FEDORA-2018-1ec1cd6db3 created by fab 4 years ago for Fedora 27

Security fix for binpac, bump to 2.5.3 (#1493520)

This update has been submitted for testing by fab.

4 years ago

This update has been pushed to testing.

4 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.

4 years ago
  • Security issue: bro binary is setcap cap_net_admin for ALL users!
  • bro-core should depend on gperftools-libs not gperftools to avoid pulling in a large dependency tree including gtk.
  • bro-devel should require bro not bro-core as it claims to depend on libbroccoli.so.5.
  • bro.service should probably be using the new version from rocknsm that runs as the bro user. See https://bugzilla.redhat.com/show_bug.cgi?id=1493520#c14
  • Why is ./configure --enable-debug present? This presumably disables optimization. Bro appears to compile with RelWithDebugInfo by default anyway.
  • The 0%{?_undocumented_hack_closes_scriptlets} hacks are not needed since there are no longer comments between those sections as in the rocknsm version, and do not work for me with that version anyway (still give the error described in https://bugzilla.redhat.com/show_bug.cgi?id=1315935).

Suggested patch:

diff --git a/bro.spec b/bro.spec
index 3fb0848..df31be2 100644
--- a/bro.spec
+++ b/bro.spec
@@ -36,7 +36,7 @@ Summary:        The core bro installation without broctl
 Requires:       bind-libs
 Requires:       GeoIP
 %ifnarch s390 s390x
-Requires:       gperftools
+Requires:       gperftools-libs
 Requires:       libpcap
 %if 0%{?fedora} >= 26
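Review bot: the explicit Requires on gperftools-libs may be redundant rather than merely narrower than gperftools. rpm generates library dependencies from linked sonames automatically, so if the bro binary is linked against libtcmalloc the built bro-core package already pulls in gperftools-libs; check with `rpm -qR bro-core` on the result and, if the soname dependency is present, the whole %ifnarch block can go. If the library is only dlopened at runtime, keep the line as changed here.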
@@ -80,7 +80,7 @@ and open-science communities.
 Summary:        Compile-time generated source files needed to build bro packages

 Requires:  cmake
-Requires:  bro-core = %{version}-%{release}
+Requires:  bro = %{version}-%{release}

 %description -n bro-devel
 Installs the compile-time generated files known as BRODIST needed to build bro
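Review bot: requiring the bro metapackage is broader than the stated reason (libbroccoli.so.5). Since this spec has a separate broccoli subpackage (see the `%post -n broccoli` ldconfig scriptlets further down), `Requires: broccoli = %{version}-%{release}` would name the package that actually ships the library; keep the bro-core requirement alongside it if the BRODIST files also need the core install.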
@@ -105,7 +105,7 @@ This package contains the header files for binpac.

 %package -n broctl
 Summary:          A control tool for bro
-Buildarch:        noarch
+BuildArch:        noarch
 BuildRequires:    python2-devel
 BuildRequires:    systemd
 BuildRequires:    pysubnettree
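Review bot: rpm treats tag names case-insensitively, so Buildarch to BuildArch is cosmetic. Fine to keep for consistency with the BuildRequires lines below it, but it is unrelated to the security fix and would be easier to review as a separate cleanup.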
@@ -220,7 +220,6 @@ sed -i -e '1i#! /usr/bin/bash' aux/broctl/bin/set-bro-path aux/broctl/bin/helper
     --plugindir=%{_libdir}/bro/plugins \
     --distdir=%{_usrsrc}/%{name}-%{version} \
     --disable-rpath \
-    --enable-debug \
     --enable-mobile-ipv6 \
 make %{?_smp_mflags}
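Review bot: dropping --enable-debug is right for a distro build; the -debuginfo subpackage comes from the -g in %{optflags}, not from an unoptimized build, so nothing is lost. After the change, confirm in the build log that %{optflags} still reach the compiler so the hardening flags carried in them apply to the bro binary. Also note that, as pasted, the hunk leaves `--enable-mobile-ipv6 \` as the last continued line directly before `make %{?_smp_mflags}`, which suggests a context line was lost; double-check the continuation in the actual spec.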
@@ -326,14 +325,8 @@ exit 0
 %systemd_postun bro.service

 %post -n broccoli -p /sbin/ldconfig
-%if ( 0%{?_undocumented_hack_closes_scriptlets} )

 %postun -n broccoli -p /sbin/ldconfig
-%if ( 0%{?_undocumented_hack_closes_scriptlets} )

 make test
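Review bot: removing the two %if lines is safe. With the `-p /sbin/ldconfig` form the scriptlet has no body, so an `%if` placed after it had nothing to close and, as the comment notes, did not avoid the error from bug 1315935 anyway. For branches at Fedora 28 or later the `%post`/`%postun` pair can be replaced by `%ldconfig_scriptlets -n broccoli`, which makes the question moot.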
@@ -345,7 +338,7 @@ make test
 %files -n bro-core
 %license COPYING
-%caps(cap_net_admin,cap_net_raw=pie) %{_bindir}/bro
+%attr(0750,root,bro) %caps(cap_net_admin,cap_net_raw=pie) %{_bindir}/bro

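Review bot: %attr(0750,root,bro) needs the bro group to exist when bro-core's files are installed, but the group is created by broctl, which is installed after bro-core; on a machine without the group rpm falls back to root:root and the capability-bearing binary stays executable by every user, as the follow-up comment below points out. Give bro-core a `%pre -n bro-core` scriptlet that runs `getent group bro >/dev/null || groupadd -r bro` together with `Requires(pre): shadow-utils`, and take the group creation out of broctl. With the group in place, 0750 plus `cap_net_admin,cap_net_raw=pie` is the right shape: execution, and therefore the capabilities, is limited to root and members of the bro group.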
N.B. I actually tested this on CentOS 7.3 from source, just lightly modifying the python-sphinx dependency. The issues above should all apply to this build as well. The python_sitelib changes in the EPEL7 branch break the build for me, the original python2_sitelib works fine.

Bug in my above suggested patch: The bro group needs to be added by bro-core not later if taking the capabilities approach there. Otherwise, /usr/bin/bro is set to root,root on machines that don't already have the bro group as the dependency relationship means broctl is installed after bro-core. All of the other files under the bro group and systemd service script are owned by the broctl package so this is a little awkward. I'm assuming here that chmoding the bro binary when broctl is installed would be frowned upon.

rebus provided feedback 4 years ago
lobocode commented & provided feedback 3 years ago
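The group-creation fix that the comment above asks for, as an added spec fragment that is not part of this update or of the bro package: the `%attr`/`%caps` line is the one from the suggested patch, while the `Requires(pre)` line and the `%pre` scriptlet are assumptions about how bro-core would create the group before its own files are laid down.

```spec
# Added example, not from the update or the bro package. It shows the bro
# group being created by bro-core itself, so that the group referenced by
# %attr exists before the capability-bearing binary is installed.
%package -n bro-core
Summary:        The core bro installation without broctl
# groupadd is provided by shadow-utils and must be present when %pre runs
Requires(pre):  shadow-utils

%pre -n bro-core
# Create the system group that owns the bro binary. The getent guard makes
# this idempotent across upgrades and on hosts where the group already exists.
getent group bro >/dev/null || groupadd -r bro
exit 0

%files -n bro-core
%license COPYING
# 0750 limits execution to root and members of the bro group, so the file
# capabilities granted below are not reachable by every local user. If the
# group were missing here, rpm would silently fall back to root:root.
%attr(0750,root,bro) %caps(cap_net_admin,cap_net_raw=pie) %{_bindir}/bro
```

After installing the built package, `stat -c '%a %U:%G' /usr/bin/bro` together with `getcap /usr/bin/bro` confirms that the mode, group and capabilities landed as intended.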


BZ#1493520 bro-2.5.3 is available
BZ#1531130 CVE-2017-1000458 bro: Out-of-bounds write in the ContentLine analyzer [fedora-all]
