CVE-2023-35852-2

commit 735f5aa9ca3b28cfacc7a443f93a44387fbacf17
Author: Jason Ish <jason.ish@oisf.net>
Date:   Tue Jun 6 16:04:56 2023 -0600

    datasets: flag to disable "write" actions

    Add a new configuration flag, "datasets.rules.allow-write" to control
    if rules can contain "save" or "state" rules which allow write access
    to the file system.

    Ticket: #6123

Gbp-Pq: Name CVE-2023-35852-2.patch

diff --git a/src/detect-dataset.c b/src/detect-dataset.c
index de1a5b416a020447a92479e261462829550a4307..5ed31dcb40b3cab908871a6aad3ccab5c530ab62 100644 (file)
--- a/src/detect-dataset.c
+++ b/src/detect-dataset.c
@@ -307,6 +307,15 @@ static int SetupSavePath(const DetectEngineCtx *de_ctx,
 {
     SCLogDebug("save %s", save);
 
+    int allow_save = 1;
+    if (ConfGetBool("datasets.rules.allow-write", &allow_save)) {
+        if (!allow_save) {
+            SCLogError(SC_ERR_INVALID_SIGNATURE,
+                    "Rules containing save/state datasets have been disabled");
+            return -1;
+        }
+    }
+
     int allow_absolute = 0;
     (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute);
     if (allow_absolute) {

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 8dd81215a1e57b6929da318a5c15461182f35c67..9940bf6a707a76df0ddbfa48a849d55f25330d5f 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -982,6 +982,11 @@ asn1-max-frames: 256
 #    # ".." components to reference parent directories in rules that specify
 #    # their filenames.
 #    #allow-absolute-filenames: false
+#
+#    # Allow datasets in rules write access for "save" and
+#    # "state". This is enabled by default, however write access is
+#    # limited to the data directory.
+#    #allow-write: true
 
 ##############################################################################
 ##