This release fixes the following security issues:

- Fix potential stack overflow in NVT analyzer (3b51d72)

  The NVT_Analyzer (e.g. as instantiated to support the FTP analyzer)
  uses a recursive parsing function that may only advance one byte at a
  time and can easily cause a stack overflow as a result.

  Credit to OSS-Fuzz for discovery:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22898

- Fix NVT analyzer memory leak from multiple telnet authn name options (e532335)

  Credit to OSS-Fuzz for discovery:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23069

- Fix multiple content-transfer-encoding headers causing a memory leak (0195880)

  The MIME analyzer leaks memory if it sees many content-transfer-encoding
  headers or also if it sees many multipart boundary parameters.

  Credit to OSS-Fuzz for discovery:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22871

- Fix potential leak of Analyzers added to tree during Analyzer::Done (d2eb701)

  It may be possible for remote sources of analyzed packets to specifically
  craft traffic to trigger this behavior.

  Credit to OSS-Fuzz for discovery:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22630

- Prevent IP fragment reassembly on packets without minimal IP header (a2f2f7a)

  The IP fragment reassembly process assumes a packet contains at least
  the minimum IP header, but such a check did not previously occur,
  resulting in a heap buffer over-read. For example, a self-reported
  IPv4 IHL field with a value less than minimum IPv4 header length of
  20 bytes. Such packets likely aren't routable on their own, but one
  can create an artificial pcap like that or possibly encapsulate it
  within another protocol to trigger this bug.
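The NVT fix above describes a parser that recurses once per input byte, so stack depth is bounded only by attacker-supplied input length. The following is an added illustration of that bug class and its usual remedy; it is not Zeek's NVT_Analyzer code, and the command set, function names and the constructed sample buffer are assumptions made here. Both functions count telnet IAC commands (RFC 854) in a buffer; the recursive one consumes one stack frame per byte, the iterative one runs the same state machine with constant stack.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Telnet NVT command bytes (RFC 854). */
#define TN_IAC  0xFF
#define TN_WILL 0xFB
#define TN_WONT 0xFC
#define TN_DO   0xFD
#define TN_DONT 0xFE

/* The pattern the fix describes: one stack frame per input byte.
 * Returns the number of IAC commands seen. Stack depth grows with len,
 * so an attacker-sized buffer exhausts the stack. Kept here only to
 * show the shape of the bug; do not use on untrusted input. */
long count_commands_recursive(const uint8_t *buf, size_t len)
{
    if (len == 0)
        return 0;
    if (buf[0] != TN_IAC)
        return count_commands_recursive(buf + 1, len - 1);      /* advance one byte */
    if (len >= 2 && buf[1] == TN_IAC)                            /* IAC IAC: escaped literal 0xFF */
        return count_commands_recursive(buf + 2, len - 2);
    if (len >= 3 && buf[1] >= TN_WILL && buf[1] <= TN_DONT)      /* IAC <WILL|WONT|DO|DONT> <option> */
        return 1 + count_commands_recursive(buf + 3, len - 3);
    if (len >= 2)                                                /* IAC <command> with no option byte */
        return 1 + count_commands_recursive(buf + 2, len - 2);
    return 0;                                                    /* trailing lone IAC: ignore */
}

/* Hardened form: identical state machine as a loop, constant stack use. */
long count_commands_iterative(const uint8_t *buf, size_t len)
{
    long n = 0;
    size_t i = 0;
    while (i < len) {
        if (buf[i] != TN_IAC) { i++; continue; }
        if (i + 1 >= len) break;                                 /* trailing lone IAC */
        if (buf[i + 1] == TN_IAC) { i += 2; continue; }          /* escaped literal */
        n++;
        i += (buf[i + 1] >= TN_WILL && buf[i + 1] <= TN_DONT) ? 3 : 2;
    }
    return n;
}

/* Constructed sample stream: 3 commands, one escaped 0xFF literal. */
const uint8_t SAMPLE_NVT[] = {
    'h', 'e', 'l', 'l', 'o',
    TN_IAC, TN_DO, 0x18,        /* IAC DO TERMINAL-TYPE */
    'x', TN_IAC, TN_IAC,        /* escaped literal 0xFF, not a command */
    TN_IAC, TN_WILL, 0x01,      /* IAC WILL ECHO */
    TN_IAC, 0xF4                /* IAC IP (interrupt process), no option byte */
};

long sample_count_recursive(void) { return count_commands_recursive(SAMPLE_NVT, sizeof SAMPLE_NVT); }
long sample_count_iterative(void) { return count_commands_iterative(SAMPLE_NVT, sizeof SAMPLE_NVT); }

/* n filler bytes followed by one IAC DO ECHO; only the iterative scanner is safe here. */
long large_count_iterative(size_t n)
{
    uint8_t *b = malloc(n + 3);
    if (!b) return -1;
    memset(b, 'a', n);
    b[n] = TN_IAC; b[n + 1] = TN_DO; b[n + 2] = 0x01;
    long r = count_commands_iterative(b, n + 3);
    free(b);
    return r;
}

int main(void)
{
    printf("sample: recursive=%ld iterative=%ld\n", sample_count_recursive(), sample_count_iterative());
    printf("4 MiB stream: iterative=%ld\n", large_count_iterative((size_t)4 << 20));
    return 0;
}
```

Running the recursive scanner on the 4 MiB stream instead would need a few million stack frames, which is exactly how a fuzzer finds this class of bug; the fix is the loop, not a larger stack.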
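The fragment-reassembly fix above boils down to validating the fixed IPv4 header before any fragment bookkeeping touches the buffer. The following is an added example of such a check, written for this page rather than taken from Zeek; the function names, return codes and the three constructed sample packets are assumptions. It rejects a capture shorter than 20 bytes, an IHL below 5 (the case named in the advisory), an IHL that claims options the buffer does not hold, and a total length inconsistent with either, and only then exposes the fragment fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPV4_MIN_HDR_LEN 20

typedef struct {
    size_t   hdr_len;         /* IHL * 4, in bytes */
    uint16_t total_len;       /* Total Length field, in bytes */
    uint16_t id;              /* Identification, used to group fragments */
    int      more_fragments;  /* MF flag */
    uint16_t frag_offset;     /* Fragment Offset converted to bytes (field * 8) */
    uint8_t  proto;           /* Protocol */
} ipv4_hdr_t;

/* Validates the fixed IPv4 header. Returns 0 and fills *out (if non-NULL)
 * on success, a negative code otherwise. Every rejection here is one the
 * reassembler would otherwise only discover by reading past the buffer. */
int ipv4_check_for_reassembly(const uint8_t *pkt, size_t len, ipv4_hdr_t *out)
{
    if (pkt == NULL || len < IPV4_MIN_HDR_LEN)
        return -1;                      /* not even a minimal header in the capture */
    if ((pkt[0] >> 4) != 4)
        return -2;                      /* version nibble is not 4 */
    size_t hdr_len = (size_t)(pkt[0] & 0x0F) * 4;
    if (hdr_len < IPV4_MIN_HDR_LEN)
        return -3;                      /* self-reported IHL below 5: the advisory's example */
    if (hdr_len > len)
        return -4;                      /* IHL claims options the buffer does not contain */
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (total_len < hdr_len || total_len > len)
        return -5;                      /* Total Length inconsistent with header or capture */
    uint16_t flags_off = (uint16_t)((pkt[6] << 8) | pkt[7]);
    if (out) {
        out->hdr_len        = hdr_len;
        out->total_len      = total_len;
        out->id             = (uint16_t)((pkt[4] << 8) | pkt[5]);
        out->more_fragments = (flags_off & 0x2000) != 0;
        out->frag_offset    = (uint16_t)((flags_off & 0x1FFF) * 8);
        out->proto          = pkt[9];
    }
    return 0;
}

/* 1 if the packet is a fragment, 0 if whole, negative if the header is rejected.
 * Rejected packets never reach fragment handling, which is the point of the fix. */
int ipv4_is_fragment(const uint8_t *pkt, size_t len)
{
    ipv4_hdr_t h;
    int rc = ipv4_check_for_reassembly(pkt, len, &h);
    if (rc < 0)
        return rc;
    return (h.more_fragments || h.frag_offset != 0) ? 1 : 0;
}

/* Constructed samples: 20-byte header plus 8 payload bytes, checksum left zero
 * (it is not verified here). Only the first byte and the flags/offset differ. */
const uint8_t PKT_FIRST_FRAG[] = {
    0x45, 0x00, 0x00, 0x1c,  /* v4, IHL=5, Total Length 28 */
    0xab, 0xcd, 0x20, 0x00,  /* id 0xabcd, MF set, offset 0 */
    0x40, 0x11, 0x00, 0x00,  /* TTL 64, UDP, checksum 0 */
    0x0a, 0x00, 0x00, 0x01,  /* 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02,  /* 10.0.0.2 */
    0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};
const uint8_t PKT_WHOLE[] = {
    0x45, 0x00, 0x00, 0x1c,
    0xab, 0xce, 0x40, 0x00,  /* DF set, MF clear, offset 0: not a fragment */
    0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
    0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};
const uint8_t PKT_BAD_IHL[] = {
    0x42, 0x00, 0x00, 0x1c,  /* IHL=2: claims an 8-byte header, below the 20-byte minimum */
    0xab, 0xcd, 0x20, 0x00,
    0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
    0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

int main(void)
{
    printf("first fragment: %d\n", ipv4_is_fragment(PKT_FIRST_FRAG, sizeof PKT_FIRST_FRAG));
    printf("whole packet:   %d\n", ipv4_is_fragment(PKT_WHOLE, sizeof PKT_WHOLE));
    printf("IHL=2 packet:   %d\n", ipv4_is_fragment(PKT_BAD_IHL, sizeof PKT_BAD_IHL));
    printf("12-byte capture: %d\n", ipv4_is_fragment(PKT_FIRST_FRAG, 12));
    return 0;
}
```

The advisory's point about routability applies here too: PKT_BAD_IHL would not survive a real router, but a hand-built pcap or a tunnelled inner packet delivers it to the analyzer unchanged, so the length checks have to sit in front of the reassembler rather than be assumed from the wire.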
Also fixed are the following bugs:

- Limit rate of logging MaxMind DB diagnostic messages (#963)
- Fix wrong return value type for topk_get_top() BIF (#996)
- Fix opaque Broker types lacking a Type after (de)serialization (#984)
- Fix lack of descriptive printing for intervals converted from double_to_interval() (e17487e)
- Fix some cases of known-services not being logged (#965, 2f918ed)
Reminder: Zeek 3.0.x is a Long-Term Support release, receiving bug fixes until at least October 2020.