Security #6195

closed

process exit in hyperscan error handling

Added by Victor Julien over 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Label:
CVE:
Git IDs:
Severity: HIGH
Disclosure Date:

Description

A malformed rule can cause the process to exit due to hyperscan integration triggering a fatal error if hyperscan can't compile a pattern.

This can happen during a rule upgrade, which would exit the process. The process could then not start back up again until the offending rule is removed.

The issue would be mitigated by using a "test" step in the rule upgrade process. In this case the ruleset update would be rejected.
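
The "test" step mentioned above, sketched as an added shell example (not from the ticket or the Suricata project): the candidate ruleset is loaded by a separate `suricata -T` process, and the live rule file is replaced only if that process exits cleanly. The file paths, the function names and the `SURICATA_BIN` / `SURICATA_YAML` variables are assumptions.

```shell
#!/bin/sh
# Added example: gate a ruleset update behind an engine test run.
# Assumed, not from the ticket: paths, variable and function names.
SURICATA_BIN="${SURICATA_BIN:-suricata}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# test_ruleset FILE: load FILE in a separate, throwaway engine process.
# -T test mode, -S load only this rule file, -l scratch log directory.
# Any non-zero status (error or fatal exit) counts as a failed test.
test_ruleset() {
    scratch=$(mktemp -d) || return 1
    rc=0
    "$SURICATA_BIN" -T -c "$SURICATA_YAML" -S "$1" -l "$scratch" \
        >"$scratch/out" 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || tail -n 5 "$scratch/out" >&2
    rm -rf "$scratch"
    return "$rc"
}

# install_ruleset CANDIDATE LIVE: replace LIVE only if CANDIDATE passes.
# Returns 0 on install, 1 on rejection (LIVE is left untouched).
install_ruleset() {
    candidate=$1
    live=$2
    [ -s "$candidate" ] || { echo "reject: empty candidate" >&2; return 1; }
    if ! test_ruleset "$candidate"; then
        echo "reject: engine test failed, keeping $live" >&2
        return 1
    fi
    # Stage beside the live file so the final rename is atomic.
    tmp="$live.new.$$"
    cp "$candidate" "$tmp" && mv "$tmp" "$live"
}
```

Reload or restart the sensor only after `install_ruleset` returns 0, so a rule that fails to load never reaches the running process.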


Subtasks 1 (0 open, 1 closed)

Security #6196: process exit in hyperscan error handling (6.0.x backport) (Closed, Victor Julien)

Related issues 1 (0 open, 1 closed)

Related to Suricata - Security #6122: lua: flag to disable lua support (Closed, Jason Ish)

#1

Updated by OISF Ticketbot over 1 year ago

  • Subtask #6196 added
#2

Updated by OISF Ticketbot over 1 year ago

  • Label deleted (Needs backport to 6.0)
#3

Updated by Victor Julien over 1 year ago

#4

Updated by Victor Julien over 1 year ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien
#5

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0 to 7.0.1
#6

Updated by Jeff Lucovsky over 1 year ago

I'll take a look at this; can you share the rule that causes hs compilation to fail?

#7

Updated by Victor Julien over 1 year ago

I have a fix and test.

#8

Updated by Victor Julien over 1 year ago

  • Status changed from In Progress to In Review
#9

Updated by Victor Julien over 1 year ago

  • Severity changed from MODERATE to HIGH
#10

Updated by Victor Julien about 1 year ago

  • Status changed from In Review to Resolved
#12

Updated by Victor Julien about 1 year ago

  • Private changed from Yes to No