[linux] 04/11: drop bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch




corsac pushed a commit to branch stretch
in repository linux.

commit 0870383e9630af267e4154d672e6ea8ec627c95d
Author: Yves-Alexis Perez <corsac at corsac.net>
Date:   Thu Feb 1 21:21:28 2018 +0100

    drop bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
---
 debian/changelog                                   |  1 +
 ...fnetlink_cthelper-add-missing-permission-.patch | 74 ----------------------
 debian/patches/series                              |  1 -
 3 files changed, 1 insertion(+), 75 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index e0fca7e..68fb2b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -860,6 +860,7 @@ linux (4.9.79-1) UNRELEASED; urgency=medium
     - bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
     - bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
     - bugfix/all/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-i.patch
+    - bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
   * bpf: avoid ABI change in 4.9.77.
   * Ignore ABI change for cpu_tlbstate (symbol not exported _GPL anymore)
   * sched/rt: Avoid ABI change in 4.9.66.
diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
deleted file mode 100644
index 37ab05d..0000000
--- a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: Kevin Cernekee <cernekee at chromium.org>
-Date: Sun, 3 Dec 2017 12:12:45 -0800
-Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
-Origin: https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17448
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, nfnl_cthelper_list is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-    $ nfct helper list
-    nfct v1.4.4: netlink error: Operation not permitted
-    $ vpnns -- nfct helper list
-    {
-            .name = ftp,
-            .queuenum = 0,
-            .l3protonum = 2,
-            .l4protonum = 6,
-            .priv_data_len = 24,
-            .status = enabled,
-    };
-
-Add capable() checks in nfnetlink_cthelper, as this is cleaner than
-trying to generalize the solution.
-
-Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -17,6 +17,7 @@
- #include <linux/types.h>
- #include <linux/list.h>
- #include <linux/errno.h>
-+#include <linux/capability.h>
- #include <net/netlink.h>
- #include <net/sock.h>
- 
-@@ -392,6 +393,9 @@ static int nfnl_cthelper_new(struct net
- 	struct nfnl_cthelper *nlcth;
- 	int ret = 0;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
- 		return -EINVAL;
- 
-@@ -595,6 +599,9 @@ static int nfnl_cthelper_get(struct net
- 	struct nfnl_cthelper *nlcth;
- 	bool tuple_set = false;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
- 		struct netlink_dump_control c = {
- 			.dump = nfnl_cthelper_dump_table,
-@@ -661,6 +668,9 @@ static int nfnl_cthelper_del(struct net
- 	struct nfnl_cthelper *nlcth, *n;
- 	int j = 0, ret;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (tb[NFCTH_NAME])
- 		helper_name = nla_data(tb[NFCTH_NAME]);
- 
diff --git a/debian/patches/series b/debian/patches/series
index 68cabb9..2369877 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -138,7 +138,6 @@ bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
 bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
-bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
 bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
 bugfix/all/nfsd-auth-Fix-gid-sorting-when-rootsquash-enabled.patch
 
