Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918589 (CVE-2023-35852, CVE-2023-35853) - <net-analyzer/suricata-6.0.13: multiple vulnerabilities
Summary: <net-analyzer/suricata-6.0.13: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-35852, CVE-2023-35853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-26 03:46 UTC by John Helmert III
Modified: 2023-11-26 03:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-26 03:46:00 UTC
CVE-2023-35852:

In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.

https://github.com/OISF/suricata/commit/aee1523b4591430ebed1ded0bb95508e6717a335
https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17

CVE-2023-35853:

In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.

https://github.com/OISF/suricata/commit/b95bbcc66db526ffcc880eb439dbe8abc87a81da

These do seem fixed in 6.0.13.