[kernel] r15168 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Feb 16 04:29:03 UTC 2010


Author: dannf
Date: Tue Feb 16 04:29:00 2010
New Revision: 15168

Log:
netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/26etch2

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	Tue Feb 16 04:21:45 2010	(r15167)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue Feb 16 04:29:00 2010	(r15168)
@@ -7,6 +7,7 @@
   * hfs: fix a potential buffer overflow (CVE-2009-4020)
   * fuse: prevent fuse_put_request on invalid pointer (CVE-2009-4021)
   * e1000: enhance frame fragment detection (CVE-2009-4536)
+  * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
 
  -- dann frazier <dannf at debian.org>  Mon, 15 Feb 2010 18:32:14 -0700
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch	Tue Feb 16 04:29:00 2010	(r15168)
@@ -0,0 +1,49 @@
+commit d470f28d6f38bfd893ddccd2f3c212442caef246
+Author: dann frazier <dannf at hp.com>
+Date:   Mon Feb 15 21:27:05 2010 -0700
+
+    [ Adjusted to apply to Debian's 2.6.18 ]
+    From f21c582a940198ef810e7744c9f91cdafd1a6ed5 Mon Sep 17 00:00:00 2001
+    From: Florian Westphal <fwestphal at astaro.com>
+    Date: Fri, 8 Jan 2010 17:31:24 +0100
+    Subject: [PATCH] netfilter: ebtables: enforce CAP_NET_ADMIN
+    
+    commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+    
+    normal users are currently allowed to set/modify ebtables rules.
+    Restrict it to processes with CAP_NET_ADMIN.
+    
+    Note that this cannot be reproduced with unmodified ebtables binary
+    because it uses SOCK_RAW.
+    
+    Signed-off-by: Florian Westphal <fwestphal at astaro.com>
+    Signed-off-by: Patrick McHardy <kaber at trash.net>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+    ---
+     net/bridge/netfilter/ebtables.c |    6 ++++++
+     1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 9301ec4..c2719b3 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1417,6 +1417,9 @@ static int do_ebt_set_ctl(struct sock *sk,
+ {
+ 	int ret;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	switch(cmd) {
+ 	case EBT_SO_SET_ENTRIES:
+ 		ret = do_replace(user, len);
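Review bot: the capable(CAP_NET_ADMIN) check in do_ebt_set_ctl() is placed ahead of `switch(cmd)`, so every set command, including any cmd that lands in the switch's default arm, is refused with -EPERM before `ret` is ever assigned; that is the right spot, and it matches the get side. One thing to confirm for the backport: the header says the patch was "Adjusted to apply to Debian's 2.6.18" but the hunk adds no #include, so check that capable() is already in scope in net/bridge/netfilter/ebtables.c at that version, otherwise this builds upstream and fails on the Debian tree.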
+@@ -1436,6 +1439,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ 	struct ebt_replace tmp;
+ 	struct ebt_table *t;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (copy_from_user(&tmp, user, sizeof(tmp)))
+ 		return -EFAULT;
+ 
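Review bot: keep the check in do_ebt_get_ctl() ahead of copy_from_user(), as this hunk does; an unprivileged caller is then answered with -EPERM before the kernel reads the user's struct ebt_replace or looks up a table by the name it supplied. The upstream message's remark that the bug "cannot be reproduced with unmodified ebtables binary because it uses SOCK_RAW" is worth a sentence in the Debian patch header: SOCK_RAW already needs CAP_NET_RAW, but the ebtables handler is reached through the generic netfilter sockopt path from an ordinary AF_INET socket, which is exactly why the capability gate has to live in the handler rather than rely on the socket type.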

Modified: dists/etch-security/linux-2.6/debian/patches/series/26etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/26etch2	Tue Feb 16 04:21:45 2010	(r15167)
+++ dists/etch-security/linux-2.6/debian/patches/series/26etch2	Tue Feb 16 04:29:00 2010	(r15168)
@@ -4,3 +4,4 @@
 + bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
 + bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch
 + bugfix/all/e1000-enhance-frame-fragment-detection.patch
++ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
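An added check, not part of the Debian or upstream patch: the upstream message notes that the stock ebtables binary cannot trigger the bug because it opens a SOCK_RAW socket, which unprivileged users cannot get, while the ebtables getsockopt handler is reachable from a plain UDP socket. The probe below calls getsockopt() with the ebtables EBT_SO_GET_INFO option and a NULL buffer, so the kernel's reply separates the two orderings visible in the hunk: EPERM when the capable(CAP_NET_ADMIN) check runs first, EFAULT when the kernel goes straight to copy_from_user() on the NULL pointer. Assumptions, labelled in the code as well: EBT_BASE_CTL is 128 and EBT_SO_GET_INFO equals EBT_BASE_CTL, as in <linux/netfilter_bridge/ebtables.h>; euid 0 is used as a stand-in for holding CAP_NET_ADMIN; Linux only. The verdict enum and ebt_classify() are this example's own names.

```c
/* Added probe, not part of the Debian or upstream patch.  Exercises the
 * ebtables getsockopt path from an ordinary UDP socket (no CAP_NET_RAW
 * needed) and classifies the errno the kernel hands back.
 * Assumptions: EBT_BASE_CTL == 128 and EBT_SO_GET_INFO == EBT_BASE_CTL as
 * in the uapi header; euid 0 stands in for CAP_NET_ADMIN; Linux only. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef EBT_BASE_CTL
#define EBT_BASE_CTL 128                 /* assumption: value from the uapi header */
#endif
#ifndef EBT_SO_GET_INFO
#define EBT_SO_GET_INFO EBT_BASE_CTL     /* assumption: first get optname */
#endif

enum ebt_probe {
    EBT_PROBE_ENFORCED,      /* -EPERM: capable(CAP_NET_ADMIN) check ran first */
    EBT_PROBE_NOT_ENFORCED,  /* -EFAULT: kernel reached copy_from_user() on NULL */
    EBT_PROBE_NO_EBTABLES,   /* -ENOPROTOOPT: no ebtables sockopt handler registered */
    EBT_PROBE_INCONCLUSIVE,  /* caller already privileged, or unexpected result */
};

/* Pure mapping from the getsockopt() outcome to a verdict.  'privileged'
 * says whether the caller already holds CAP_NET_ADMIN: then passing the
 * check proves nothing about whether the check exists. */
enum ebt_probe ebt_classify(int rc, int err, int privileged)
{
    if (rc == -1 && err == ENOPROTOOPT)
        return EBT_PROBE_NO_EBTABLES;
    if (privileged)
        return EBT_PROBE_INCONCLUSIVE;
    if (rc == -1 && err == EPERM)
        return EBT_PROBE_ENFORCED;
    if (rc == -1 && err == EFAULT)
        return EBT_PROBE_NOT_ENFORCED;
    return EBT_PROBE_INCONCLUSIVE;
}

/* Run the probe against the running kernel.  optval is deliberately NULL:
 * a kernel without the fix fails in copy_from_user() with EFAULT, a kernel
 * with the fix refuses with EPERM before touching the buffer.  An AF_INET
 * UDP socket is enough to reach the netfilter sockopt handlers. */
enum ebt_probe ebt_probe_kernel(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t len = 0;
    int rc, err;

    if (fd < 0)
        return EBT_PROBE_INCONCLUSIVE;
    rc = getsockopt(fd, IPPROTO_IP, EBT_SO_GET_INFO, NULL, &len);
    err = errno;
    close(fd);
    /* euid 0 as a proxy for CAP_NET_ADMIN (assumption, good enough here) */
    return ebt_classify(rc, err, geteuid() == 0);
}

int main(void)
{
    static const char *const verdict[] = {
        "enforced (EPERM before copy_from_user)",
        "NOT enforced (EFAULT: handler reached without CAP_NET_ADMIN)",
        "ebtables sockopt handler not registered (ENOPROTOOPT)",
        "inconclusive (run as an unprivileged user with ebtables loaded)",
    };
    printf("ebtables CAP_NET_ADMIN check: %s\n", verdict[ebt_probe_kernel()]);
    return 0;
}
```

Run it as an unprivileged user on a host with the bridge netfilter module loaded; as root the probe passes the capability check on any kernel and reports inconclusive by design.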
