[Bug 1595350] Re: Linux netfilter local privilege escalation issues

 

** Description changed:

  The upstream stable rc git tree
  (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-
  rc.git/log/?h=linux-4.6.y) currently has the following commits for
  netfilter that address (with unprivileged user namespaces enabled) local
  privilege escalation. These are the commit references in linus' tree:
  
- f24e230d257af1ad7476c6e81a8dc3127a74204e netfilter: x_tables: don't move to non-existent next rule 
- 36472341017529e2b12573093cc0f68719300997 netfilter: x_tables: validate targets of jumps
- 7d35812c3214afa5b37a675113555259cfd67b98 netfilter: x_tables: add and use xt_check_entry_offsets
- aa412ba225dd3bc36d404c28cdc3d674850d80d0 netfilter: x_tables: kill check_entry helper
- a08e4e190b866579896c09af59b3bdca821da2cd netfilter: x_tables: assert minimum target size
- fc1221b3a163d1386d1052184202d5dc50d302d1 netfilter: x_tables: add compat version of xt_check_entry_offsets
- 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44 netfilter: x_tables: check standard target size too
- ce683e5f9d045e5d67d1312a42b359cb2ab2a13c netfilter: x_tables: check for bogus target offset
- 13631bfc604161a9d69cd68991dff8603edd66f9 netfilter: x_tables: validate all offsets and sizes in a rule
- 7b7eba0f3515fca3296b8881d583f7c1042f5226 netfilter: x_tables: don't reject valid target size on some architectures
+ f24e230d257af1ad7476c6e81a8dc3127a74204e
+    netfilter: x_tables: don't move to non-existent next rule
+ 36472341017529e2b12573093cc0f68719300997
+    netfilter: x_tables: validate targets of jumps
+ 7d35812c3214afa5b37a675113555259cfd67b98
+    netfilter: x_tables: add and use xt_check_entry_offsets
+ aa412ba225dd3bc36d404c28cdc3d674850d80d0
+    netfilter: x_tables: kill check_entry helper
+ a08e4e190b866579896c09af59b3bdca821da2cd
+    netfilter: x_tables: assert minimum target size
+ fc1221b3a163d1386d1052184202d5dc50d302d1
+    netfilter: x_tables: add compat version of xt_check_entry_offsets
+ 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44
+    netfilter: x_tables: check standard target size too
+ ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
+    netfilter: x_tables: check for bogus target offset
+ 13631bfc604161a9d69cd68991dff8603edd66f9
+    netfilter: x_tables: validate all offsets and sizes in a rule
+ 7b7eba0f3515fca3296b8881d583f7c1042f5226
+    netfilter: x_tables: don't reject valid target size on some architectures
+ 8dddd32756f6fe8e4e82a63361119b7e2384e02f
+    netfilter: arp_tables: simplify translate_compat_table args
+ 7d3f843eed29222254c9feab481f55175a1afcc9
+    netfilter: ip_tables: simplify translate_compat_table args
+ 329a0807124f12fe1c8032f95d8a8eb47047fb0e
+    netfilter: ip6_tables: simplify translate_compat_table args
+ 0188346f21e6546498c2a0f84888797ad4063fc5
+    netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
+ 09d9686047dbbe1cf4faa558d3ecc4aae2046054
+    netfilter: x_tables: do compat validation via translate_table
+ d7591f0c41ce3e67600a982bab6989ef0f07b3ce
+    netfilter: x_tables: introduce and use xt_copy_counters_from_user
  
  CRD: Public

** Description changed:

  The upstream stable rc git tree
  (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-
  rc.git/log/?h=linux-4.6.y) currently has the following commits for
  netfilter that address (with unprivileged user namespaces enabled) local
  privilege escalation. These are the commit references in linus' tree:
  
  f24e230d257af1ad7476c6e81a8dc3127a74204e
-    netfilter: x_tables: don't move to non-existent next rule
+    netfilter: x_tables: don't move to non-existent next rule
  36472341017529e2b12573093cc0f68719300997
-    netfilter: x_tables: validate targets of jumps
+    netfilter: x_tables: validate targets of jumps
  7d35812c3214afa5b37a675113555259cfd67b98
-    netfilter: x_tables: add and use xt_check_entry_offsets
+    netfilter: x_tables: add and use xt_check_entry_offsets
  aa412ba225dd3bc36d404c28cdc3d674850d80d0
-    netfilter: x_tables: kill check_entry helper
+    netfilter: x_tables: kill check_entry helper
  a08e4e190b866579896c09af59b3bdca821da2cd
-    netfilter: x_tables: assert minimum target size
+    netfilter: x_tables: assert minimum target size
  fc1221b3a163d1386d1052184202d5dc50d302d1
-    netfilter: x_tables: add compat version of xt_check_entry_offsets
+    netfilter: x_tables: add compat version of xt_check_entry_offsets
  7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44
-    netfilter: x_tables: check standard target size too
+    netfilter: x_tables: check standard target size too
  ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
-    netfilter: x_tables: check for bogus target offset
+    netfilter: x_tables: check for bogus target offset
  13631bfc604161a9d69cd68991dff8603edd66f9
-    netfilter: x_tables: validate all offsets and sizes in a rule
+    netfilter: x_tables: validate all offsets and sizes in a rule
  7b7eba0f3515fca3296b8881d583f7c1042f5226
-    netfilter: x_tables: don't reject valid target size on some architectures
+    netfilter: x_tables: don't reject valid target size on some architectures
  8dddd32756f6fe8e4e82a63361119b7e2384e02f
-    netfilter: arp_tables: simplify translate_compat_table args
+    netfilter: arp_tables: simplify translate_compat_table args
  7d3f843eed29222254c9feab481f55175a1afcc9
-    netfilter: ip_tables: simplify translate_compat_table args
+    netfilter: ip_tables: simplify translate_compat_table args
  329a0807124f12fe1c8032f95d8a8eb47047fb0e
-    netfilter: ip6_tables: simplify translate_compat_table args
+    netfilter: ip6_tables: simplify translate_compat_table args
  0188346f21e6546498c2a0f84888797ad4063fc5
-    netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
+    netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
  09d9686047dbbe1cf4faa558d3ecc4aae2046054
-    netfilter: x_tables: do compat validation via translate_table
+    netfilter: x_tables: do compat validation via translate_table
  d7591f0c41ce3e67600a982bab6989ef0f07b3ce
-    netfilter: x_tables: introduce and use xt_copy_counters_from_user
+    netfilter: x_tables: introduce and use xt_copy_counters_from_user
+ 
+ They have also been backported to the 4.4
+ (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-
+ rc.git/log/?h=linux-4.4.y) and 3.14
+ (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-
+ rc.git/log/?h=linux-3.14.y) stable trees, with 3 additional prerequisite
+ backported commits:
+ 
+ bdf533de6968e9686df777dc178486f600c6e617
+    netfilter: x_tables: validate e->target_offset early
+ 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
+    netfilter: x_tables: make sure e->next_offset covers remaining blob size
+ 54d83fc74aa9ec72794373cb47432c5f7fb1a309
+    netfilter: x_tables: fix unconditional helper
  
  CRD: Public

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1595350

Title:
  Linux netfilter local privilege escalation issues

Status in linux package in Ubuntu:
  New

Bug description:
  The upstream stable rc git tree
  (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-4.6.y)
  currently has the following commits for netfilter that address (with
  unprivileged user namespaces enabled) local privilege escalation. These
  are the commit references in Linus' tree:

  f24e230d257af1ad7476c6e81a8dc3127a74204e
     netfilter: x_tables: don't move to non-existent next rule
  36472341017529e2b12573093cc0f68719300997
     netfilter: x_tables: validate targets of jumps
  7d35812c3214afa5b37a675113555259cfd67b98
     netfilter: x_tables: add and use xt_check_entry_offsets
  aa412ba225dd3bc36d404c28cdc3d674850d80d0
     netfilter: x_tables: kill check_entry helper
  a08e4e190b866579896c09af59b3bdca821da2cd
     netfilter: x_tables: assert minimum target size
  fc1221b3a163d1386d1052184202d5dc50d302d1
     netfilter: x_tables: add compat version of xt_check_entry_offsets
  7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44
     netfilter: x_tables: check standard target size too
  ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
     netfilter: x_tables: check for bogus target offset
  13631bfc604161a9d69cd68991dff8603edd66f9
     netfilter: x_tables: validate all offsets and sizes in a rule
  7b7eba0f3515fca3296b8881d583f7c1042f5226
     netfilter: x_tables: don't reject valid target size on some architectures
  8dddd32756f6fe8e4e82a63361119b7e2384e02f
     netfilter: arp_tables: simplify translate_compat_table args
  7d3f843eed29222254c9feab481f55175a1afcc9
     netfilter: ip_tables: simplify translate_compat_table args
  329a0807124f12fe1c8032f95d8a8eb47047fb0e
     netfilter: ip6_tables: simplify translate_compat_table args
  0188346f21e6546498c2a0f84888797ad4063fc5
     netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
  09d9686047dbbe1cf4faa558d3ecc4aae2046054
     netfilter: x_tables: do compat validation via translate_table
  d7591f0c41ce3e67600a982bab6989ef0f07b3ce
     netfilter: x_tables: introduce and use xt_copy_counters_from_user

  They have also been backported to the 4.4
  (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-4.4.y)
  and 3.14
  (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-3.14.y)
  stable trees, with 3 additional prerequisite backported commits:

  bdf533de6968e9686df777dc178486f600c6e617
     netfilter: x_tables: validate e->target_offset early
  6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
     netfilter: x_tables: make sure e->next_offset covers remaining blob size
  54d83fc74aa9ec72794373cb47432c5f7fb1a309
     netfilter: x_tables: fix unconditional helper

  CRD: Public