Changelog:
"5.0.9 -- 2022-04-21
Security #4889: ftp: SEGV at flow cleanup due to protocol confusion
Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input
Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5253: Infinite loop in JsonFTPLogger
Feature #4644: pthreads: set minimum stack size
Bug #4466: dataset file not written when run as user
Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4745: Absent app-layer protocol is always enabled by default
Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4823: conf: quadratic complexity
Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4838: af-packet: cluster_id is not used when trying to set fanout support
Bug #4878: datasets: memory leak in 5.0.x
Bug #4887: dnp3: buffer over read in logging base64 empty objects
Bug #4891: protodetect: SMB vs TLS protocol detection in midstream
Bug #4893: TFTP: memory leak due to missing detect state
Bug #4895: Memory leak with signature using file_data and NFS
Bug #4897: profiling: Invalid performance counter when using sampling
Bug #4901: eve: memory leak related to dns
Bug #4932: smtp: smtp transaction not logged if no email is present
Bug #4955: stream: too aggressive pruning in lossy streams
Bug #4957: SMTP assertion triggered
Bug #4959: suricatasc loop if recv returns no data
Bug #4961: dns: transaction not created when z-bit set
Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet
Bug #5058: dns: probing/parser can return error when it should return incomplete
Bug #5063: Not keyword matches in Kerberos requests
Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5099: htp: server personality radix handling issue
Bug #5101: defrag: policy config can setup radix incorrectly
Bug #5103: Application log cannot to be re-opened when running as non-root user
Bug #5105: iprep: cidr support can set up radix incorrectly
Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5109: swf: coverity warning
Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string
Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #5137: smb: excessive memory use during file transfer
Bug #5150: nfs: Integer underflow in NFS
Bug #5157: xbits: noalert is allowed in rule language with other commands
Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #5171: detect/iponly: non-cidr netmask settings can lead incorrect radix tree
Bug #5193: SSL : over allocation for certificates
Bug #5213: content:"22 2 22"; is parsed without error
Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow.
Bug #5251: smb: integer underflows and overflows
Task #5006: libhtp 0.5.40"
Additionally, I moved the 'suricata' patch files into a separate directory.
Apart from some line numbers, nothing else was changed.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
flashrom needs access to /dev/io ports for flashing firmware, a
functionality we cannot cease to support. Therefore, LSM constraints are
disabled for ioport.c, hopefully permitting us to keep it enabled.
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- These lines were introduced with another patch related to removing IPFire start/stop
capability from wio
- The lines were introduced in commented out form and so are doing nothing.
- It looks like they were added as part of a debugging or investigation work on wio
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- The lines to scan the red interface were introduced at the time of a patch to remove
the IPFire start/stop function from wio. These lines are not related to that change
but were included in the patch with no commit message. The same lines were also added
into wio.cgi in the same patch set but in that case the lines were all commented out.
- These lines look like they were most likely added to the code for investigation or
debugging purposes. Looking at the lines in wio.pl the results obtained are not
used elsewhere in wio for obtaining info on the status of the red interface. Deleting
the lines did not affect anything related to the scanning, setup or monitoring of
systems by wio.
- The lines were wasting space but generally not creating a huge impact on pertformance.
On my production system it scans my red and comes up with a list of 1022 IP's because
of the subnet my ISP uses - xxx.yy.216.0/20
- Scanning those 1022 IP's and sorting them takes my system about 3 seconds. Without
sorting it is around the same level.
- In Bug#12799 the originator has an ISP that is using a private network that has a
defined subnet of 10.0.0.0/8 This is 16,777,214 IP's to be scanned. Even without sorting
my system would end up taking around 13 hours to do that. The bug originator found that
on certain machines that he had IPFire on wio just never stopped scanning.
- As these lines just seem to collect a large amount of IP's on red that are not related
to the actual running red IP, as there was no commit message related to their
introduction and as removing the lines on vm's running dhcp and static red interfaces
and also on my running production system for 4 weeks has shown no impact on the
monitoring capability this patch is being submitted to remove these lines from wio
Fixes: Bug#12799
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
mount, as updated via util-linux, no longer writes /etc/mtab, causing
programs to rely on this file's content (such as the check_disk Nagios
plugin) to stop working.
/proc/self/mounts contains all the necessary information, so it is fine
to replace /etc/mtab by a symlink to it.
Fixes: #12843
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.
- xzgrep from XZ Utils versions up to and including 5.2.5 are
affected. 5.3.1alpha and 5.3.2alpha are affected as well.
- This bug was inherited from gzip's zgrep. gzip 1.12 includes
a fix for zgrep.
- CU167 has gzip-1.12 with the fix already merged.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Fixes: 12831
Jonatan Schlag reported that the command line options of 'vnstat' had changed
"...and seemed to be broken a long time".
=> https://bugzilla.ipfire.org/show_bug.cgi?id=12831#c0
Several command line switches used in networking initscripts were obviously removed.
Affected commands in '.../networking/any' and '.../networking/red'):
...
/usr/bin/vnstat -u -i ${DEVICE} -r --enable --force > /dev/null 2>&1
...
/usr/bin/vnstat -u -i ${DEVICE} -r --disable > /dev/null 2>&1
...
and
...
/usr/bin/vnstat -u -i ppp0 -r --disable > /dev/null 2>&1
...
Adolf Belka tested this, "looked through the changelogs" and found - besides that
the switch '--enable' had been removed "in version 2.0 in 2018" - that '--enable', '--update'
and '--reset' switches are either not needed or not supported anymore.
"The old man page indicates that none of those options are used when the vnstat daemon
is running."
Since we only start and run 'vnstatd' in IPFire it was decided to remove these commands.
Reported-by: jonatan.schlag <jonatan.schlag@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
This is recommended by KSPP, Lynis, and others. Indeed, there is no
legitimate reason why an unprivileged user on IPFire should do any
profiling. Unfortunately, this change never landed in the mainline
kernel, hence a distribution patch is necessary.
The second version of this patch rebases the kernel patch by Jeff
Vander Stoep against Linux 5.15.17 to avoid fuzzying.
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This script only appeared in conjunction with Core Update 75, released
January 2014. Although it is still being executed while restoring a
backup, it would only be effective if anyone tried to restore a backup
created before C75.
I don't think there is a realistic need to carry this script along any
further. In doubt, it might be better to start from scratch again rather
than trying to restore an 8 year old backup, expecting everything to be
peachy and vanilla with it.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This reverts commit 77e3829dc1.
For the time being, shipping this was found to be too difficult, since
we cannot get linux-firmware down to an acceptable size limit.
Compressing the firmware on installations would work, but takes about 4
minutes on an Intel Xenon CPU alone, hence it is an unacceptable
workload to do for IPFire installation running on weaker hardware.
Therefore, we do not proceed with this at the moment.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog, as retrieved from https://www.zlib.net/ChangeLog.txt :
Changes in 1.2.12 (27 Mar 2022)
- Cygwin does not have _wopen(), so do not create gzopen_w() there
- Permit a deflateParams() parameter change as soon as possible
- Limit hash table inserts after switch from stored deflate
- Fix bug when window full in deflate_stored()
- Fix CLEAR_HASH macro to be usable as a single statement
- Avoid a conversion error in gzseek when off_t type too small
- Have Makefile return non-zero error code on test failure
- Avoid some conversion warnings in gzread.c and gzwrite.c
- Update use of errno for newer Windows CE versions
- Small speedup to inflate [psumbera]
- Return an error if the gzputs string length can't fit in an int
- Add address checking in clang to -w option of configure
- Don't compute check value for raw inflate if asked to validate
- Handle case where inflateSync used when header never processed
- Avoid the use of ptrdiff_t
- Avoid an undefined behavior of memcpy() in gzappend()
- Avoid undefined behaviors of memcpy() in gz*printf()
- Avoid an undefined behavior of memcpy() in _tr_stored_block()
- Make the names in functions declarations identical to definitions
- Remove old assembler code in which bugs have manifested
- Fix deflateEnd() to not report an error at start of raw deflate
- Add legal disclaimer to README
- Emphasize the need to continue decompressing gzip members
- Correct the initialization requirements for deflateInit2()
- Fix a bug that can crash deflate on some input when using Z_FIXED
- Assure that the number of bits for deflatePrime() is valid
- Use a structure to make globals in enough.c evident
- Use a macro for the printf format of big_t in enough.c
- Clean up code style in enough.c, update version
- Use inline function instead of macro for index in enough.c
- Clarify that prefix codes are counted in enough.c
- Show all the codes for the maximum tables size in enough.c
- Add gznorm.c example, which normalizes gzip files
- Fix the zran.c example to work on a multiple-member gzip file
- Add tables for crc32_combine(), to speed it up by a factor of 200
- Add crc32_combine_gen() and crc32_combine_op() for fast combines
- Speed up software CRC-32 computation by a factor of 1.5 to 3
- Use atomic test and set, if available, for dynamic CRC tables
- Don't bother computing check value after successful inflateSync()
- Correct comment in crc32.c
- Add use of the ARMv8 crc32 instructions when requested
- Use ARM crc32 instructions if the ARM architecture has them
- Explicitly note that the 32-bit check values are 32 bits
- Avoid adding empty gzip member after gzflush with Z_FINISH
- Fix memory leak on error in gzlog.c
- Fix error in comment on the polynomial representation of a byte
- Clarify gz* function interfaces, referring to parameter names
- Change macro name in inflate.c to avoid collision in VxWorks
- Correct typo in blast.c
- Improve portability of contrib/minizip
- Fix indentation in minizip's zip.c
- Replace black/white with allow/block. (theresa-m)
- minizip warning fix if MAXU32 already defined. (gvollant)
- Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
- Clean up minizip to reduce warnings for testing
- Add fallthrough comments for gcc
- Eliminate use of ULL constants
- Separate out address sanitizing from warnings in configure
- Remove destructive aspects of make distclean
- Check for cc masquerading as gcc or clang in configure
- Fix crc32.c to compile local functions only if used
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This patch enabled that we can compress any firmware files on disk. This
will save some space since /lib/firmware is becoming larger with every
release.
From formerly 828MiB, this is now using ~349MiB which is a saving of
about 480MiB on disk. This is helping us a lot fighting to contain the
distribution to 2GB on /.
Some other firmware that is installed in other packages is not
compressed with this patch which is a bit sad, but potentially not worth
the effort.
In order to ship this change with a Core Update, it might be intuitive
to remove /lib/firmware first and then extract the new update with all
new files. However, I do not know if this all will compress as well as
before since now the files are already individually compressed. It might
be a challenge to ship this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
They were mistakenly placed after the IPS chains in commit
7b529f5417, but should be placed after the
connection tracking and before the IPS.
Fixes: #12815
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
We used to create some iptables rules that permitted traffic to the
firewall from IPsec peers. This however doesn't work due to changes in
iana-etc and it looks like those rules are entirely absolete now.
This patch removes them which should not cause any functional changes.
Fixes: #12808
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
We have some scripts in /usr/local/bin which cannot be found by any
misc-progs which is fixed by this patch.
Fixes: #12811
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
It is not necessary to have this key present on IPFire systems anymore,
since it has not been in use for years, and we can expect systems to be
sufficiently up-to-date, so they no longer need to rely on old updates
or add-ons signed with this key.
Also, given the current key was generated in 2018, we should consider a
Pakfire key rollover soon.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
This script appeared in the rootfiles for Core Updates 65 and 66, being
released in late 2012 and early 2013. It is not used elsewhere, and
there is no sense in keeping it around on IPFire installations.
Should this patch be accepted, a corresponding 'rm' statement is
necessary in the update.sh script of the Core Update it will go into.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The current setup can fail and block all traffic on RED if the RETURN
rules could not be created.
This can happen when the kernel fails to load the ipset module, as it is
the case after upgrading to a new kernel. Restarting the firewall will
cause that the system is being cut off the internet.
This design now changes that if those rules cannot be created, the
DROP_HOSTILE feature is just inactive, but it would not disrupt any
traffic.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
https://lore.kernel.org/lkml/YhIwUEpymVzmytdp@casper.infradead.org/
ReiserFS is an old file system which has not been actively maintained in
the Linux kernel for a long time. It is potentially going to be removed
soon which is why we shouldn't encourage people to create new
installations with ReiserFS any more.
This patch removes support for ReiserFS from the installer.
We should keep it enabled in the kernel for as long as it is available,
but we will have to encourage users potentially to re-install on a
different file system.
Since ReiserFS isn't very popular any more, I don't think that there
will be many users left.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In some situations or if an error happened, the lock file could be
keep on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.
Now the script checks if it has created such a lock and release it when
the script exists.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Sometimes, we restore a backup that has been created earlier before
exclude files have been changed. To avoid overwriting those files, we
will consider the exlude list upon restore.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The DHCP server can instruct clients to configure a certain MTU.
This used to be done by setting the MTU of the interface. However,
dhcpcd has changed this behaviour using routes to.
We used to have a modified version of the old mechanism which no longer
works well with the new system and is therefore to be dropped.
This is the first commit in the series implementing the new behaviour
and telling dhcpcd to use the configured MTU.
Fixes: #12563
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
riscv64 does not return any value on our machine (maybe because it is
emulated?). "undefined" is however seen as a valid value, which makes
the build fail.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The host might not have the correct tools to strip a foreign
architecture, therefore we need to use the cross tools.
The crosstools might be built in an architecture that they
cannot strip themselves and since they are not being part of the
packaged toolchain, we will just skip them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
