Date: Thu, 10 Mar 2016 03:16:36 -0800 From: Steve Beattie <steve@...w.org> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: CVE Request: Linux Kernel: Linux netfilter IPT_SO_SET_REPLACE memory corruption Hi, On Thu, Mar 10, 2016 at 10:25:49AM +0100, Marcus Meissner wrote: > >>From the P0 team at Google: > > https://code.google.com/p/google-security-research/issues/detail?id=758 > > A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE > ioctl in the netfilter code for iptables support. This ioctl is can be > triggered by an unprivileged user on PF_INET sockets when unprivileged > user namespaces are available (CONFIG_USER_NS=y). Android does not > enable this option, but desktop/server distributions and Chrome OS > will commonly enable this to allow for containers support or sandboxing. > > ... > > I think this needs a CVE. It likely needs two, one for the issue above, which has been proposed to be addressed by http://marc.info/?l=netfilter-devel&m=145757134822741&w=2 and one for the unsigned integer overflow on 32bit kernels mentioned as an aside at the end of the original report. Proposed fix is http://marc.info/?l=netfilter-devel&m=145757136822750&w=2 Thanks. -- Steve Beattie <sbeattie@...ntu.com> http://NxNW.org/~steve/ Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.