1dafdc20da66545699e7776b3e69" -SRC_URI[typenum-1.15.0.sha256sum] = "dcf81ac59edc17cc8697ff311e8f5ef2d99fcbd9817b34cec66f90b6c3dfd987" -# from rust/vendor/failure/Cargo.lock -SRC_URI += " \ - crate://crates.io/backtrace/0.3.46 \ - crate://crates.io/backtrace-sys/0.1.37 \ - crate://crates.io/cc/1.0.52 \ - crate://crates.io/cfg-if/0.1.10 \ - crate://crates.io/failure_derive/0.1.7 \ - crate://crates.io/libc/0.2.69 \ - crate://crates.io/proc-macro2/1.0.12 \ - crate://crates.io/quote/1.0.4 \ - crate://crates.io/rustc-demangle/0.1.16 \ - crate://crates.io/syn/1.0.18 \ - crate://crates.io/synstructure/0.12.3 \ - crate://crates.io/unicode-xid/0.2.0 \ -" - -SRC_URI[backtrace-0.3.46.sha256sum] = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e" -SRC_URI[backtrace-sys-0.1.37.sha256sum] = "18fbebbe1c9d1f383a9cc7e8ccdb471b91c8d024ee9c2ca5b5346121fe8b4399" -SRC_URI[cc-1.0.52.sha256sum] = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d" -SRC_URI[cfg-if-0.1.10.sha256sum] = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822" -SRC_URI[failure_derive-0.1.7.sha256sum] = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231" -SRC_URI[libc-0.2.69.sha256sum] = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005" -SRC_URI[proc-macro2-1.0.12.sha256sum] = "8872cf6f48eee44265156c111456a700ab3483686b3f96df4cf5481c89157319" -SRC_URI[quote-1.0.4.sha256sum] = "4c1f4b0efa5fc5e8ceb705136bfee52cfdb6a4e3509f770b478cd6ed434232a7" -SRC_URI[rustc-demangle-0.1.16.sha256sum] = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783" -SRC_URI[syn-1.0.18.sha256sum] = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213" -SRC_URI[synstructure-0.12.3.sha256sum] = 
"67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545" -SRC_URI[unicode-xid-0.2.0.sha256sum] = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c" -# from rust/vendor/alloc-stdlib/Cargo.lock -SRC_URI += " \ - crate://crates.io/alloc-no-stdlib/2.0.4 \ -" - -SRC_URI[alloc-no-stdlib-2.0.4.sha256sum] = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3" -# from rust/vendor/bendy/Cargo.lock -SRC_URI += " \ - crate://crates.io/addr2line/0.14.0 \ - crate://crates.io/adler/0.2.3 \ - crate://crates.io/aho-corasick/0.7.15 \ - crate://crates.io/autocfg/1.0.1 \ - crate://crates.io/backtrace/0.3.54 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/failure/0.1.8 \ - crate://crates.io/failure_derive/0.1.8 \ - crate://crates.io/gimli/0.23.0 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.80 \ - crate://crates.io/memchr/2.3.4 \ - crate://crates.io/miniz_oxide/0.4.3 \ - crate://crates.io/object/0.22.0 \ - crate://crates.io/proc-macro2/1.0.24 \ - crate://crates.io/quote/1.0.7 \ - crate://crates.io/regex/1.4.2 \ - crate://crates.io/regex-syntax/0.6.21 \ - crate://crates.io/rustc-demangle/0.1.18 \ - crate://crates.io/serde/1.0.117 \ - crate://crates.io/serde_bytes/0.11.5 \ - crate://crates.io/serde_derive/1.0.117 \ - crate://crates.io/syn/1.0.48 \ - crate://crates.io/synstructure/0.12.4 \ - crate://crates.io/thread_local/1.0.1 \ - crate://crates.io/unicode-xid/0.2.1 \ -" - -SRC_URI[addr2line-0.14.0.sha256sum] = "7c0929d69e78dd9bf5408269919fcbcaeb2e35e5d43e5815517cdc6a8e11a423" -SRC_URI[adler-0.2.3.sha256sum] = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e" -SRC_URI[aho-corasick-0.7.15.sha256sum] = "7404febffaa47dac81aa44dba71523c9d069b1bdc50a77db41195149e17f68e5" -SRC_URI[autocfg-1.0.1.sha256sum] = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" -SRC_URI[backtrace-0.3.54.sha256sum] = "2baad346b2d4e94a24347adeee9c7a93f412ee94b9cc26e5b59dea23848e9f28" 
-SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" -SRC_URI[failure-0.1.8.sha256sum] = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86" -SRC_URI[failure_derive-0.1.8.sha256sum] = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4" -SRC_URI[gimli-0.23.0.sha256sum] = "f6503fe142514ca4799d4c26297c4248239fe8838d827db6bd6065c6ed29a6ce" -SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" -SRC_URI[libc-0.2.80.sha256sum] = "4d58d1b70b004888f764dfbf6a26a3b0342a1632d33968e4a179d8011c760614" -SRC_URI[memchr-2.3.4.sha256sum] = "0ee1c47aaa256ecabcaea351eae4a9b01ef39ed810004e298d2511ed284b1525" -SRC_URI[miniz_oxide-0.4.3.sha256sum] = "0f2d26ec3309788e423cfbf68ad1800f061638098d76a83681af979dc4eda19d" -SRC_URI[object-0.22.0.sha256sum] = "8d3b63360ec3cb337817c2dbd47ab4a0f170d285d8e5a2064600f3def1402397" -SRC_URI[proc-macro2-1.0.24.sha256sum] = "1e0704ee1a7e00d7bb417d0770ea303c1bccbabf0ef1667dae92b5967f5f8a71" -SRC_URI[quote-1.0.7.sha256sum] = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37" -SRC_URI[regex-1.4.2.sha256sum] = "38cf2c13ed4745de91a5eb834e11c00bcc3709e773173b2ce4c56c9fbde04b9c" -SRC_URI[regex-syntax-0.6.21.sha256sum] = "3b181ba2dcf07aaccad5448e8ead58db5b742cf85dfe035e2227f137a539a189" -SRC_URI[rustc-demangle-0.1.18.sha256sum] = "6e3bad0ee36814ca07d7968269dd4b7ec89ec2da10c4bb613928d3077083c232" -SRC_URI[serde-1.0.117.sha256sum] = "b88fa983de7720629c9387e9f517353ed404164b1e482c970a90c1a4aaf7dc1a" -SRC_URI[serde_bytes-0.11.5.sha256sum] = "16ae07dd2f88a366f15bd0632ba725227018c69a1c8550a927324f8eb8368bb9" -SRC_URI[serde_derive-1.0.117.sha256sum] = "cbd1ae72adb44aab48f325a02444a5fc079349a8d804c1fc922aed3f7454c74e" -SRC_URI[syn-1.0.48.sha256sum] = "cc371affeffc477f42a221a1e4297aedcea33d47d19b61455588bd9d8f6b19ac" -SRC_URI[synstructure-0.12.4.sha256sum] = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701" 
-SRC_URI[thread_local-1.0.1.sha256sum] = "d40c6d1b69745a6ec6fb1ca717914848da4b44ae29d9b3080cbee91d72a69b14" -SRC_URI[unicode-xid-0.2.1.sha256sum] = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564" -# from rust/vendor/regex/Cargo.lock -SRC_URI += " \ - crate://crates.io/aho-corasick/0.7.18 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/getrandom/0.2.6 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.125 \ - crate://crates.io/memchr/2.5.0 \ - crate://crates.io/quickcheck/1.0.3 \ - crate://crates.io/rand/0.8.5 \ - crate://crates.io/rand_core/0.6.3 \ - crate://crates.io/regex-syntax/0.6.26 \ - crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \ -" - -SRC_URI[aho-corasick-0.7.18.sha256sum] = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f" -SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" -SRC_URI[getrandom-0.2.6.sha256sum] = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" -SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" -SRC_URI[libc-0.2.125.sha256sum] = "5916d2ae698f6de9bfb891ad7a8d65c09d232dc58cc4ac433c7da3b2fd84bc2b" -SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" -SRC_URI[quickcheck-1.0.3.sha256sum] = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6" -SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" -SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7" -SRC_URI[regex-syntax-0.6.26.sha256sum] = "49b3de9ec5dc0a3417da371aab17d729997c15010e7fd24ff707773a33bddb64" -SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" -# from rust/vendor/brotli-decompressor/Cargo.lock -SRC_URI += " \ - crate://crates.io/alloc-no-stdlib/2.0.4 \ - 
crate://crates.io/alloc-stdlib/0.2.2 \ -" SRC_URI[alloc-no-stdlib-2.0.4.sha256sum] = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3" SRC_URI[alloc-stdlib-0.2.2.sha256sum] = "94fb8275041c72129eb51b7d0322c29b8387a0386127718b096429201a5d6ece" +SRC_URI[block-buffer-0.10.4.sha256sum] = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71" +SRC_URI[brotli-decompressor-5.0.0.sha256sum] = "874bb8112abecc98cbd6d81ea4fa7e94fb9449648c93cc89aa40c81c24d7de03" +SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +SRC_URI[cpufeatures-0.2.17.sha256sum] = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280" +SRC_URI[crypto-common-0.1.6.sha256sum] = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" +SRC_URI[digest-0.10.7.sha256sum] = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" +SRC_URI[generic-array-0.14.7.sha256sum] = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" +SRC_URI[libc-0.2.172.sha256sum] = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa" +SRC_URI[sha2-0.10.9.sha256sum] = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" +SRC_URI[typenum-1.18.0.sha256sum] = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f" +SRC_URI[version_check-0.9.5.sha256sum] = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" # from rust/vendor/phf_generator/Cargo.lock -SRC_URI += " \ - crate://crates.io/atty/0.2.14 \ - crate://crates.io/autocfg/1.0.1 \ - crate://crates.io/bitflags/1.2.1 \ - crate://crates.io/bstr/0.2.16 \ - crate://crates.io/bumpalo/3.7.0 \ - crate://crates.io/cast/0.2.7 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/clap/2.33.3 \ - crate://crates.io/criterion/0.3.4 \ - crate://crates.io/criterion-plot/0.4.4 \ - crate://crates.io/crossbeam-channel/0.5.1 \ - crate://crates.io/crossbeam-deque/0.8.1 \ - crate://crates.io/crossbeam-epoch/0.9.5 \ - 
crate://crates.io/crossbeam-utils/0.8.5 \ - crate://crates.io/csv/1.1.6 \ - crate://crates.io/csv-core/0.1.10 \ - crate://crates.io/either/1.6.1 \ - crate://crates.io/getrandom/0.2.3 \ - crate://crates.io/half/1.7.1 \ - crate://crates.io/hermit-abi/0.1.19 \ - crate://crates.io/itertools/0.10.1 \ - crate://crates.io/itoa/0.4.7 \ - crate://crates.io/js-sys/0.3.52 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.99 \ - crate://crates.io/log/0.4.14 \ - crate://crates.io/memchr/2.4.0 \ - crate://crates.io/memoffset/0.6.4 \ - crate://crates.io/num-traits/0.2.14 \ - crate://crates.io/num_cpus/1.13.0 \ - crate://crates.io/oorandom/11.1.3 \ - crate://crates.io/phf_shared/0.10.0 \ - crate://crates.io/plotters/0.3.1 \ - crate://crates.io/plotters-backend/0.3.2 \ - crate://crates.io/plotters-svg/0.3.1 \ - crate://crates.io/ppv-lite86/0.2.10 \ - crate://crates.io/proc-macro2/1.0.28 \ - crate://crates.io/quote/1.0.9 \ - crate://crates.io/rand/0.8.4 \ - crate://crates.io/rand_chacha/0.3.1 \ - crate://crates.io/rand_core/0.6.3 \ - crate://crates.io/rand_hc/0.3.1 \ - crate://crates.io/rayon/1.5.1 \ - crate://crates.io/rayon-core/1.9.1 \ - crate://crates.io/regex/1.5.4 \ - crate://crates.io/regex-automata/0.1.10 \ - crate://crates.io/regex-syntax/0.6.25 \ - crate://crates.io/rustc_version/0.4.0 \ - crate://crates.io/ryu/1.0.5 \ - crate://crates.io/same-file/1.0.6 \ - crate://crates.io/scopeguard/1.1.0 \ - crate://crates.io/semver/1.0.4 \ - crate://crates.io/serde/1.0.127 \ - crate://crates.io/serde_cbor/0.11.1 \ - crate://crates.io/serde_derive/1.0.127 \ - crate://crates.io/serde_json/1.0.66 \ - crate://crates.io/siphasher/0.3.6 \ - crate://crates.io/syn/1.0.74 \ - crate://crates.io/textwrap/0.11.0 \ - crate://crates.io/tinytemplate/1.2.1 \ - crate://crates.io/unicode-width/0.1.8 \ - crate://crates.io/unicode-xid/0.2.2 \ - crate://crates.io/walkdir/2.3.2 \ - crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \ - crate://crates.io/wasm-bindgen/0.2.75 \ - 
crate://crates.io/wasm-bindgen-backend/0.2.75 \ - crate://crates.io/wasm-bindgen-macro/0.2.75 \ - crate://crates.io/wasm-bindgen-macro-support/0.2.75 \ - crate://crates.io/wasm-bindgen-shared/0.2.75 \ - crate://crates.io/web-sys/0.3.52 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-util/0.1.5 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ -" SRC_URI[atty-0.2.14.sha256sum] = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8" SRC_URI[autocfg-1.0.1.sha256sum] = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" 
@@ -1048,103 +994,120 @@ SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761 SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178" SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +# from rust/vendor/alloc-stdlib/Cargo.lock + +SRC_URI[alloc-no-stdlib-2.0.4.sha256sum] = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3" # from rust/vendor/x509-parser/Cargo.lock -SRC_URI += " \ - crate://crates.io/asn1-rs/0.5.2 \ - crate://crates.io/asn1-rs-derive/0.4.0 \ - crate://crates.io/asn1-rs-impl/0.1.0 \ - crate://crates.io/autocfg/1.1.0 \ - crate://crates.io/bumpalo/3.12.0 \ - crate://crates.io/cc/1.0.79 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/data-encoding/2.3.3 \ - crate://crates.io/der-parser/8.2.0 \ - crate://crates.io/displaydoc/0.2.3 \ - crate://crates.io/itoa/1.0.6 \ - crate://crates.io/js-sys/0.3.61 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.140 \ - crate://crates.io/log/0.4.17 \ - crate://crates.io/memchr/2.5.0 \ - crate://crates.io/minimal-lexical/0.2.1 \ - crate://crates.io/nom/7.1.3 \ - crate://crates.io/num-bigint/0.4.3 \ - crate://crates.io/num-integer/0.1.45 \ - crate://crates.io/num-traits/0.2.15 \ - crate://crates.io/oid-registry/0.6.1 \ - crate://crates.io/once_cell/1.17.1 \ - crate://crates.io/proc-macro2/1.0.52 \ - crate://crates.io/quote/1.0.26 \ - crate://crates.io/ring/0.16.20 \ - crate://crates.io/rusticata-macros/4.1.0 \ - crate://crates.io/serde/1.0.156 \ - crate://crates.io/spin/0.5.2 \ - crate://crates.io/syn/1.0.109 \ - crate://crates.io/synstructure/0.12.6 \ - crate://crates.io/thiserror/1.0.39 \ - crate://crates.io/thiserror-impl/1.0.39 \ - crate://crates.io/time/0.3.20 \ - crate://crates.io/time-core/0.1.0 \ - 
crate://crates.io/time-macros/0.2.8 \ - crate://crates.io/unicode-ident/1.0.8 \ - crate://crates.io/unicode-xid/0.2.4 \ - crate://crates.io/untrusted/0.7.1 \ - crate://crates.io/wasm-bindgen/0.2.84 \ - crate://crates.io/wasm-bindgen-backend/0.2.84 \ - crate://crates.io/wasm-bindgen-macro/0.2.84 \ - crate://crates.io/wasm-bindgen-macro-support/0.2.84 \ - crate://crates.io/wasm-bindgen-shared/0.2.84 \ - crate://crates.io/web-sys/0.3.61 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ -" SRC_URI[asn1-rs-0.5.2.sha256sum] = "7f6fd5ddaf0351dff5b8da21b2fb4ff8e08ddd02857f0bf69c47639106c0fff0" SRC_URI[asn1-rs-derive-0.4.0.sha256sum] = "726535892e8eae7e70657b4c8ea93d26b8553afb1ce617caee529ef96d7dee6c" SRC_URI[asn1-rs-impl-0.1.0.sha256sum] = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed" SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" -SRC_URI[bumpalo-3.12.0.sha256sum] = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535" -SRC_URI[cc-1.0.79.sha256sum] = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" +SRC_URI[bumpalo-3.13.0.sha256sum] = "a3e2c3daef883ecc1b5d58c15adae93470a91d425f3532ba1695849656af3fc1" +SRC_URI[cc-1.0.81.sha256sum] = "6c6b2562119bf28c3439f7f02db99faf0aa1a8cdfe5772a2ee155d32227239f0" SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" -SRC_URI[data-encoding-2.3.3.sha256sum] = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb" +SRC_URI[data-encoding-2.4.0.sha256sum] = "c2e66c9d817f1720209181c316d28635c050fa304f9c79e47a520882661b7308" SRC_URI[der-parser-8.2.0.sha256sum] = "dbd676fbbab537128ef0278adb5576cf363cff6aa22a7b24effe97347cfab61e" -SRC_URI[displaydoc-0.2.3.sha256sum] = "3bf95dc3f046b9da4f2d51833c0d3547d8564ef6910f5c1ed130306a75b92886" -SRC_URI[itoa-1.0.6.sha256sum] = 
"453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6" -SRC_URI[js-sys-0.3.61.sha256sum] = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730" +SRC_URI[deranged-0.3.7.sha256sum] = "7684a49fb1af197853ef7b2ee694bc1f5b4179556f1e5710e1760c5db6f5e929" +SRC_URI[displaydoc-0.2.4.sha256sum] = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d" +SRC_URI[itoa-1.0.9.sha256sum] = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" +SRC_URI[js-sys-0.3.64.sha256sum] = "c5f195fe497f702db0f318b07fdd68edb16955aed830df8363d837542f8f935a" SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" -SRC_URI[libc-0.2.140.sha256sum] = "99227334921fae1a979cf0bfdfcc6b3e5ce376ef57e16fb6fb3ea2ed6095f80c" -SRC_URI[log-0.4.17.sha256sum] = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e" +SRC_URI[libc-0.2.147.sha256sum] = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" +SRC_URI[log-0.4.19.sha256sum] = "b06a4cde4c0f271a446782e3eff8de789548ce57dbc8eca9292c27f4a42004b4" SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" SRC_URI[minimal-lexical-0.2.1.sha256sum] = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" SRC_URI[nom-7.1.3.sha256sum] = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a" SRC_URI[num-bigint-0.4.3.sha256sum] = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f" SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9" -SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd" +SRC_URI[num-traits-0.2.16.sha256sum] = "f30b0abd723be7e2ffca1272140fac1a2f084c77ec3e123c192b66af1ee9e6c2" SRC_URI[oid-registry-0.6.1.sha256sum] = "9bedf36ffb6ba96c2eb7144ef6270557b52e54b20c0a8e1eb2ff99a6c6959bff" -SRC_URI[once_cell-1.17.1.sha256sum] = 
"b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" -SRC_URI[proc-macro2-1.0.52.sha256sum] = "1d0e1ae9e836cc3beddd63db0df682593d7e2d3d891ae8c9083d2113e1744224" -SRC_URI[quote-1.0.26.sha256sum] = "4424af4bf778aae2051a77b60283332f386554255d722233d09fbfc7e30da2fc" +SRC_URI[once_cell-1.18.0.sha256sum] = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" +SRC_URI[proc-macro2-1.0.66.sha256sum] = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9" +SRC_URI[quote-1.0.32.sha256sum] = "50f3b39ccfb720540debaa0164757101c08ecb8d326b15358ce76a62c7e85965" SRC_URI[ring-0.16.20.sha256sum] = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" SRC_URI[rusticata-macros-4.1.0.sha256sum] = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632" -SRC_URI[serde-1.0.156.sha256sum] = "314b5b092c0ade17c00142951e50ced110ec27cea304b1037c6969246c2469a4" +SRC_URI[serde-1.0.180.sha256sum] = "0ea67f183f058fe88a4e3ec6e2788e003840893b91bac4559cabedd00863b3ed" SRC_URI[spin-0.5.2.sha256sum] = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" SRC_URI[syn-1.0.109.sha256sum] = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" +SRC_URI[syn-2.0.28.sha256sum] = "04361975b3f5e348b2189d8dc55bc942f278b2d482a6a0365de5bdd62d351567" SRC_URI[synstructure-0.12.6.sha256sum] = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f" -SRC_URI[thiserror-1.0.39.sha256sum] = "a5ab016db510546d856297882807df8da66a16fb8c4101cb8b30054b0d5b2d9c" -SRC_URI[thiserror-impl-1.0.39.sha256sum] = "5420d42e90af0c38c3290abcca25b9b3bdf379fc9f55c528f53a269d9c9a267e" -SRC_URI[time-0.3.20.sha256sum] = "cd0cbfecb4d19b5ea75bb31ad904eb5b9fa13f21079c3b92017ebdf4999a5890" -SRC_URI[time-core-0.1.0.sha256sum] = "2e153e1f1acaef8acc537e68b44906d2db6436e2b35ac2c6b42640fff91f00fd" -SRC_URI[time-macros-0.2.8.sha256sum] = "fd80a657e71da814b8e5d60d3374fc6d35045062245d80224748ae522dd76f36" -SRC_URI[unicode-ident-1.0.8.sha256sum] = 
"e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4" +SRC_URI[thiserror-1.0.44.sha256sum] = "611040a08a0439f8248d1990b111c95baa9c704c805fa1f62104b39655fd7f90" +SRC_URI[thiserror-impl-1.0.44.sha256sum] = "090198534930841fab3a5d1bb637cde49e339654e606195f8d9c76eeb081dc96" +SRC_URI[time-0.3.25.sha256sum] = "b0fdd63d58b18d663fbdf70e049f00a22c8e42be082203be7f26589213cd75ea" +SRC_URI[time-core-0.1.1.sha256sum] = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb" +SRC_URI[time-macros-0.2.11.sha256sum] = "eb71511c991639bb078fd5bf97757e03914361c48100d52878b8e52b46fb92cd" +SRC_URI[unicode-ident-1.0.11.sha256sum] = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c" SRC_URI[unicode-xid-0.2.4.sha256sum] = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c" SRC_URI[untrusted-0.7.1.sha256sum] = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" -SRC_URI[wasm-bindgen-0.2.84.sha256sum] = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b" -SRC_URI[wasm-bindgen-backend-0.2.84.sha256sum] = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9" -SRC_URI[wasm-bindgen-macro-0.2.84.sha256sum] = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5" -SRC_URI[wasm-bindgen-macro-support-0.2.84.sha256sum] = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6" -SRC_URI[wasm-bindgen-shared-0.2.84.sha256sum] = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d" -SRC_URI[web-sys-0.3.61.sha256sum] = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97" +SRC_URI[wasm-bindgen-0.2.87.sha256sum] = "7706a72ab36d8cb1f80ffbf0e071533974a60d0a308d01a5d0375bf60499a342" +SRC_URI[wasm-bindgen-backend-0.2.87.sha256sum] = "5ef2b6d3c510e9625e5fe6f509ab07d66a760f0885d858736483c32ed7809abd" +SRC_URI[wasm-bindgen-macro-0.2.87.sha256sum] = "dee495e55982a3bd48105a7b947fd2a9b4a8ae3010041b9e0faab3f9cd028f1d" +SRC_URI[wasm-bindgen-macro-support-0.2.87.sha256sum] = 
"54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b" +SRC_URI[wasm-bindgen-shared-0.2.87.sha256sum] = "ca6ad05a4870b2bf5fe995117d3728437bd27d7cd5f06f13c17443ef369775a1" +SRC_URI[web-sys-0.3.64.sha256sum] = "9b85cbef8c220a6abc02aefd892dfc0fc23afb1c6a426316ec33253a3877249b" SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +# from rust/vendor/regex/Cargo.lock + +SRC_URI[aho-corasick-0.7.18.sha256sum] = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f" +SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +SRC_URI[getrandom-0.2.6.sha256sum] = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" +SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +SRC_URI[libc-0.2.125.sha256sum] = "5916d2ae698f6de9bfb891ad7a8d65c09d232dc58cc4ac433c7da3b2fd84bc2b" +SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" +SRC_URI[quickcheck-1.0.3.sha256sum] = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6" +SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7" +SRC_URI[regex-syntax-0.6.26.sha256sum] = "49b3de9ec5dc0a3417da371aab17d729997c15010e7fd24ff707773a33bddb64" +SRC_URI[wasi-0.10.2+wasi-snapshot-preview1.sha256sum] = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" +# from rust/vendor/bendy/Cargo.lock + +SRC_URI[addr2line-0.14.0.sha256sum] = "7c0929d69e78dd9bf5408269919fcbcaeb2e35e5d43e5815517cdc6a8e11a423" 
+SRC_URI[adler-0.2.3.sha256sum] = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e" +SRC_URI[aho-corasick-0.7.15.sha256sum] = "7404febffaa47dac81aa44dba71523c9d069b1bdc50a77db41195149e17f68e5" +SRC_URI[autocfg-1.0.1.sha256sum] = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" +SRC_URI[backtrace-0.3.54.sha256sum] = "2baad346b2d4e94a24347adeee9c7a93f412ee94b9cc26e5b59dea23848e9f28" +SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +SRC_URI[failure-0.1.8.sha256sum] = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86" +SRC_URI[failure_derive-0.1.8.sha256sum] = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4" +SRC_URI[gimli-0.23.0.sha256sum] = "f6503fe142514ca4799d4c26297c4248239fe8838d827db6bd6065c6ed29a6ce" +SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +SRC_URI[libc-0.2.80.sha256sum] = "4d58d1b70b004888f764dfbf6a26a3b0342a1632d33968e4a179d8011c760614" +SRC_URI[memchr-2.3.4.sha256sum] = "0ee1c47aaa256ecabcaea351eae4a9b01ef39ed810004e298d2511ed284b1525" +SRC_URI[miniz_oxide-0.4.3.sha256sum] = "0f2d26ec3309788e423cfbf68ad1800f061638098d76a83681af979dc4eda19d" +SRC_URI[object-0.22.0.sha256sum] = "8d3b63360ec3cb337817c2dbd47ab4a0f170d285d8e5a2064600f3def1402397" +SRC_URI[proc-macro2-1.0.24.sha256sum] = "1e0704ee1a7e00d7bb417d0770ea303c1bccbabf0ef1667dae92b5967f5f8a71" +SRC_URI[quote-1.0.7.sha256sum] = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37" +SRC_URI[regex-1.4.2.sha256sum] = "38cf2c13ed4745de91a5eb834e11c00bcc3709e773173b2ce4c56c9fbde04b9c" +SRC_URI[regex-syntax-0.6.21.sha256sum] = "3b181ba2dcf07aaccad5448e8ead58db5b742cf85dfe035e2227f137a539a189" +SRC_URI[rustc-demangle-0.1.18.sha256sum] = "6e3bad0ee36814ca07d7968269dd4b7ec89ec2da10c4bb613928d3077083c232" +SRC_URI[serde-1.0.117.sha256sum] = "b88fa983de7720629c9387e9f517353ed404164b1e482c970a90c1a4aaf7dc1a" 
+SRC_URI[serde_bytes-0.11.5.sha256sum] = "16ae07dd2f88a366f15bd0632ba725227018c69a1c8550a927324f8eb8368bb9" +SRC_URI[serde_derive-1.0.117.sha256sum] = "cbd1ae72adb44aab48f325a02444a5fc079349a8d804c1fc922aed3f7454c74e" +SRC_URI[syn-1.0.48.sha256sum] = "cc371affeffc477f42a221a1e4297aedcea33d47d19b61455588bd9d8f6b19ac" +SRC_URI[synstructure-0.12.4.sha256sum] = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701" +SRC_URI[thread_local-1.0.1.sha256sum] = "d40c6d1b69745a6ec6fb1ca717914848da4b44ae29d9b3080cbee91d72a69b14" +SRC_URI[unicode-xid-0.2.1.sha256sum] = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564" +# from rust/vendor/flate2/Cargo.lock + +SRC_URI[adler-1.0.2.sha256sum] = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" +SRC_URI[cc-1.0.79.sha256sum] = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" +SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +SRC_URI[cloudflare-zlib-sys-0.3.0.sha256sum] = "2040b6d1edfee6d75f172d81e2d2a7807534f3f294ce18184c70e7bb0105cd6f" +SRC_URI[cmake-0.1.50.sha256sum] = "a31c789563b815f77f4250caee12365734369f942439b7defd71e18a48197130" +SRC_URI[crc32fast-1.3.2.sha256sum] = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d" +SRC_URI[getrandom-0.2.9.sha256sum] = "c85e1d9ab2eadba7e5040d4e09cbd6d072b76a557ad64e797c2cb9d4da21d7e4" +SRC_URI[libc-0.2.144.sha256sum] = "2b00cc1c228a6782d0f076e7b232802e0c5689d41bb5df366f2a6b6621cfdfe1" +SRC_URI[libz-ng-sys-1.1.10.sha256sum] = "425fb6808068335c8c7c69d1cff0a7d1ed8f681e9ac040272f160a89e6f43b8b" +SRC_URI[libz-sys-1.1.10.sha256sum] = "24e6ab01971eb092ffe6a7d42f49f9ff42662f17604681e2843ad65077ba47dc" +SRC_URI[miniz_oxide-0.7.1.sha256sum] = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7" +SRC_URI[pkg-config-0.3.27.sha256sum] = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" +SRC_URI[ppv-lite86-0.2.17.sha256sum] = 
"5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" +SRC_URI[quickcheck-1.0.3.sha256sum] = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6" +SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" +SRC_URI[rand_core-0.6.4.sha256sum] = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" +SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" +SRC_URI[wasi-0.11.0+wasi-snapshot-preview1.sha256sum] = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.12.bb similarity index 86% rename from recipes-ids/suricata/suricata_7.0.0.bb rename to recipes-ids/suricata/suricata_7.0.12.bb index 62baa35..ff022e0 100644 --- a/recipes-ids/suricata/suricata_7.0.0.bb +++ b/recipes-ids/suricata/suricata_7.0.12.bb @@ -5,7 +5,7 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz" -SRC_URI[sha256sum] = "7bcd1313118366451465dc3f8385a3f6aadd084ffe44dd257dda8105863bb769" +SRC_URI[sha256sum] = "da5a591c749fed2bd986fc3b3cac25d9cfd3b453f57becf14610746999d3c5dd" DEPENDS = "lz4 libhtp" 
@@ -15,29 +15,7 @@ SRC_URI += " \ file://suricata.yaml \ file://suricata.service \ file://run-ptest \ - file://fixup.patch \ - file://CVE-2024-45795.patch \ - file://CVE-2024-45796.patch \ - file://CVE-2024-55605.patch \ - file://CVE-2025-29916-01.patch \ - file://CVE-2025-29916-02.patch \ - file://CVE-2025-29916-03.patch \ - file://CVE-2025-29917.patch \ - file://CVE-2025-29918.patch \ - file://CVE-2024-32663-001.patch \ - file://CVE-2024-32663-002.patch \ - file://CVE-2024-32664.patch \ - file://CVE-2024-32867-001.patch \ - file://CVE-2024-32867-002.patch \ - file://CVE-2024-32867-003.patch \ - file://CVE-2024-32867-004.patch \ - file://CVE-2024-55627-001.patch \ - file://CVE-2024-55627-002.patch \ - file://CVE-2024-55627-003.patch \ - file://CVE-2024-55628-001.patch \ - file://CVE-2024-55628-002.patch \ - file://CVE-2024-55628-003.patch \ - file://CVE-2024-55628-004.patch \ + file://0001-Skip-pkg-Makefile-from-using-its-own-rust-steps.patch \ " inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates
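Review bot: In the crate checksum hunk that ends just before `@@ -1048,103 +994,120 @@`, every per-Cargo.lock `SRC_URI += " crate://crates.io/... "` list is deleted while `SRC_URI[<crate>-<version>.sha256sum]` lines are kept or added (for example `block-buffer-0.10.4`, `sha2-0.10.9` and `libc-0.2.172`), so within this hunk the new checksums have no matching `crate://` entry. Please confirm that the file is regenerated output from the `cargo-update-recipe-crates` class the recipe inherits, not a hand edit, and that a `crate://` list elsewhere in the file covers these versions. If no such list exists, the fetcher never downloads these crates and the checksum flags are dead entries that should be dropped.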
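Review bot: The hunk at `@@ -1048,103 +994,120 @@` assigns the same checksum flag more than once: `SRC_URI[cfg-if-1.0.0.sha256sum]` is an unchanged line in the x509-parser section and is added again under the regex, bendy and flate2 sections, and `lazy_static-1.4.0` and `quickcheck-1.0.3` repeat in the same way. The values are identical here, so the result is correct, but BitBake keeps only the last assignment of a flag, so a later section carrying a different value would silently override an earlier one. Emitting each name-version pair once, or stating in the commit message that the file is generated and was not edited by hand, would make a mismatch visible in review.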
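Review bot: In the `@@ -5,7 +5,7 @@` hunk of the renamed recipe, the new `SRC_URI[sha256sum]` value is the only integrity control on the release tarball, because the unchanged `SRC_URI` line above it still fetches over `http://www.openinfosecfoundation.org/download/`. Please state in the commit message how the new hash was obtained (for example, computed from a download that was checked against the upstream release signature, if one is published) and consider moving the URL to `https://` in the same change.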
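Review bot: In the `@@ -15,29 +15,7 @@` hunk, `fixup.patch` and all 22 `CVE-*.patch` entries are removed from `SRC_URI`, and nothing in the visible lines of the recipe records that 7.0.12 already contains those fixes. Please list in the commit message which upstream release fixed each dropped CVE (CVE-2024-32663, CVE-2024-32664, CVE-2024-32867, CVE-2024-45795, CVE-2024-45796, CVE-2024-55605, CVE-2024-55627, CVE-2024-55628, CVE-2025-29916, CVE-2025-29917, CVE-2025-29918), so a reader can confirm that none of them regresses with the upgrade. The added `0001-Skip-pkg-Makefile-from-using-its-own-rust-steps.patch` should carry an `Upstream-Status:` header, and if it replaces `fixup.patch` the commit message should say so.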