Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160310111636.GA15133@nxnw.org>
Date: Thu, 10 Mar 2016 03:16:36 -0800
From: Steve Beattie <steve@...w.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Linux Kernel: Linux netfilter
 IPT_SO_SET_REPLACE memory corruption

Hi,

On Thu, Mar 10, 2016 at 10:25:49AM +0100, Marcus Meissner wrote:
> >>From the P0 team at Google:
>
> https://code.google.com/p/google-security-research/issues/detail?id=758
>
> A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
> ioctl in the netfilter code for iptables support. This ioctl is can be
> triggered by an unprivileged user on PF_INET sockets when unprivileged
> user namespaces are available (CONFIG_USER_NS=y). Android does not
> enable this option, but desktop/server distributions and Chrome OS
> will commonly enable this to allow for containers support or sandboxing.
>
> ...
> 
> I think this needs a CVE.

It likely needs two, one for the issue above,
which has been proposed to be addressed by
http://marc.info/?l=netfilter-devel&m=145757134822741&w=2

and one for the unsigned integer overflow on 32bit kernels
mentioned as an aside at the end of the original report. Proposed
fix is http://marc.info/?l=netfilter-devel&m=145757136822750&w=2

Thanks.
-- 
Steve Beattie
<sbeattie@...ntu.com>
http://NxNW.org/~steve/

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.