FEDORA-2018-1ec1cd6db3

security update in Fedora 27 for bro

Status: obsolete

Security fix for binpac, bump to 2.5.3 (#1493520)

Comments (7)

This update has been submitted for testing by fab.

This update has been pushed to testing.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

  • Security issue: bro binary is setcap cap_net_admin for ALL users!
  • bro-core should depend on gperftools-libs not gperftools to avoid pulling in a large dependency tree including gtk.
  • bro-devel should require bro not bro-core as it claims to depend on libbroccoli.so.5.
  • bro.service should probably be using the new version from rocknsm that runs as the bro user. See https://bugzilla.redhat.com/show_bug.cgi?id=1493520#c14
  • Why is ./configure --enable-debug present? This presumably disables optimization. Bro appears to compile with RelWithDebugInfo by default anyway.
  • The 0%{?_undocumented_hack_closes_scriptlets} hacks are not needed since there are no longer comments between those sections as in the rocknsm version, and do not work for me with that version anyway (still give the error described in https://bugzilla.redhat.com/show_bug.cgi?id=1315935).

Suggested patch:

diff --git a/bro.spec b/bro.spec
index 3fb0848..df31be2 100644
--- a/bro.spec
+++ b/bro.spec
@@ -36,7 +36,7 @@ Summary:        The core bro installation without broctl
 Requires:       bind-libs
 Requires:       GeoIP
 %ifnarch s390 s390x
-Requires:       gperftools
+Requires:       gperftools-libs
 %endif
 Requires:       libpcap
 %if 0%{?fedora} >= 26
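Review bot: switching the runtime dependency inside the %ifnarch s390 s390x block to gperftools-libs is the right granularity for a package that only needs libtcmalloc at run time (the comment above notes the full gperftools package drags in gtk), but this hunk touches no BuildRequires, so confirm the gperftools build dependency is unchanged and bro is still built against libtcmalloc; otherwise the new Requires is dead weight.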
@@ -80,7 +80,7 @@ and open-science communities.
 Summary:        Compile-time generated source files needed to build bro packages

 Requires:  cmake
-Requires:  bro-core = %{version}-%{release}
+Requires:  bro = %{version}-%{release}

 %description -n bro-devel
 Installs the compile-time generated files known as BRODIST needed to build bro
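Review bot: `Requires: bro = %{version}-%{release}` over-pulls if the real need is libbroccoli.so.5 as stated in the comment above: `bro` is the umbrella package (bro-core is described as "without broctl"), so bro-devel on a build host would also drag in broctl and its Python stack. Requiring the subpackage that actually ships libbroccoli.so.5 (the spec has a broccoli subpackage, see the ldconfig scriptlets later in this patch) is the more precise fix, and rpm's automatic soname dependency generation would normally add that requirement by itself, which is worth checking before hand-coding it.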
@@ -105,7 +105,7 @@ This package contains the header files for binpac.

 %package -n broctl
 Summary:          A control tool for bro
-Buildarch:        noarch
+BuildArch:        noarch
 BuildRequires:    python2-devel
 BuildRequires:    systemd
 BuildRequires:    pysubnettree
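Review bot: `Buildarch` to `BuildArch` is a case-only change; rpm matches tag names case-insensitively, so nothing changes for the build. It is a fair rpmlint cleanup, but it could be split from a security-motivated patch to keep the diff focused.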
@@ -220,7 +220,6 @@ sed -i -e '1i#! /usr/bin/bash' aux/broctl/bin/set-bro-path aux/broctl/bin/helper
     --plugindir=%{_libdir}/bro/plugins \
     --distdir=%{_usrsrc}/%{name}-%{version} \
     --disable-rpath \
-    --enable-debug \
     --enable-mobile-ipv6 \
     --enable-binpac
 make %{?_smp_mflags}
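Review bot: removing `--enable-debug` changes the build type, so verify rather than assume: compare the CFLAGS/CXXFLAGS in the build log before and after and confirm Fedora's %{optflags} (optimisation, FORTIFY_SOURCE, stack protector) are honoured by bro's configure/CMake wrapper. The comment above only presumes the flag disables optimisation, and a security update is a bad place to change hardening flags silently.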
@@ -326,14 +325,8 @@ exit 0
 %systemd_postun bro.service

 %post -n broccoli -p /sbin/ldconfig
-%if ( 0%{?_undocumented_hack_closes_scriptlets} )
-%postun
-%endif

 %postun -n broccoli -p /sbin/ldconfig
-%if ( 0%{?_undocumented_hack_closes_scriptlets} )
-%postun
-%endif

 %check
 make test
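Review bot: with the `%if ( 0%{?_undocumented_hack_closes_scriptlets} )` blocks gone, `%post -n broccoli -p /sbin/ldconfig` is followed directly by `%postun -n broccoli -p /sbin/ldconfig`; both use `-p`, so neither has a body that the preceding scriptlet could swallow, which is what the hack was guarding against. Build the result and inspect the scriptlets with `rpm -qp --scripts` to confirm the error from bug 1315935 mentioned above does not reappear.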
@@ -345,7 +338,7 @@ make test
 %files -n bro-core
 %doc CHANGES NEWS README VERSION
 %license COPYING
-%caps(cap_net_admin,cap_net_raw=pie) %{_bindir}/bro
+%attr(0750,root,bro) %caps(cap_net_admin,cap_net_raw=pie) %{_bindir}/bro
 %{_bindir}/bro-config
 %{_bindir}/bro-cut
 %{_mandir}/man1/bro-cut.1*
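Review bot: `%attr(0750,root,bro)` only takes effect if the bro group exists when bro-core's files are laid down; otherwise rpm warns and falls back to root:root, and with mode 0750 that leaves a root-only binary (the follow-up comment below records exactly this). Add a `%pre -n bro-core` that creates the group (the usual `getent group bro >/dev/null || groupadd -r bro` with `Requires(pre): shadow-utils`) to bro-core itself rather than leaving it to broctl. The capability line is unchanged, which is fine: `cap_net_admin,cap_net_raw=pie` is granted to whoever can execute the file, so restricting execution to the bro group is the correct mitigation; separately confirm cap_net_admin is still required rather than cap_net_raw alone.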

N.B. I actually tested this on CentOS 7.3 from source, just lightly modifying the python-sphinx dependency. The issues above should all apply to this build as well. The python_sitelib changes in the EPEL7 branch break the build for me, the original python2_sitelib works fine.

Bug in my above suggested patch: The bro group needs to be added by bro-core, not later, if taking the capabilities approach there. Otherwise, /usr/bin/bro is set to root,root on machines that don't already have the bro group, as the dependency relationship means broctl is installed after bro-core. All of the other files under the bro group and the systemd service script are owned by the broctl package, so this is a little awkward. I'm assuming here that chmod-ing the bro binary when broctl is installed would be frowned upon.
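Added example, not from this update or the bro project: the security issue in the comments above is that a world-executable binary carrying file capabilities lets every local user run it with cap_net_admin,cap_net_raw, and the proposed fix is to gate execution with 0750 root:bro. The script below is a small audit tool in that spirit. It decodes the raw security.capability xattr the kernel stores for a setcap'd file (layout from the uapi linux/capability.h header) and combines it with the file mode to say who can exercise the capabilities. The CAP_NAMES table covers only a few capabilities (an assumption; others print as cap_N), and the BRO_CAPS_XATTR blob is constructed here to match what `setcap cap_net_admin,cap_net_raw=pie` writes, so the decoder can be exercised without root.

```python
"""Audit a file for capabilities that arbitrary local users can exercise.

Added example (not part of the Fedora update or of bro). Reads the raw
security.capability xattr, decodes it like getcap does, and classifies who
can run the file with those capabilities based on the mode bits.
"""
import errno
import os
import stat
import struct

# Constants from include/uapi/linux/capability.h.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000

# Partial table of capability numbers (assumption: only the ones we care
# about here; anything else is rendered as cap_<number>).
CAP_NAMES = {0: "cap_chown", 7: "cap_setuid", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}


def _bits_to_names(lo, hi):
    """Turn the two 32-bit halves of a capability set into a set of names."""
    bits = lo | (hi << 32)
    return {CAP_NAMES.get(i, f"cap_{i}") for i in range(64) if (bits >> i) & 1}


def decode_vfs_cap(blob):
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    if len(blob) < 4:
        raise ValueError("xattr too short for magic_etc")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    rootid = 0
    if revision == VFS_CAP_REVISION_1:
        if len(blob) < 12:
            raise ValueError("truncated v1 capability xattr")
        p_lo, i_lo = struct.unpack_from("<II", blob, 4)
        p_hi = i_hi = 0
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        need = 24 if revision == VFS_CAP_REVISION_3 else 20
        if len(blob) < need:
            raise ValueError("truncated v2/v3 capability xattr")
        # data[0] = {permitted, inheritable} low words, data[1] = high words.
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
        if revision == VFS_CAP_REVISION_3:
            (rootid,) = struct.unpack_from("<I", blob, 20)
    else:
        raise ValueError(f"unknown vfs cap revision 0x{revision:08x}")
    return {
        "revision": revision >> 24,
        "effective": effective,          # caps raised automatically at exec
        "permitted": _bits_to_names(p_lo, p_hi),
        "inheritable": _bits_to_names(i_lo, i_hi),
        "rootid": rootid,                # only meaningful for v3 (user ns)
    }


def exposure(mode, caps):
    """Who can exercise the file caps, given st_mode permission bits."""
    if not caps["permitted"]:
        return "none"
    if mode & stat.S_IXOTH:
        return "all-users"   # the situation flagged in the comments above
    if mode & stat.S_IXGRP:
        return "group"       # e.g. 0750 root:bro from the suggested patch
    if mode & stat.S_IXUSR:
        return "owner"
    return "nobody"


def audit_binary(path):
    """Read mode and security.capability from disk (Linux) and classify."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError as e:
        if e.errno == errno.ENODATA:     # no file capabilities set
            return {"path": path, "mode": mode, "caps": None, "exposure": "none"}
        raise
    caps = decode_vfs_cap(blob)
    return {"path": path, "mode": mode, "caps": caps, "exposure": exposure(mode, caps)}


# Constructed sample: the xattr written by
#   setcap cap_net_admin,cap_net_raw=pie <file>
# revision 2, effective flag set, bits 12 and 13 in permitted and
# inheritable, high words zero.
BRO_CAPS_XATTR = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                             0x3000, 0x3000, 0, 0)

if __name__ == "__main__":
    import sys
    caps = decode_vfs_cap(BRO_CAPS_XATTR)
    for mode in (0o755, 0o750):
        print(f"mode {mode:o}: {sorted(caps['permitted'])} -> {exposure(mode, caps)}")
    for p in sys.argv[1:]:
        print(audit_binary(p))
```

Run with paths as arguments (for example every file under /usr/bin) to list binaries whose exposure is "all-users"; on the unpatched package /usr/bin/bro shows up that way, and after the 0750 root:bro change it reports "group". Note that "effective" matters too: with the `e` flag the kernel raises the capabilities at exec, whereas without it the program has to raise them itself.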

Content Type: RPM
Status: obsolete
Update Type: security
Update Severity: unspecified
Karma: +2 (stable threshold: 3, unstable threshold: -3)
Autopush: Enabled
Dates: submitted a year ago; in testing a year ago

Related Bugs (2)

#1493520 bro-2.5.3 is available
#1531130 CVE-2017-1000458 bro: Out-of-bounds write in the ContentLine analyzer [fedora-all]
