
Bug 939049 (CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, CVE-2024-38536)

Summary: net-analyzer/suricata: multiple vulnerabilities
Product: Gentoo Security
Reporter: Filip Kobierski <fkobi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: UNCONFIRMED
Severity: normal
CC: maintainer-needed, marek.szuba
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://forum.suricata.io/t/suricata-7-0-6-and-6-0-20-released/4728
Whiteboard: ?? [ebuild]
Package list:
Runtime testing required: ---

Description Filip Kobierski 2024-09-04 12:49:12 UTC
CVE-2024-37151

Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass.

CVE-2024-38534

Crafted modbus traffic can lead to unlimited resource accumulation within a flow.

CVE-2024-38535

Suricata can run out of memory when parsing crafted HTTP/2 traffic.

CVE-2024-38536

A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash.

My PR

I have created a pull request adding 7.0.6, which is said to be safe from those:
https://github.com/gentoo/gentoo/pull/38398
Comment 1 Marek Szuba 2024-12-13 13:38:03 UTC
As of yesterday evening Suricata is now at version 7.0.8, with further CVEs addressed (source: https://forum.suricata.io/t/suricata-7-0-7-released/, https://forum.suricata.io/t/suricata-7-0-8-released/) since Filip's initial report:

CVE-2024-47187: CRITICAL
datasets: missing hashtable random seed leads to potential DoS

CVE-2024-47188: CRITICAL
http/byte-ranges: missing hashtable random seed leads to potential DoS

CVE-2024-47522: HIGH
ja4: invalid alpn leads to panic

CVE-2024-45795: HIGH
detect/datasets: reachable assertion with unimplemented rule option

CVE-2024-45796: HIGH
defrag: off by one can lead to policy bypass

CVE-2024-55605: CRITICAL
Presently undisclosed

CVE-2024-55626: LOW
Presently undisclosed

CVE-2024-55627: CRITICAL
Presently undisclosed

CVE-2024-55628: HIGH
Presently undisclosed

CVE-2024-55629: HIGH
Presently undisclosed

As far as I can see the only thing requiring changing in the existing ebuild will be the minimal supported version of net-libs/libhtp to >=0.5.49.

Speaking of libhtp, 0.5.49 addresses the following:

CVE-2024-45797: CRITICAL
unbounded header handling leads to denial of service

and the version bump should be trivial.

BTW, suricata-7.0.7 and up appear to no longer suffer from Bug #937826 / #940295.
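A way to check an installed system against the minimum versions named in the comment above (7.0.8 for net-analyzer/suricata, 0.5.49 for net-libs/libhtp), as an added example that is not part of the bug report or of Gentoo's own tooling. The `qlist -Iv` lines are constructed sample output, the version comparison is a simplified reading of the PMS version rules (no leading-zero handling for later components), and since the page does not say which of the later CVEs was fixed in 7.0.7 versus 7.0.8, the check reports only whether the installed version is at or above the named minimum.

```python
"""Added example (not from the bug report or Gentoo's own tooling): check
installed Gentoo package versions against the minimum versions named in
comment 1 of this bug."""
import re

# Minimums named in the thread: suricata 7.0.8 and libhtp 0.5.49.  Which CVE
# was fixed in 7.0.7 versus 7.0.8 is not stated on the page, so the audit only
# answers "at or above the minimum or not".
MIN_FIXED = {
    "net-analyzer/suricata": "7.0.8",
    "net-libs/libhtp": "0.5.49",
}

# Gentoo version: 7.0.8, 7.0.8a, 7.0.8_rc1, 7.0.8-r1 ...  Simplified reading of
# the PMS rules (no special handling of leading zeros in later components).
_VER = r"\d+(?:\.\d+)*[a-z]?(?:_(?:alpha|beta|pre|rc|p)\d*)*(?:-r\d+)?"
_VER_RE = re.compile(
    r"(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?"
)
# category/package-version, as printed by `qlist -Iv`; the non-greedy package
# part lets the version start at the last "-digit" boundary.
_ATOM_RE = re.compile(r"(?P<cpn>[^/\s]+/.+?)-(?P<ver>" + _VER + r")")

# _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}


def version_key(ver):
    """Sortable key: (numeric components, letter, suffixes + sentinel, revision)."""
    m = _VER_RE.fullmatch(ver)
    if m is None:
        raise ValueError(f"not a Gentoo version: {ver!r}")
    nums, letter, suffixes, rev = m.groups()
    suffix_key = [(_SUFFIX_RANK[name], int(num or 0))
                  for name, num in re.findall(r"_([a-z]+)(\d*)", suffixes)]
    # Sentinel for "no more suffixes": larger than _rc, smaller than _p.
    suffix_key.append((_SUFFIX_RANK[""], 0))
    return (tuple(int(x) for x in nums.split(".")), letter, suffix_key, int(rev or 0))


def parse_atom(line):
    """Split 'net-analyzer/suricata-7.0.8-r1' into (cpn, version)."""
    m = _ATOM_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a versioned package atom: {line!r}")
    return m.group("cpn"), m.group("ver")


def audit(qlist_output, minimums=MIN_FIXED):
    """Return {cpn: (installed, minimum, at_or_above)} for packages in `minimums`."""
    report = {}
    for line in qlist_output.splitlines():
        if not line.strip():
            continue
        cpn, ver = parse_atom(line)
        if cpn in minimums:
            ok = version_key(ver) >= version_key(minimums[cpn])
            report[cpn] = (ver, minimums[cpn], ok)
    return report


# Constructed sample of `qlist -Iv` output (not captured from a real box).
SAMPLE_QLIST = """\
net-analyzer/suricata-7.0.6
net-libs/libhtp-0.5.48-r1
dev-lang/rust-1.82.0
"""

if __name__ == "__main__":
    for cpn, (have, need, ok) in audit(SAMPLE_QLIST).items():
        print(f"{cpn}: installed {have}, need >={need}: {'ok' if ok else 'UPDATE'}")
```

On a real box feed it the output of `qlist -Iv` (from app-portage/portage-utils) instead of the constructed sample; the revision suffix (`-r1`) is compared after the upstream version, so an `-r` bump of an older upstream release does not count as fixed.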
Comment 2 Hans de Graaff gentoo-dev Security 2024-12-14 08:14:47 UTC
I've reset the whiteboard given that some of the bugs are still undisclosed.