Date: Thu, 10 Mar 2016 03:16:36 -0800
From: Steve Beattie <steve@...w.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Linux Kernel: Linux netfilter IPT_SO_SET_REPLACE memory corruption

Hi,

On Thu, Mar 10, 2016 at 10:25:49AM +0100, Marcus Meissner wrote:
> From the P0 team at Google:
>
> https://code.google.com/p/google-security-research/issues/detail?id=758
>
> A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
> ioctl in the netfilter code for iptables support. This ioctl can be
> triggered by an unprivileged user on PF_INET sockets when unprivileged
> user namespaces are available (CONFIG_USER_NS=y). Android does not
> enable this option, but desktop/server distributions and Chrome OS
> will commonly enable this to allow for containers support or sandboxing.
>
> ...
> 
> I think this needs a CVE.

It likely needs two, one for the issue above,
which has been proposed to be addressed by
http://marc.info/?l=netfilter-devel&m=145757134822741&w=2

and one for the unsigned integer overflow on 32-bit kernels
mentioned as an aside at the end of the original report. Proposed
fix is http://marc.info/?l=netfilter-devel&m=145757136822750&w=2

Thanks.
-- 
Steve Beattie
<sbeattie@...ntu.com>
http://NxNW.org/~steve/
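The second issue Steve mentions, an unsigned integer overflow on 32-bit kernels, is a general bug class worth seeing concretely. The following C program is an added illustration and is not code from the thread, from the netfilter tree, or from the proposed fixes; it does not reproduce the kernel's actual structures or checks. It assumes a hypothetical "fixed header plus user-supplied entry size" computation done in 32-bit arithmetic (as a 32-bit kernel's size_t would), shows how the sum wraps to a small value, and then shows two ways a defender-side fix rejects the wrapped case before any allocation or copy happens.

```c
/* Added example: 32-bit size arithmetic that wraps, and the checked
 * alternative. Hypothetical layout; not the kernel's real code. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical fixed-size header that precedes the user-supplied entries. */
#define HDR_SIZE 64u

/* Unchecked: mirrors what happens when the sum is computed in a 32-bit
 * size_t. If user_size is close to UINT32_MAX the result wraps past 2^32
 * and becomes a small number, so a later allocation is far too small for
 * the bytes that are subsequently copied into it. */
static uint32_t total_size_unchecked(uint32_t user_size)
{
    return (uint32_t)(HDR_SIZE + user_size);   /* silently wraps */
}

/* Checked, using the compiler overflow builtin (gcc/clang). Returns false
 * and leaves *out untouched when the addition would wrap. */
static bool total_size_checked(uint32_t user_size, uint32_t *out)
{
    uint32_t sum;
    if (__builtin_add_overflow(HDR_SIZE, user_size, &sum))
        return false;
    *out = sum;
    return true;
}

/* Checked, portable form with no builtins: reject before adding. */
static bool total_size_checked_portable(uint32_t user_size, uint32_t *out)
{
    if (user_size > UINT32_MAX - HDR_SIZE)
        return false;
    *out = HDR_SIZE + user_size;
    return true;
}

/* Convenience predicate: would this user-supplied size be accepted? */
static bool size_is_valid(uint32_t user_size)
{
    uint32_t unused;
    return total_size_checked_portable(user_size, &unused);
}

int main(void)
{
    /* Constructed inputs: one ordinary size, one chosen to wrap. */
    uint32_t ordinary = 1000u;
    uint32_t huge     = UINT32_MAX - 16u;   /* 64 + (2^32 - 17) wraps to 47 */
    uint32_t out;

    printf("unchecked(%u) = %u\n", ordinary, total_size_unchecked(ordinary));
    printf("unchecked(%u) = %u  <- wrapped to a tiny allocation size\n",
           huge, total_size_unchecked(huge));

    printf("checked(%u): %s\n", ordinary,
           total_size_checked(ordinary, &out) ? "accepted" : "rejected");
    printf("checked(%u): %s\n", huge,
           total_size_checked(huge, &out) ? "accepted" : "rejected");
    return 0;
}
```

On a 64-bit kernel the same addition is done in a 64-bit size_t and does not wrap for any 32-bit user value, which is why the report notes this as a 32-bit-specific issue; the checked forms above are correct on both widths.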
