[kernel] r15168 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Feb 16 04:29:03 UTC 2010
Author: dannf
Date: Tue Feb 16 04:29:00 2010
New Revision: 15168
Log:
netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/26etch2
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog Tue Feb 16 04:21:45 2010 (r15167)
+++ dists/etch-security/linux-2.6/debian/changelog Tue Feb 16 04:29:00 2010 (r15168)
@@ -7,6 +7,7 @@
* hfs: fix a potential buffer overflow (CVE-2009-4020)
* fuse: prevent fuse_put_request on invalid pointer (CVE-2009-4021)
* e1000: enhance frame fragment detection (CVE-2009-4536)
+ * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
-- dann frazier <dannf at debian.org> Mon, 15 Feb 2010 18:32:14 -0700
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch Tue Feb 16 04:29:00 2010 (r15168)
@@ -0,0 +1,49 @@
+commit d470f28d6f38bfd893ddccd2f3c212442caef246
+Author: dann frazier <dannf at hp.com>
+Date: Mon Feb 15 21:27:05 2010 -0700
+
+ [ Adjusted to apply to Debian's 2.6.18 ]
+ From f21c582a940198ef810e7744c9f91cdafd1a6ed5 Mon Sep 17 00:00:00 2001
+ From: Florian Westphal <fwestphal at astaro.com>
+ Date: Fri, 8 Jan 2010 17:31:24 +0100
+ Subject: [PATCH] netfilter: ebtables: enforce CAP_NET_ADMIN
+
+ commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+
+ normal users are currently allowed to set/modify ebtables rules.
+ Restrict it to processes with CAP_NET_ADMIN.
+
+ Note that this cannot be reproduced with unmodified ebtables binary
+ because it uses SOCK_RAW.
+
+ Signed-off-by: Florian Westphal <fwestphal at astaro.com>
+ Signed-off-by: Patrick McHardy <kaber at trash.net>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ ---
+ net/bridge/netfilter/ebtables.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 9301ec4..c2719b3 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1417,6 +1417,9 @@ static int do_ebt_set_ctl(struct sock *sk,
+ {
+ int ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ switch(cmd) {
+ case EBT_SO_SET_ENTRIES:
+ ret = do_replace(user, len);
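Review bot: the backport note "[ Adjusted to apply to Debian's 2.6.18 ]" does not say what was adjusted relative to upstream commit dce766af; the only difference visible in this hunk is the context offset (@@ -1417), so a one-line statement that only hunk offsets changed would save the reviewer a side-by-side comparison with upstream. The placement itself is right: `if (!capable(CAP_NET_ADMIN)) return -EPERM;` sits before `switch(cmd)`, so every EBT_SO_SET_* command in do_ebt_set_ctl is covered, not just EBT_SO_SET_ENTRIES.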
+@@ -1436,6 +1439,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ struct ebt_replace tmp;
+ struct ebt_table *t;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (copy_from_user(&tmp, user, sizeof(tmp)))
+ return -EFAULT;
+
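Review bot: the commit message says "normal users are currently allowed to set/modify ebtables rules", but this hunk also gates do_ebt_get_ctl, so reading the table via the getsockopt path now requires CAP_NET_ADMIN as well; the changelog entry "netfilter: ebtables: enforce CAP_NET_ADMIN" or the backport note should state that reads are restricted too, since that is the user-visible behaviour change beyond what the message describes. Ordering is correct: the capability check precedes `copy_from_user(&tmp, user, sizeof(tmp))`, so an unprivileged caller is refused with -EPERM before any of the user buffer is consumed.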
Modified: dists/etch-security/linux-2.6/debian/patches/series/26etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/26etch2 Tue Feb 16 04:21:45 2010 (r15167)
+++ dists/etch-security/linux-2.6/debian/patches/series/26etch2 Tue Feb 16 04:29:00 2010 (r15168)
@@ -4,3 +4,4 @@
+ bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
+ bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch
+ bugfix/all/e1000-enhance-frame-fragment-detection.patch
++ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch