From: Pierre Chifflier Date: Sun, 30 Mar 2025 10:03:02 +0000 (+0200) Subject: CVE-2023-35852-2 X-Git-Tag: archive/raspbian/1%6.0.1-3+rpi1+deb11u1^2~7 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=3d0f525e0527d6531a269a3306c10bfccbb65276;p=suricata.git CVE-2023-35852-2 commit 735f5aa9ca3b28cfacc7a443f93a44387fbacf17 Author: Jason Ish Date: Tue Jun 6 16:04:56 2023 -0600 datasets: flag to disable "write" actions Add a new configuration flag, "datasets.rules.allow-write" to control if rules can contain "save" or "state" rules which allow write access to the file system. Ticket: #6123 Gbp-Pq: Name CVE-2023-35852-2.patch --- diff --git a/src/detect-dataset.c b/src/detect-dataset.c index de1a5b41..5ed31dcb 100644 --- a/src/detect-dataset.c +++ b/src/detect-dataset.c @@ -307,6 +307,15 @@ static int SetupSavePath(const DetectEngineCtx *de_ctx, { SCLogDebug("save %s", save); + int allow_save = 1; + if (ConfGetBool("datasets.rules.allow-write", &allow_save)) { + if (!allow_save) { + SCLogError(SC_ERR_INVALID_SIGNATURE, + "Rules containing save/state datasets have been disabled"); + return -1; + } + } + int allow_absolute = 0; (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute); if (allow_absolute) { diff --git a/suricata.yaml.in b/suricata.yaml.in index 8dd81215..9940bf6a 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -982,6 +982,11 @@ asn1-max-frames: 256 # # ".." components to reference parent directories in rules that specify # # their filenames. # #allow-absolute-filenames: false +# +# # Allow datasets in rules write access for "save" and +# # "state". This is enabled by default, however write access is +# # limited to the data directory. +# #allow-write: true ############################################################################## ##
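Review bot: In the `SetupSavePath` hunk of `src/detect-dataset.c`, the error message should name the option that caused the rejection so an operator can find the setting, e.g. `"Rules containing save/state datasets have been disabled by datasets.rules.allow-write"`; as written, "have been disabled" gives no hint that `datasets.rules.allow-write: false` is the cause. The default (`int allow_save = 1;` when `ConfGetBool` finds no key) agrees with the `#allow-write: true` default documented in `suricata.yaml.in`, which is good, but the commit message says the flag governs both "save" and "state" while the check is only visible inside `SetupSavePath`; the hunk alone does not show that the "state" keyword is routed through this function, so a short comment above the new block (or a note in the commit message) confirming that "state" reaches `SetupSavePath` would make the coverage of the fix verifiable from the diff.

Review bot: In the `suricata.yaml.in` hunk, the comment "write access is limited to the data directory" is only true while the option documented directly above it, `allow-absolute-filenames`, stays at its `false` default; with absolute filenames or ".." components allowed, a save/state rule can write outside the data directory. Suggest qualifying the sentence, e.g. `# # limited to the data directory unless allow-absolute-filenames is enabled.`, so the two options are read together.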