diff --git a/security/suricata/Makefile b/security/suricata/Makefile
index f97ef9fc56f2..d2887b48c134 100644
--- a/security/suricata/Makefile
+++ b/security/suricata/Makefile
@@ -1,134 +1,134 @@ PORTNAME= suricata -DISTVERSION= 6.0.2 -PORTREVISION= 3 +DISTVERSION= 6.0.3 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= https://www.openinfosecfoundation.org/download/ MAINTAINER= franco@opnsense.org COMMENT= High Performance Network IDS, IPS and Security Monitoring engine LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/LICENSE BUILD_DEPENDS= rustc:lang/${RUST_DEFAULT} LIB_DEPENDS= libjansson.so:devel/jansson \ libpcre.so:devel/pcre \ libnet.so:net/libnet \ liblz4.so:archivers/liblz4 \ libyaml.so:textproc/libyaml USES= autoreconf cpe gmake iconv:translit libtool localbase \ pathfix pkgconfig CPE_VENDOR= openinfosecfoundation USE_LDCONFIG= yes USE_RC_SUBR= ${PORTNAME} GNU_CONFIGURE= yes CONFIGURE_ARGS+=--enable-gccprotect \ --enable-bundled-htp \ --disable-gccmarch-native INSTALL_TARGET= install-strip TEST_TARGET= check CONFLICTS_INSTALL= libhtp SUB_FILES= pkg-message PLIST_SUB= PORTVERSION=${DISTVERSION:C/-/_/g} OPTIONS_DEFINE= GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE \ PYTHON REDIS TESTS OPTIONS_DEFINE_amd64= HYPERSCAN OPTIONS_DEFAULT= IPFW NETMAP PYTHON OPTIONS_RADIO= SCRIPTS OPTIONS_RADIO_SCRIPTS= LUA LUAJIT OPTIONS_SUB= yes PRELUDE_BROKEN= Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065 GEOIP_DESC= GeoIP support HYPERSCAN_DESC= Hyperscan support IPFW_DESC= IPFW and IP Divert support for inline IDP LUAJIT_DESC= LuaJIT scripting support LUA_DESC= LUA scripting support NETMAP_DESC= Netmap support for inline IDP NSS_DESC= File checksums and SSL/TLS fingerprinting PORTS_PCAP_DESC= Use libpcap from ports PRELUDE_DESC= Prelude support for NIDS alerts PYTHON_DESC= Python-based update and control utilities REDIS_DESC= Redis output support SCRIPTS_DESC= Scripting TESTS_DESC= Unit tests in suricata binary GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb GEOIP_CONFIGURE_ON= --enable-geoip HYPERSCAN_LIB_DEPENDS= libhs.so:devel/hyperscan IPFW_CONFIGURE_ON= --enable-ipfw -LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit 
+LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit-openresty LUAJIT_CONFIGURE_ON= --enable-luajit LUA_USES= lua:51 LUA_CONFIGURE_ON= --enable-lua NETMAP_CONFIGURE_ENABLE= netmap NSS_LIB_DEPENDS= libnss3.so:security/nss \ libnspr4.so:devel/nspr NSS_CONFIGURE_OFF= --disable-nss --disable-nspr PORTS_PCAP_LIB_DEPENDS= libpcap.so.1:net/libpcap PRELUDE_LIB_DEPENDS= libprelude.so:security/libprelude \ libgnutls.so:security/gnutls \ libgcrypt.so:security/libgcrypt \ libgpg-error.so:security/libgpg-error \ libltdl.so:devel/libltdl PRELUDE_CONFIGURE_ON= --with-libprelude-prefix=${LOCALBASE} PRELUDE_CONFIGURE_ENABLE= prelude PYTHON_BUILD_DEPENDS= ${PYTHON_RUN_DEPENDS} PYTHON_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yaml>0:devel/py-yaml@${PY_FLAVOR} PYTHON_USES= python PYTHON_USE= PYTHON=py3kplist PYTHON_CONFIGURE_ENABLE= python REDIS_LIB_DEPENDS= libhiredis.so:databases/hiredis \ libevent_pthreads.so:devel/libevent REDIS_CONFIGURE_ON= --enable-hiredis \ TESTS_CONFIGURE_ENABLE= unittests pre-patch: @${CP} ${FILESDIR}/ax_check_compile_flag.m4 ${WRKSRC}/m4 post-patch: # Disable vendor checksums @${REINPLACE_CMD} 's,"files":{[^}]*},"files":{},' \ ${WRKSRC}/rust/vendor/*/.cargo-checksum.json post-patch-PYTHON-on: @${REINPLACE_CMD} -e "/AC_PATH_PROGS.*HAVE_PYTHON/ s/python[^,]*,/${PYTHON_VERSION},/g" \ ${WRKSRC}/configure.ac post-install: @${MKDIR} ${STAGEDIR}${ETCDIR} ${STAGEDIR}/var/log/suricata .for f in classification.config reference.config @${MV} ${STAGEDIR}${DATADIR}/${f} ${STAGEDIR}${ETCDIR}/${f}.sample .endfor .for f in suricata.yaml threshold.config ${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${ETCDIR}/${f}.sample .endfor post-install-PYTHON-on: (cd ${STAGEDIR}${PREFIX} \ && ${PYTHON_CMD} ${PYTHON_LIBDIR}/compileall.py \ -d ${PYTHONPREFIX_SITELIBDIR} -f ${PYTHONPREFIX_SITELIBDIR:S;${PREFIX}/;;}) .include diff --git a/security/suricata/distinfo b/security/suricata/distinfo index 2e96b779479a..47cdde42ff52 100644 --- a/security/suricata/distinfo +++ b/security/suricata/distinfo 
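Review bot: The `post-patch` step in this hunk still blanks the `files` map in every `rust/vendor/*/.cargo-checksum.json`, so with the 6.0.3 tarball cargo verifies none of the vendored crates and their integrity rests only on the tarball SHA256 in distinfo. No patch visible in this commit touches `rust/vendor`, so the wildcard may be broader than needed; other files/ patches are not shown here, so this needs confirming. If only specific crates are patched, narrow the glob to those crate directories, and if none are, drop the step. At minimum the comment should say why the step exists, e.g. `# Disable vendor checksums: <crate> is modified by files/<patch-name>` (placeholders, to be filled in by the maintainer).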
@@ -1,3 +1,3 @@
-TIMESTAMP = 1616753087
-SHA256 (suricata-6.0.2.tar.gz) = 5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52
-SIZE (suricata-6.0.2.tar.gz) = 30514801
+TIMESTAMP = 1628041281
+SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602
+SIZE (suricata-6.0.3.tar.gz) = 32421197
diff --git a/security/suricata/files/patch-3c53a1601 b/security/suricata/files/patch-3c53a1601
new file mode 100644
index 000000000000..d70b3c563e5a
--- /dev/null
+++ b/security/suricata/files/patch-3c53a1601
@@ -0,0 +1,78 @@
+From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
+From: Victor Julien
+Date: Wed, 18 Aug 2021 20:14:48 +0200
+Subject: [PATCH] threading: don't pass locked flow between threads
+
+Previously the flow manager would share evicted flows with the workers
+while keeping the flows mutex locked. This reduced the number of unlock/
+lock cycles while there was guaranteed to be no contention.
+
+This turns out to be undefined behavior. A lock is supposed to be locked
+and unlocked from the same thread. It appears that FreeBSD is stricter on
+this than Linux.
+
+This patch addresses the issue by unlocking before handing a flow off
+to another thread, and locking again from the new thread.
+
+Issue was reported and largely analyzed by Bill Meeks.
+
+Bug: #4478
+(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
+---
+ src/flow-hash.c | 1 +
+ src/flow-manager.c | 2 +-
+ src/flow-timeout.c | 1 +
+ src/flow-worker.c | 1 +
+ 4 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/flow-hash.c b/src/flow-hash.c
+index ebbd836e81a..760bc53e0a8 100644
+--- src/flow-hash.c
++++ src/flow-hash.c
+@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
+ f->fb = NULL;
+ f->next = NULL;
+ FlowQueuePrivateAppendFlow(&fls->work_queue, f);
++ FLOWLOCK_UNLOCK(f);
+ } else {
+ /* implied: TCP but our thread does not own it. So set it
+ * aside for the Flow Manager to pick it up. */
+diff --git a/src/flow-manager.c b/src/flow-manager.c
+index d58a49637d6..9228c88490c 100644
+--- src/flow-manager.c
++++ src/flow-manager.c
+@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
+ FlowForceReassemblyNeedReassembly(f) == 1)
+ {
+ FlowForceReassemblyForFlow(f);
++ FLOWLOCK_UNLOCK(f);
+ /* flow ownership is passed to the worker thread */
+
+- /* flow remains locked */
+ counters->flows_aside_needs_work++;
+ continue;
+ }
+diff --git a/src/flow-timeout.c b/src/flow-timeout.c
+index 972b35076bd..d6cca490087 100644
+--- src/flow-timeout.c
++++ src/flow-timeout.c
+@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
+ RemoveFromHash(f, prev_f);
+ f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
+ FlowForceReassemblyForFlow(f);
++ FLOWLOCK_UNLOCK(f);
+ f = next_f;
+ continue;
+ }
+diff --git a/src/flow-worker.c b/src/flow-worker.c
+index 69dbb6ac575..dccf3581dd5 100644
+--- src/flow-worker.c
++++ src/flow-worker.c
+@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
+ {
+ Flow *f;
+ while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
++ FLOWLOCK_WRLOCK(f);
+ f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
+
+ const FlowStateType state = f->flow_state;
diff --git a/security/suricata/pkg-plist b/security/suricata/pkg-plist
index 2b679f9da5c2..5fcb57aa716a 100644
--- a/security/suricata/pkg-plist
+++ b/security/suricata/pkg-plist
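Review bot: In the `ProcessAsideQueue` and `FlowForceReassemblyForHash` hunks the added `FLOWLOCK_UNLOCK(f)` comes after `FlowForceReassemblyForFlow(f)`, while the description says the flow is unlocked before it is handed off. The body of `FlowForceReassemblyForFlow` is not shown, but if that call is what queues the flow for a worker, the worker can already reach `f` while this thread still holds the lock. The visible lines are safe because nothing touches `f` after the unlock (only `counters->flows_aside_needs_work++` and `f = next_f` follow), but that invariant is not written down. I would add a comment at each unlock site, e.g. `/* unlock is the last access: the worker owns f from here on */`, and one beside the new `FLOWLOCK_WRLOCK(f)` in `CheckWorkQueue`, e.g. `/* producers unlock before hand-off; re-lock in the consuming thread */`. All four functions start and end outside their hunks, so the matching unlock in `CheckWorkQueue` cannot be checked from here.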
@@ -1,166 +1,167 @@ bin/suricata %%PYTHON%%bin/suricata-update %%PYTHON%%bin/suricatactl %%PYTHON%%bin/suricatasc include/htp/bstr.h include/htp/bstr_builder.h include/htp/htp.h include/htp/htp_base64.h include/htp/htp_config.h include/htp/htp_connection_parser.h include/htp/htp_core.h include/htp/htp_decompressors.h include/htp/htp_hooks.h include/htp/htp_list.h include/htp/htp_multipart.h include/htp/htp_table.h include/htp/htp_transaction.h include/htp/htp_urlencoded.h include/htp/htp_utf8_decoder.h include/htp/htp_version.h include/htp/lzma/7zTypes.h include/htp/lzma/LzmaDec.h +include/suricata-plugin.h lib/libhtp.a lib/libhtp.so lib/libhtp.so.2 lib/libhtp.so.2.0.0 libdata/pkgconfig/htp.pc man/man1/suricata.1.gz %%PYTHON%%man/man1/suricatactl-filestore.1.gz %%PYTHON%%man/man1/suricatactl.1.gz %%PYTHON%%man/man1/suricatasc.1.gz %%DOCSDIR%%/AUTHORS %%DOCSDIR%%/Basic_Setup.txt %%DOCSDIR%%/GITGUIDE %%DOCSDIR%%/INSTALL %%DOCSDIR%%/INSTALL.PF_RING %%DOCSDIR%%/INSTALL.WINDOWS %%DOCSDIR%%/NEWS %%DOCSDIR%%/README %%DOCSDIR%%/Setting_up_IPSinline_for_Linux.txt %%DOCSDIR%%/TODO %%DOCSDIR%%/Third_Party_Installation_Guides.txt %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata-%%PORTVERSION%%-py%%PYTHON_VER%%.egg-info %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/config/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/config/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/config/defaults.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/config/defaults.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/filestore.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/filestore.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/loghandler.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/loghandler.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/main.py 
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/main.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/test_filestore.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/ctl/test_filestore.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/sc/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/sc/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/sc/specs.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/sc/specs.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/sc/suricatasc.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/sc/suricatasc.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/addsource.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/addsource.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/checkversions.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/checkversions.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/disablesource.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/disablesource.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/enablesource.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/enablesource.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/listsources.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/listsources.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/removesource.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/removesource.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/updatesources.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/commands/updatesources.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/compat/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/compat/__init__.pyc 
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/compat/argparse/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/compat/argparse/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/compat/argparse/argparse.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/compat/argparse/argparse.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/compat/ordereddict.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/compat/ordereddict.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/config.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/config.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/configs/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/configs/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/configs/disable.conf %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/configs/drop.conf %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/configs/enable.conf %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/configs/modify.conf %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/configs/threshold.in %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/configs/update.yaml %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/data/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/data/__init__.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/data/index.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/data/index.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/data/update.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/data/update.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/engine.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/engine.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/exceptions.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/exceptions.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/extract.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/extract.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/loghandler.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/loghandler.pyc 
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/main.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/main.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/maps.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/maps.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/matchers.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/matchers.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/net.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/net.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/notes.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/notes.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/osinfo.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/osinfo.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/parsers.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/parsers.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/rule.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/rule.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/sources.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/sources.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc -%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.1-py%%PYTHON_VER%%.egg-info +%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc %%DATADIR%%/rules/app-layer-events.rules %%DATADIR%%/rules/decoder-events.rules %%DATADIR%%/rules/dhcp-events.rules %%DATADIR%%/rules/dnp3-events.rules %%DATADIR%%/rules/dns-events.rules %%DATADIR%%/rules/files.rules %%DATADIR%%/rules/http-events.rules %%DATADIR%%/rules/ipsec-events.rules %%DATADIR%%/rules/kerberos-events.rules %%DATADIR%%/rules/modbus-events.rules %%DATADIR%%/rules/nfs-events.rules %%DATADIR%%/rules/ntp-events.rules 
%%DATADIR%%/rules/smb-events.rules %%DATADIR%%/rules/smtp-events.rules %%DATADIR%%/rules/stream-events.rules %%DATADIR%%/rules/tls-events.rules @sample %%ETCDIR%%/classification.config.sample @sample %%ETCDIR%%/reference.config.sample @sample %%ETCDIR%%/suricata.yaml.sample @sample %%ETCDIR%%/threshold.config.sample @dir %%DATADIR%% @dir %%DOCSDIR%% @dir %%ETCDIR%% @dir include/htp @dir(root,wheel,0700) /var/log/suricata @postunexec if [ -d %D/%%ETCDIR%% ]; then echo "==> If you are permanently removing this port, run ``rm -rf ${PKG_PREFIX}/%%ETCDIR%%`` to remove configuration files."; fi