forked from pool/iptables

Accepting request 691518 from home:kstreitova:branches:security:netfilter

- Add iptables-1.8.2-dont_read_garbage.patch that fixes a situation
  where 'iptables -L' reads garbage from the struct as the kernel
  never filled it in the bugged case. This can lead to issues like
  mapping a few TiB of memory [bsc#1106751].

OBS-URL: https://build.opensuse.org/request/show/691518
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=126
Jan Engelhardt 2019-04-04 13:20:38 +00:00 committed by Git OBS Bridge
parent 725c31dfd6
commit 87d1cb26b1
3 changed files with 36 additions and 3 deletions


@ -0,0 +1,24 @@
From: Fabian Vogt <fvogt@suse.com>
Date: 2019-04-04 13:41:59 +0200
Subject: 'iptables -L' reads garbage
References: [bsc#1106751]
Upstream: reported (https://bugzilla.netfilter.org/show_bug.cgi?id=1331)
This patch fixes a situation where 'iptables -L' reads garbage
from the struct as the kernel never filled it in the bugged case.
This can lead to issues like mapping a few TiB of memory
---
Index: iptables-1.8.2/libiptc/libiptc.c
===================================================================
--- iptables-1.8.2.orig/libiptc/libiptc.c
+++ iptables-1.8.2/libiptc/libiptc.c
@@ -1305,6 +1305,7 @@ TC_INIT(const char *tablename)
{
struct xtc_handle *h;
STRUCT_GETINFO info;
+ memset(&info, 0, sizeof(info));
unsigned int tmp;
socklen_t s;
int sockfd;
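
Review bot: The added memset(&info, 0, sizeof(info)); sits between the declaration of info and the declarations of tmp, s and sockfd in TC_INIT, so the function now has a statement in the middle of its declaration block and will warn under -Wdeclaration-after-statement. Either initialise at the declaration (STRUCT_GETINFO info = {0};) or move the memset below "int sockfd;". The description also refers to "the bugged case" without naming it. Zeroing only makes the later reads deterministic, so the patch header should say what TC_INIT does with an all-zero info and whether the call that was supposed to fill the struct reports a failure that could be checked instead.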


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Apr 4 11:44:31 UTC 2019 - Kristýna Streitová <kstreitova@suse.com>
- Add iptables-1.8.2-dont_read_garbage.patch that fixes a situation
where 'iptables -L' reads garbage from the struct as the kernel
never filled it in the bugged case. This can lead to issues like
mapping a few TiB of memory [bsc#1106751].
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 13 12:09:24 UTC 2018 - Jan Engelhardt <jengelh@inai.de> Tue Nov 13 12:09:24 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
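
Review bot: The new changelog entry cites only [bsc#1106751], while the patch header also records that the issue was reported upstream (https://bugzilla.netfilter.org/show_bug.cgi?id=1331). Add that reference here so the entry shows the patch is pending upstream, and replace "the bugged case" with the actual condition under which the kernel leaves the struct unfilled, since the entry as written gives a reader no way to tell whether their system is affected.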


@ -1,7 +1,7 @@
# #
# spec file for package iptables # spec file for package iptables
# #
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Please submit bugfixes or comments via http://bugs.opensuse.org/
# #
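
Review bot: The "Please submit bugfixes or comments via" line changes from https://bugs.opensuse.org/ to http://bugs.opensuse.org/, reading the left column as the old file as the 2018 to 2019 copyright change in the previous hunk indicates. This downgrade is unrelated to the garbage-read fix and is not mentioned in the changelog entry. Keep the https:// form, or drop this header change from the request if it came from regenerating the spec header.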
@ -30,6 +30,7 @@ Source3: %name.keyring
Patch3: iptables-batch.patch Patch3: iptables-batch.patch
Patch4: iptables-apply-mktemp-fix.patch Patch4: iptables-apply-mktemp-fix.patch
Patch5: iptables-batch-lock.patch Patch5: iptables-batch-lock.patch
Patch6: iptables-1.8.2-dont_read_garbage.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
#git#BuildRequires: autoconf, automake >= 1.10 #git#BuildRequires: autoconf, automake >= 1.10
@ -141,7 +142,7 @@ xtables --variable=xtlibdir).
%prep %prep
%setup -q %setup -q
%patch -P 3 -P 4 -P 5 -p1 %patch -P 3 -P 4 -P 5 -P 6 -p1
%build %build
# We have the iptables-batch patch, so always regenerate. # We have the iptables-batch patch, so always regenerate.