[kernel] r15083 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Feb 1 05:05:35 UTC 2010


Author: dannf
Date: Mon Feb  1 05:05:25 2010
New Revision: 15083

Log:
netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
      - copied unchanged from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Feb  1 05:02:25 2010	(r15082)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Feb  1 05:05:25 2010	(r15083)
@@ -20,6 +20,7 @@
   * e1000e: enhance frame fragment detection (CVE-2009-4538)
   * kernel/signal.c: fix kernel information leak with print-fatal-signals=1
     (CVE-2010-0003)
+  * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
 
  -- dann frazier <dannf at debian.org>  Sun, 31 Jan 2010 17:17:52 -0700
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch (from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch	Mon Feb  1 05:05:25 2010	(r15083, copy of r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch)
@@ -0,0 +1,47 @@
+From f21c582a940198ef810e7744c9f91cdafd1a6ed5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fwestphal at astaro.com>
+Date: Fri, 8 Jan 2010 17:31:24 +0100
+Subject: [PATCH] netfilter: ebtables: enforce CAP_NET_ADMIN
+
+commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+
+normal users are currently allowed to set/modify ebtables rules.
+Restrict it to processes with CAP_NET_ADMIN.
+
+Note that this cannot be reproduced with unmodified ebtables binary
+because it uses SOCK_RAW.
+
+Signed-off-by: Florian Westphal <fwestphal at astaro.com>
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/bridge/netfilter/ebtables.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 32afff8..d6beca9 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1436,6 +1436,9 @@ static int do_ebt_set_ctl(struct sock *sk,
+ {
+ 	int ret;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	switch(cmd) {
+ 	case EBT_SO_SET_ENTRIES:
+ 		ret = do_replace(user, len);
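Review bot: the `capable(CAP_NET_ADMIN)` gate is placed correctly in do_ebt_set_ctl, ahead of `switch(cmd)`, so an unprivileged caller receives -EPERM before `do_replace(user, len)` or any other setter parses the user-supplied buffer, and no partially applied table change is possible. The second hunk below adds the identical test to do_ebt_get_ctl; keep the two checks the same so that the privilege needed to read the tables never drifts from the privilege needed to modify them.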
+@@ -1455,6 +1458,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ 	struct ebt_replace tmp;
+ 	struct ebt_table *t;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (copy_from_user(&tmp, user, sizeof(tmp)))
+ 		return -EFAULT;
+ 
+-- 
+1.6.6
+
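Review bot: in do_ebt_get_ctl the new check sits before `copy_from_user(&tmp, user, sizeof(tmp))`, which is the right order: the caller is refused before the kernel copies or interprets its `struct ebt_replace`, so the getter can no longer be used by unprivileged processes to read table layout either. For this backport the file is copied unchanged from the lenny linux-2.6 tree into the etch linux-2.6.24 tree while the hunk headers (`@@ -1436,6 +1436,9 @@`, `@@ -1455,6 +1458,9 @@`) and the index line `32afff8..d6beca9` come from the newer upstream source; please check the build log for quilt applying with offset or fuzz and confirm in the patched ebtables.c that both checks landed in the intended functions. The header's remark that the stock ebtables binary cannot trigger this because it uses SOCK_RAW describes a property of the userspace tool, so the kernel-side check here is the actual fix and should not be dropped on the grounds that the default tool is unaffected.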

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Mon Feb  1 05:02:25 2010	(r15082)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Mon Feb  1 05:05:25 2010	(r15083)
@@ -16,3 +16,4 @@
 + bugfix/all/e1000-enhance-frame-fragment-detection.patch
 + bugfix/all/e1000e-enhance-frame-fragment-detection.patch
 + bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
++ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
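Review bot: the new series line is appended after the signal information-leak patch, matching the order of the changelog entries in the first hunk, and the filename agrees with the file added under patches/bugfix/all. Since the entry goes only into 6~etchnhalf.9etch2, confirm that no other series file for this upload needs the same line, otherwise the CVE-2010-0007 fix would reach only the etchnhalf flavour.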



More information about the Kernel-svn-changes mailing list