[Zeek-Announce] Bro 2.6.2 release (security update)

Thu May 30 09:29:35 PDT 2019

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A security patch release, Bro v2.6.2, is now available for download:

  https://www.zeek.org/download/index.html

The following Denial of Service vulnerabilities are addressed:

* Integer type mismatches in BinPAC-generated parser code and Bro
  analyzer code may allow for crafted packet data to cause
  unintentional code paths in the analysis logic to be taken due to
  unsafe integer conversions causing the parser and analysis logic
  to each expect different fields to have been parsed.  One such
  example, reported by Maksim Shudrak, causes the Kerberos analyzer
  to dereference a null pointer.  CVE-2019-12175 was assigned for
  this issue.

* The Kerberos parser allows for several fields to be left
  uninitialized, but they were not marked with an &optional attribute
  and several usages lacked existence checks.  Crafted packet data
  could potentially cause an attempt to access such uninitialized
  fields, generate a runtime error/exception, and leak memory.
  Existence checks and &optional attributes have been added to the
  relevent Kerberos fields.

* BinPAC-generated protocol parsers commonly contain fields whose
  length is derived from other packet input, and for those that allow
  for incremental parsing, BinPAC did not impose a limit on how
  large such a field could grow, allowing for remotely-controlled
  packet data to cause growth of BinPAC's flowbuffer bounded only
  by the numeric limit of an unsigned 64-bit integer, leading
  to memory exhaustion.  There is now a generalized limit for
  how large flowbuffers are allowed to grow, tunable by setting
  "BinPAC::flowbuffer_capacity_max".