diff --git a/iptables-1.8.2-dont_read_garbage.patch b/iptables-1.8.2-dont_read_garbage.patch
new file mode 100644
index 0000000..05f0204
--- /dev/null
+++ b/iptables-1.8.2-dont_read_garbage.patch
@@ -0,0 +1,24 @@
+From: Fabian Vogt
+Date: 2019-04-04 13:41:59 +0200
+Subject: 'iptables -L' reads garbage
+References: [bsc#1106751]
+Upstream: reported (https://bugzilla.netfilter.org/show_bug.cgi?id=1331)
+
+This patch fixes a situation where 'iptables -L' reads garbage
+from the struct as the kernel never filled it in the bugged case.
+This can lead to issues like mapping a few TiB of memory
+
+---
+
+Index: iptables-1.8.2/libiptc/libiptc.c
+===================================================================
+--- iptables-1.8.2.orig/libiptc/libiptc.c
++++ iptables-1.8.2/libiptc/libiptc.c
+@@ -1305,6 +1305,7 @@ TC_INIT(const char *tablename)
+ {
+ struct xtc_handle *h;
+ STRUCT_GETINFO info;
++ memset(&info, 0, sizeof(info));
+ unsigned int tmp;
+ socklen_t s;
+ int sockfd;
diff --git a/iptables.changes b/iptables.changes
index 5dc94dc..4a8d428 100644
--- a/iptables.changes
+++ b/iptables.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Apr 4 11:44:31 UTC 2019 - Kristýna Streitová
+
+- Add iptables-1.8.2-dont_read_garbage.patch that fixes a situation
+ where 'iptables -L' reads garbage from the struct as the kernel
+ never filled it in the bugged case. This can lead to issues like
+ mapping a few TiB of memory [bsc#1106751].
+
 -------------------------------------------------------------------
 Tue Nov 13 12:09:24 UTC 2018 - Jan Engelhardt
diff --git a/iptables.spec b/iptables.spec
index 5d1d7cd..5f4bed1 100644
--- a/iptables.spec
+++ b/iptables.spec
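Review bot: The added `memset(&info, 0, sizeof(info));` turns the garbage into zeros but does not make TC_INIT detect the case the patch header describes, where the kernel never filled the struct; the length the subsequent getsockopt(SO_GET_INFO) call reports back (presumably through the `socklen_t s` declared just below) should still be compared against `sizeof(info)` and the init aborted on a mismatch, since an all-zero info (size and entry count 0) otherwise flows on into the later allocation the description says can map TiBs. Style-wise the memset sits between declarations, which relies on C99 mixed declarations and code; initializing at the declaration, `STRUCT_GETINFO info = {0};`, gives the same zeroing without the call and without splitting the declaration block. TC_INIT's body continues outside the hunk, so whether the returned length is checked cannot be confirmed from here.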
@@ -1,7 +1,7 @@
 #
 # spec file for package iptables
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,14 +22,15 @@ Release: 0
 Summary: IP packet filter administration utilities
 License: GPL-2.0-only AND Artistic-2.0
 Group: Productivity/Networking/Security
-Url: http://netfilter.org/projects/iptables/
+URL: https://netfilter.org/projects/iptables/
 #Git-Clone: git://git.netfilter.org/iptables
-Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
-Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
+Source: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
+Source2: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3: %name.keyring
 Patch3: iptables-batch.patch
 Patch4: iptables-apply-mktemp-fix.patch
 Patch5: iptables-batch-lock.patch
+Patch6: iptables-1.8.2-dont_read_garbage.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires: autoconf, automake >= 1.10
@@ -140,8 +141,7 @@ Link your extension (iptables plugins) with $(pkg-config xtables xtables --variable=xtlibdir).
 %prep
-%setup -q
-%patch -P 3 -P 4 -P 5 -p1
+%autosetup -p1
 %build
 # We have the iptables-batch patch, so always regenerate.
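Review bot: `%autosetup -p1` applies every `PatchN` declared in the spec in numeric order, whereas the removed `%patch -P 3 -P 4 -P 5 -p1` applied an explicit list; that is what pulls in the new Patch6, but it also means any PatchN added or left declared later is applied unconditionally, which deserves a line above it such as `# %autosetup applies all PatchN in order; keep the Patch: list exact`. The `-q` of the removed `%setup -q` is implied by `%autosetup` unless `-v` is passed, so the quiet unpack is preserved.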