diff --git a/security/zeek/Makefile b/security/zeek/Makefile index 7a33bf518fa0..995decc29172 100644 --- a/security/zeek/Makefile +++ b/security/zeek/Makefile @@ -1,186 +1,185 @@ PORTNAME= zeek -DISTVERSION= 7.0.3 -PORTREVISION= 1 +DISTVERSION= 7.0.4 CATEGORIES= security MASTER_SITES= https://download.zeek.org/ MAINTAINER= leres@FreeBSD.org COMMENT= System for detecting network intruders in real-time WWW= https://www.zeek.org/ LICENSE= CC-BY-4.0 BUILD_DEPENDS= bison>=3.3:devel/bison \ flex>=2.6:textproc/flex \ swig>=4.0.2:devel/swig LIB_DEPENDS= libcares.so:dns/c-ares RUN_DEPENDS= c-ares>=1.25.0:dns/c-ares USES= bison cmake compiler:c++17-lang cpe perl5 python \ shebangfix ssl USE_LDCONFIG= yes EXTRACT_AFTER_ARGS= --exclude ${DISTNAME}/auxil/c-ares \ --no-same-owner --no-same-permissions BINARY_ALIAS= python3=${PYTHON_CMD} PORTSCOUT= limit:^[0-9]*\.0\. CXXFLAGS_powerpc64= -mpower8-vector SHEBANG_FILES= \ auxil/broker/bindings/python/3rdparty/pybind11/docs/conf.py \ auxil/broker/bindings/python/3rdparty/pybind11/setup.py \ auxil/broker/bindings/python/3rdparty/pybind11/tools/make_changelog.py \ auxil/broker/bindings/python/3rdparty/pybind11/tools/setup_global.py.in \ auxil/broker/bindings/python/3rdparty/pybind11/tools/setup_main.py.in \ auxil/btest/btest \ auxil/btest/btest-setsid \ auxil/netcontrol-connectors/acld/acld.py \ auxil/netcontrol-connectors/command-line/command-line.py \ auxil/netcontrol-connectors/openflow/controller.py \ auxil/netcontrol-connectors/test/simple-client.py \ auxil/package-manager/zkg \ auxil/spicy/3rdparty/benchmark/tools/compare.py \ auxil/spicy/3rdparty/benchmark/tools/strip_asm.py \ auxil/spicy/3rdparty/doctest/scripts/bench/bench.py \ auxil/spicy/3rdparty/doctest/scripts/bench/run_all.py \ auxil/spicy/doc/scripts/spicy-doc-to-rst \ auxil/spicy/tests/Scripts/license-header.py \ auxil/spicy/tests/Scripts/stray_baselines.py \ auxil/vcpkg/ports/gobject-introspection/portfile.cmake \ auxil/zeek-aux/devel-tools/github-manage \ auxil/zeek-client/man/build.py \ auxil/zeek-client/zeek-client \ auxil/zeekctl/ZeekControl/test_cli.py \ auxil/zeekctl/auxil/pysubnettree/setup.py \ auxil/zeekctl/auxil/trace-summary/trace-summary \ auxil/zeekctl/bin/stats-to-csv \ auxil/zeekctl/bin/zeekctl.in \ auxil/zeekctl/bin/zeekctld.in \ auxil/zeekctl/testing/Cfg/bin/zeek__test \ auxil/zeekctl/testing/Scripts/diff-to-bytes-output \ auxil/zeekctl/util/extract-strictly-local-conns \ auxil/zeekctl/util/reformat-stats \ ci/collect-repo-info.py \ testing/coverage/coverage_cleanup.py \ testing/scripts/coverage-calc \ testing/scripts/httpd.py SUB_FILES= pkg-message NO_MTREE= yes CMAKE_ON= BROKER_DISABLE_DOC_EXAMPLES BROKER_DISABLE_TESTS \ BUILD_SHARED_LIBS BUILD_STATIC_BROKER INSTALL_AUX_TOOLS CMAKE_ARGS= -DCARES_ROOT_DIR:PATH=${PREFIX} \ -DCMAKE_EXE_LINKER_FLAGS="${OPENSSL_LDFLAGS}" \ -DDISABLE_JAVASCRIPT:BOOL=ON \ -DINSTALL_BTEST:BOOL=OFF \ -DINSTALL_BTEST_PCAPS:BOOL=OFF \ -DINSTALL_ZKG:BOOL=OFF \ -DPY_MOD_INSTALL_DIR:PATH=${PREFIX}/lib/zeekctl \ -DZEEK_ETC_INSTALL_DIR:PATH=${PREFIX}/etc \ -DZEEK_ROOT_DIR:PATH=${PREFIX} \ -DZEEK_SCRIPT_INSTALL_PATH:PATH=${PREFIX}/share/zeek ZEEKUSER?= zeek ZEEKGROUP?= zeek PLIST_SUB+= ZEEKGROUP=${ZEEKGROUP} \ ZEEKUSER=${ZEEKUSER} USERS= ${ZEEKUSER} GROUPS= ${ZEEKGROUP} OPTIONS_DEFINE= GEOIP2 IPSUMDUMP LBL_CF LBL_HF PERFTOOLS SPICY ZEEKCTL \ ZKG OPTIONS_SINGLE= BUILD_TYPE OPTIONS_SINGLE_BUILD_TYPE= DEBUG MINSIZEREL RELEASE RELWITHDEBINFO OPTIONS_DEFAULT= GEOIP2 IPSUMDUMP LBL_CF LBL_HF RELEASE ZEEKCTL \ ZKG OPTIONS_DEFAULT_aarch64= SPICY OPTIONS_DEFAULT_amd64= SPICY OPTIONS_DEFAULT_armv6= SPICY OPTIONS_DEFAULT_armv7= SPICY OPTIONS_DEFAULT_i386= SPICY OPTIONS_SUB= yes DEBUG_DESC= Optimizations off, debug symbols/flags on GEOIP2_DESC= Build with GeoIP2 (MaxMindDB) support IPSUMDUMP_DESC= Enables traffic summaries LBL_CF_DESC= Unix time to formated time/date filter support LBL_HF_DESC= Address to hostname filter support MINSIZEREL_DESC= Optimizations on, debug symbols/flags off PERFTOOLS_DESC= Use Perftools to improve memory & CPU usage RELEASE_DESC= Optimizations on, debug symbols/flags off RELWITHDEBINFO_DESC= Optimizations/debug symbols on, debug flags off SPICY_DESC= Enable the Spicy parser generator ZEEKCTL_DESC= ZeekControl support (implies IPSUMDUMP) ZKG_DESC= Zeek package manager support ZEEKCTL_IMPLIES= IPSUMDUMP GEOIP2_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb IPSUMDUMP_BUILD_DEPENDS= ipsumdump:net/ipsumdump IPSUMDUMP_RUN_DEPENDS= ipsumdump:net/ipsumdump LBL_CF_RUN_DEPENDS= ${LOCALBASE}/bin/cf:sysutils/lbl-cf LBL_HF_RUN_DEPENDS= ${LOCALBASE}/bin/hf:sysutils/lbl-hf PERFTOOLS_BUILD_DEPENDS= ${LOCALBASE}/bin/perftools-pprof:devel/google-perftools PERFTOOLS_CMAKE_BOOL= ENABLE_PERFTOOLS PERFTOOLS_RUN_DEPENDS= ${LOCALBASE}/bin/perftools-pprof:devel/google-perftools SPICY_CMAKE_OFF= -DDISABLE_SPICY=ON ZEEKCTL_BUILD_DEPENDS= ${LOCALBASE}/bin/bash:shells/bash \ ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR} ZEEKCTL_CMAKE_BOOL= INSTALL_ZEEKCTL ZEEKCTL_RUN_DEPENDS= ${LOCALBASE}/bin/bash:shells/bash \ ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR} ZKG_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}zkg>=2.7.1:security/py-zkg@${PY_FLAVOR} .include .if ${PORT_OPTIONS:MDEBUG} CMAKE_BUILD_TYPE= Debug STRIP= .elif ${PORT_OPTIONS:MMINSIZEREL} CMAKE_BUILD_TYPE= MinSizeRel .elif ${PORT_OPTIONS:MRELEASE} CMAKE_BUILD_TYPE= Release .elif ${PORT_OPTIONS:MRELWITHDEBINFO} CMAKE_BUILD_TYPE= RelWithDebInfo STRIP= .endif .if ${PORT_OPTIONS:MZEEKCTL} USE_RC_SUBR= zeek .endif post-install-ZEEKCTL-on: ${MKDIR} ${STAGEDIR}${PREFIX}/logs ${MKDIR} ${STAGEDIR}${PREFIX}/spool/tmp ${MKDIR} ${STAGEDIR}${PREFIX}/spool/installed-scripts-do-not-touch/auto ${MKDIR} ${STAGEDIR}${PREFIX}/spool/installed-scripts-do-not-touch/site .for F in zeekctl.cfg networks.cfg node.cfg ${MV} ${STAGEDIR}${PREFIX}/etc/${F} ${STAGEDIR}${PREFIX}/etc/${F}.sample .endfor ${RM} ${STAGEDIR}${PREFIX}/share/zeekctl/scripts/zeekctl-config.sh ${LN} -s ../../../spool/zeekctl-config.sh \ ${STAGEDIR}${PREFIX}/share/zeekctl/scripts/zeekctl-config.sh ${RM} ${STAGEDIR}${PREFIX}/lib/broctl ${LN} -s zeek/python/zeekctl ${STAGEDIR}${PREFIX}/lib/broctl post-install: ${MV} ${STAGEDIR}${DATADIR}/site/local.zeek \ ${STAGEDIR}${DATADIR}/site/local.zeek.sample @${RM} -rf ${STAGEDIR}${PREFIX}/var @${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/zeek-cut post-install-SPICY-on: @${RM} -rf ${STAGEDIR}${PREFIX}/include/hilti/rt/3rdparty/SafeInt/Archive @${RM} -rf ${STAGEDIR}${PREFIX}/include/hilti/rt/3rdparty/SafeInt/Test pre-install-ZEEKCTL-on: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/rc.d .include diff --git a/security/zeek/distinfo b/security/zeek/distinfo index f2b29e55f71b..7d22239a347e 100644 --- a/security/zeek/distinfo +++ b/security/zeek/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1728089705 -SHA256 (zeek-7.0.3.tar.gz) = 029e389f5405d8831657202a7be542be756a8c5811bfaab7376c1c6b10e1d9e3 -SIZE (zeek-7.0.3.tar.gz) = 95797500 +TIMESTAMP = 1732051259 +SHA256 (zeek-7.0.4.tar.gz) = 131050fee95fd76400322cc9e80db6d797e296361d43e3fb10f3ceb1bf93428e +SIZE (zeek-7.0.4.tar.gz) = 95853546 diff --git a/security/zeek/files/patch-src_DFA.cc b/security/zeek/files/patch-src_DFA.cc deleted file mode 100644 index e02f84c79790..000000000000 --- a/security/zeek/files/patch-src_DFA.cc +++ /dev/null @@ -1,32 +0,0 @@ ---- src/DFA.cc.orig 2024-10-04 22:44:09 UTC -+++ src/DFA.cc -@@ -2,8 +2,6 @@ - - #include "zeek/DFA.h" - --#include "zeek/zeek-config.h" -- - #include "zeek/Desc.h" - #include "zeek/EquivClass.h" - #include "zeek/Hash.h" -@@ -265,9 +263,9 @@ DFA_State* DFA_State_Cache::Lookup(const NFA_state_lis - DFA_State* DFA_State_Cache::Lookup(const NFA_state_list& nfas, DigestStr* digest) { - // We assume that state ID's don't exceed 10 digits, plus - // we allow one more character for the delimiter. -- auto id_tag_buf = std::make_unique(nfas.length() * 11 + 1); -+ auto id_tag_buf = std::make_unique(nfas.length() * 11 + 1); - auto id_tag = id_tag_buf.get(); -- u_char* p = id_tag; -+ char* p = id_tag; - - for ( int i = 0; i < nfas.length(); ++i ) { - NFA_State* n = nfas[i]; -@@ -287,7 +285,7 @@ DFA_State* DFA_State_Cache::Lookup(const NFA_state_lis - // HashKey because the data is copied into the key. - hash128_t hash; - KeyedHash::Hash128(id_tag, p - id_tag, &hash); -- *digest = DigestStr(reinterpret_cast(hash), 16); -+ *digest = DigestStr(reinterpret_cast(hash), 16); - - auto entry = states.find(*digest); - if ( entry == states.end() ) { diff --git a/security/zeek/files/patch-src_DFA.h b/security/zeek/files/patch-src_DFA.h deleted file mode 100644 index 54ee7706a457..000000000000 --- a/security/zeek/files/patch-src_DFA.h +++ /dev/null @@ -1,29 +0,0 @@ ---- src/DFA.h.orig 2024-10-04 22:44:09 UTC -+++ src/DFA.h -@@ -2,7 +2,7 @@ - - #pragma once - --#include // for u_char -+#include - #include - #include - #include -@@ -18,7 +18,7 @@ class DFA_Machine; - - // Transitions to the uncomputed state indicate that we haven't yet - // computed the state to go to. --#define DFA_UNCOMPUTED_STATE -2 -+#define DFA_UNCOMPUTED_STATE (-2) - #define DFA_UNCOMPUTED_STATE_PTR ((DFA_State*)DFA_UNCOMPUTED_STATE) - - class DFA_State : public Obj { -@@ -67,7 +67,7 @@ class DFA_State : public Obj { (protected) - DFA_State* mark; - }; - --using DigestStr = std::basic_string; -+using DigestStr = std::string; - - struct DFA_State_Cache_Stats { - // Sum of all NFA states diff --git a/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc b/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc deleted file mode 100644 index c451c310b38d..000000000000 --- a/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc +++ /dev/null @@ -1,83 +0,0 @@ ---- src/analyzer/protocol/ssl/SSL.cc.orig 2024-10-04 22:44:09 UTC -+++ src/analyzer/protocol/ssl/SSL.cc -@@ -5,7 +5,6 @@ - #include - - #include "zeek/Reporter.h" --#include "zeek/analyzer/Manager.h" - #include "zeek/analyzer/protocol/ssl/events.bif.h" - #include "zeek/analyzer/protocol/ssl/ssl_pac.h" - #include "zeek/analyzer/protocol/ssl/tls-handshake_pac.h" -@@ -32,11 +31,11 @@ static inline T LSB(const T a) { - return (a & 0xff); - } - --static std::basic_string fmt_seq(uint32_t num) { -- std::basic_string out(4, '\0'); -+static std::string fmt_seq(uint32_t num) { -+ std::string out(4, '\0'); - out.reserve(13); - uint32_t netnum = htonl(num); -- out.append(reinterpret_cast(&netnum), 4); -+ out.append(reinterpret_cast(&netnum), 4); - out.append(5, '\0'); - return out; - } -@@ -266,13 +265,13 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, - // server write_key - const u_char* s_wk = keys.data() + 32; - // client IV -- const u_char* c_iv = keys.data() + 64; -+ const char* c_iv = reinterpret_cast(keys.data()) + 64; - // server IV -- const u_char* s_iv = keys.data() + 68; -+ const char* s_iv = reinterpret_cast(keys.data()) + 68; - - // FIXME: should we change types here? -- u_char* encrypted = (u_char*)data; -- size_t encrypted_len = len; -+ char* encrypted = (char*)data; -+ int encrypted_len = len; - - if ( is_orig ) - c_seq++; -@@ -280,7 +279,7 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, - s_seq++; - - // AEAD nonce, length 12 -- std::basic_string s_aead_nonce; -+ std::string s_aead_nonce; - if ( is_orig ) - s_aead_nonce.assign(c_iv, 4); - else -@@ -306,14 +305,14 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, - - // FIXME: aes_256_gcm should not be hardcoded here ;) - if ( is_orig ) -- EVP_DecryptInit(ctx, EVP_aes_256_gcm(), c_wk, s_aead_nonce.data()); -+ EVP_DecryptInit(ctx, EVP_aes_256_gcm(), c_wk, reinterpret_cast(s_aead_nonce.data())); - else -- EVP_DecryptInit(ctx, EVP_aes_256_gcm(), s_wk, s_aead_nonce.data()); -+ EVP_DecryptInit(ctx, EVP_aes_256_gcm(), s_wk, reinterpret_cast(s_aead_nonce.data())); - - EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, encrypted + encrypted_len); - - // AEAD tag -- std::basic_string s_aead_tag; -+ std::string s_aead_tag; - if ( is_orig ) - s_aead_tag = fmt_seq(c_seq); - else -@@ -330,8 +329,10 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, - 16); // see OpenSSL manpage - 16 is the block size for the supported cipher - int decrypted_len = 0; - -- EVP_DecryptUpdate(ctx, NULL, &decrypted_len, s_aead_tag.data(), s_aead_tag.size()); -- EVP_DecryptUpdate(ctx, decrypted.data(), &decrypted_len, (const u_char*)encrypted, encrypted_len); -+ EVP_DecryptUpdate(ctx, NULL, &decrypted_len, reinterpret_cast(s_aead_tag.data()), -+ s_aead_tag.size()); -+ EVP_DecryptUpdate(ctx, decrypted.data(), &decrypted_len, reinterpret_cast(encrypted), -+ encrypted_len); - assert(static_cast(decrypted_len) <= decrypted.size()); - decrypted.resize(decrypted_len); -