From 87d1cb26b148834c77c0cefeaa4a528c2f4e999a8f012d3216a9976d7639e37f Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 4 Apr 2019 13:20:38 +0000
Subject: [PATCH 1/2] Accepting request 691518 from home:kstreitova:branches:security:netfilter

- Add iptables-1.8.2-dont_read_garbage.patch that fixes a situation where 'iptables -L' reads garbage from the struct as the kernel never filled it in the bugged case. This can lead to issues like mapping a few TiB of memory [bsc#1106751].

OBS-URL: https://build.opensuse.org/request/show/691518
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=126
---
 iptables-1.8.2-dont_read_garbage.patch | 24 ++++++++++++++++++++++++
 iptables.changes | 8 ++++++++
 iptables.spec | 7 ++++---
 3 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 iptables-1.8.2-dont_read_garbage.patch

diff --git a/iptables-1.8.2-dont_read_garbage.patch b/iptables-1.8.2-dont_read_garbage.patch
new file mode 100644
index 0000000..05f0204
--- /dev/null
+++ b/iptables-1.8.2-dont_read_garbage.patch
@@ -0,0 +1,24 @@
+From: Fabian Vogt
+Date: 2019-04-04 13:41:59 +0200
+Subject: 'iptables -L' reads garbage
+References: [bsc#1106751]
+Upstream: reported (https://bugzilla.netfilter.org/show_bug.cgi?id=1331)
+
+This patch fixes a situation where 'iptables -L' reads garbage
+from the struct as the kernel never filled it in the bugged case.
+This can lead to issues like mapping a few TiB of memory
+
+---
+
+Index: iptables-1.8.2/libiptc/libiptc.c
+===================================================================
+--- iptables-1.8.2.orig/libiptc/libiptc.c
++++ iptables-1.8.2/libiptc/libiptc.c
+@@ -1305,6 +1305,7 @@ TC_INIT(const char *tablename)
+ {
+ struct xtc_handle *h;
+ STRUCT_GETINFO info;
++ memset(&info, 0, sizeof(info));
+ unsigned int tmp;
+ socklen_t s;
+ int sockfd;
diff --git a/iptables.changes b/iptables.changes
index 5dc94dc..4a8d428 100644
--- a/iptables.changes
+++ b/iptables.changes
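Review bot: The added `memset(&info, 0, sizeof(info));` sits between the declarations of TC_INIT, so `unsigned int tmp;`, `socklen_t s;` and `int sockfd;` now follow a statement; zeroing on the declaration itself (`STRUCT_GETINFO info = {0};`, assuming STRUCT_GETINFO names a struct type) or placing the memset after `int sockfd;` keeps the declaration block intact with the same effect. Zeroing only turns the unfilled-struct case from stale stack bytes into all-zero fields; whether the remainder of TC_INIT, which continues outside this hunk, then compares the length written back through `s` against `sizeof(info)` or rejects a zero-sized table before allocating is not visible here and is worth confirming, since that is what would detect the kernel bug rather than mask it. A one-line comment on the added line would help the next maintainer, e.g. `/* zero first: the kernel can leave this unfilled (bsc#1106751) and stale stack bytes led to the TiB-sized mapping reported */`.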
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Apr 4 11:44:31 UTC 2019 - Kristýna Streitová
+
+- Add iptables-1.8.2-dont_read_garbage.patch that fixes a situation
+ where 'iptables -L' reads garbage from the struct as the kernel
+ never filled it in the bugged case. This can lead to issues like
+ mapping a few TiB of memory [bsc#1106751].
+
 -------------------------------------------------------------------
 Tue Nov 13 12:09:24 UTC 2018 - Jan Engelhardt
diff --git a/iptables.spec b/iptables.spec
index 5d1d7cd..6b599ca 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package iptables
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
@@ -30,6 +30,7 @@ Source3: %name.keyring
 Patch3: iptables-batch.patch
 Patch4: iptables-apply-mktemp-fix.patch
 Patch5: iptables-batch-lock.patch
+Patch6: iptables-1.8.2-dont_read_garbage.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires: autoconf, automake >= 1.10
@@ -141,7 +141,7 @@ xtables --variable=xtlibdir).
 %prep
 %setup -q
-%patch -P 3 -P 4 -P 5 -p1
+%patch -P 3 -P 4 -P 5 -P 6 -p1
 %build
 # We have the iptables-batch patch, so always regenerate.
From f7925e9c5bad78082af23e09d88013e0801615d9cc134db0e2962b40d1db5bf3 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 4 Apr 2019 13:22:31 +0000
Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=127
---
 iptables.spec | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/iptables.spec b/iptables.spec
index 6b599ca..5f4bed1 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -22,10 +22,10 @@ Release: 0
 Summary: IP packet filter administration utilities
 License: GPL-2.0-only AND Artistic-2.0
 Group: Productivity/Networking/Security
-Url: http://netfilter.org/projects/iptables/
+URL: https://netfilter.org/projects/iptables/
 #Git-Clone: git://git.netfilter.org/iptables
-Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
-Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
+Source: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
+Source2: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3: %name.keyring
 Patch3: iptables-batch.patch
 Patch4: iptables-apply-mktemp-fix.patch
@@ -141,8 +141,7 @@ Link your extension (iptables plugins) with $(pkg-config xtables
 xtables --variable=xtlibdir).
 %prep
-%setup -q
-%patch -P 3 -P 4 -P 5 -P 6 -p1
+%autosetup -p1
 %build
 # We have the iptables-batch patch, so always regenerate.
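Review bot: `%autosetup -p1` applies every PatchN tag declared in the spec in numeric order, whereas the removed `%patch -P 3 -P 4 -P 5 -P 6 -p1` applied an explicit list; if any patch tag numbered below 3 exists outside this hunk (only Patch3 onward is visible here), it would now be applied as well, so the full set of Patch tags is worth confirming before merging. `%autosetup` is quiet unless given `-v`, so dropping `%setup -q` should not change build output.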