Accepting request 978320 from security:netfilter

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/978320
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iptables?expand=0&rev=78
Dominique Leuenberger 2022-05-22 18:26:26 +00:00 committed by Git OBS Bridge
commit aff189e902
7 changed files with 42 additions and 28 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0
size 717862

Binary file not shown.

iptables-1.8.8.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:71c75889dc710676631553eb1511da0177bbaaf1b551265b912d236c3f51859f
size 746985

iptables-1.8.8.tar.bz2.sig Normal file

Binary file not shown.


@ -10,10 +10,10 @@ Date: 2017-06-26T10:53:24+0000
iptables/xshared.c | 8 +++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
Index: iptables-1.8.6/iptables/iptables-batch.c
Index: iptables-1.8.8/iptables/iptables-batch.c
===================================================================
--- iptables-1.8.6.orig/iptables/iptables-batch.c
+++ iptables-1.8.6/iptables/iptables-batch.c
--- iptables-1.8.8.orig/iptables/iptables-batch.c
+++ iptables-1.8.8/iptables/iptables-batch.c
@@ -403,6 +403,27 @@ main(int argc, char *argv[])
tables[3].name = "raw";
tables[3].handle = NULL;
@ -27,7 +27,7 @@ Index: iptables-1.8.6/iptables/iptables-batch.c
+ * call sequence needs to be locked until the commit is performed.
+ *
+ * Sadly, the xtables_lock() implementation is not very cooperative.
+ * There is no unlock() equivalent. The lock file descriptor is smiply
+ * There is no unlock() equivalent. The lock file descriptor is simply
+ * left open until the process exits. Thus, we would have deadlocks
+ * when calling do_command{4,6} the second time.
+ *
@ -42,34 +42,34 @@ Index: iptables-1.8.6/iptables/iptables-batch.c
while((r = getline(&iline, &llen, fp)) != -1)
{
Index: iptables-1.8.6/iptables/xshared.c
Index: iptables-1.8.8/iptables/xshared.c
===================================================================
--- iptables-1.8.6.orig/iptables/xshared.c
+++ iptables-1.8.6/iptables/xshared.c
@@ -248,10 +248,14 @@ void xs_init_match(struct xtables_match
--- iptables-1.8.8.orig/iptables/xshared.c
+++ iptables-1.8.8/iptables/xshared.c
@@ -262,10 +262,14 @@ static void alarm_ignore(int i) {
static int xtables_lock(int wait, struct timeval *wait_interval)
static int xtables_lock(int wait)
{
+ static bool already_locked = false;
struct timeval time_left, wait_time;
struct sigaction sigact_alarm;
const char *lock_file;
int fd, i = 0;
int fd;
+ if (already_locked)
+ /* Avoid deadlocks, see iptables-batch.c */
+ return true;
time_left.tv_sec = wait;
time_left.tv_usec = 0;
@@ -267,8 +271,10 @@ static int xtables_lock(int wait, struct
lock_file = getenv("XTABLES_LOCKFILE");
if (lock_file == NULL || lock_file[0] == '\0')
lock_file = XT_LOCK_NAME;
@@ -285,8 +289,10 @@ static int xtables_lock(int wait)
alarm(wait);
}
if (wait == -1) {
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX) == 0) {
+ already_locked = true;
return fd;
+ }
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX) == 0) {
+ already_locked = true;
return fd;
+ }
fprintf(stderr, "Can't lock %s: %s\n", lock_file,
strerror(errno));
if (errno == EINTR) {
errno = EWOULDBLOCK;
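Review bot: In the xshared.c hunk of the rebased patch, `xtables_lock` returns an `int` that callers treat as the lock's file descriptor, yet the re-entry guard `if (already_locked) return true;` hands a second caller the value 1 instead of the descriptor that actually holds the lock. The patch's own comment states the descriptor is left open until the process exits, so this is presumably harmless for the callers it was written for, but any caller that passes the result to `flock()`/`close()` or compares it with the real descriptor would act on fd 1 (stdout) instead. Remembering the descriptor rather than a flag keeps the function's contract intact: `static int locked_fd = -1;`, `if (locked_fd >= 0) return locked_fd;`, and `locked_fd = fd;` at the point where the hunk currently sets `already_locked = true;`. The flag is only set on the blocking `wait == -1` path visible here; whether the non-blocking path also records the lock as held lies outside the hunk, as does the rest of `xtables_lock`.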


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Fri May 13 15:39:33 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
- Update to release 1.8.8
* Add iptables-translate support for: sctp match's
--chunk-types option, connlimit match, multiport match's
--ports option, and the tcpmss match.
* Reject setuid executables in libxtables for safety reasons
* Extended arptables-nft with -C, -I, -R, -S cmomands and the
"-c N,M" counter syntax.
* Debug output in iptables-restore (all variants), iptables-nft
and ebtables-nft when specifying -v multiple times
* Improved performance of iptables-save and -restore
-------------------------------------------------------------------
Thu Dec 30 15:05:20 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>


@ -1,7 +1,7 @@
#
# spec file for package iptables
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -23,7 +23,7 @@
%endif
Name: iptables
Version: 1.8.7
Version: 1.8.8
Release: 0
Summary: IP packet filter administration utilities
License: Artistic-2.0 AND GPL-2.0-only