Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918589 (CVE-2023-35852, CVE-2023-35853)

Summary: <net-analyzer/suricata-6.0.13: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: marecki
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-26 03:46:00 UTC 
CVE-2023-35852:

In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.

https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335
https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17

CVE-2023-35853:

In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.

https://github.com/OISF/suricata/commit/b95bbcc66db526ffcc880eb439dbe8abc87a81da

These do seem fixed in 6.0.13.
Comment 1 Hans de Graaff gentoo-dev Security 2024-04-24 12:59:39 UTC 
No stable versions for this package. Adjusted severity accordingly and that means we are all done.