Bug 2235688 (CVE-2023-40857)

Summary: CVE-2023-40857 yara: buffer overflow that allows a remote attacker to execute arbitrary code via the yr_execute_cod function
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: mhuth
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the yara library. This issue occurs due to a buffer overflow vulnerability in the exe.c component that allows a remote attacker to execute arbitrary code via the yr_execute_cod function.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-31 12:13:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2235690, 2235691, 2235772, 2235773
Bug Blocks: 2235693

Description Marian Rehak 2023-08-29 13:23:25 UTC
Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 allows a remote attacker to execute arbitrary code via the yr_execute_cod function in the exe.c component.

https://github.com/VirusTotal/yara/issues/1945

Comment 2 Sandipan Roy 2023-08-29 17:07:49 UTC
As per upstream discussion, this is not a security issue or even a normal issue;
untrusted yara rules are not supported by its design.

See, 
https://github.com/VirusTotal/yara/issues/1948
https://github.com/VirusTotal/yara/issues/891

Comment 3 Sandipan Roy 2023-08-29 17:15:06 UTC
Created yara tracking bugs for this issue:

Affects: epel-all [bug 2235772]
Affects: fedora-all [bug 2235773]

Comment 4 Mark Huth 2023-08-31 12:13:31 UTC
The Insights Malware app only supports running the rules file we provide to the customer. We ensure the rules file we provide runs without failure in yara and is not corrupted. We can't do much about customers choosing to run their own rules files and crashing yara if the rules file they provide is corrupt. That is not supported by the malware app. And it also seems that the Yara maintainers themselves see this as a problem they are willing to accept and won't be fixing. The upstream issue mentioned in the first comment - https://github.com/VirusTotal/yara/issues/1945 - has been closed as essentially WONTFIX. As a result, I'm going to close the bugzilla WONTFIX as well.