-rw-r--r--CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch78
-rw-r--r--CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch60
-rw-r--r--PKGBUILD16
-rw-r--r--config.x86_642
4 files changed, 7 insertions, 149 deletions
diff --git a/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch b/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
deleted file mode 100644
index 60ead71..0000000
--- a/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Sun, 3 Dec 2017 12:12:45 -0800
-Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, nfnl_cthelper_list is shared by all net namespaces on the
-system. An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
- $ nfct helper list
- nfct v1.4.4: netlink error: Operation not permitted
- $ vpnns -- nfct helper list
- {
- .name = ftp,
- .queuenum = 0,
- .l3protonum = 2,
- .l4protonum = 6,
- .priv_data_len = 24,
- .status = enabled,
- };
-
-Add capable() checks in nfnetlink_cthelper, as this is cleaner than
-trying to generalize the solution.
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
-index 41628b393673..d33ce6d5ebce 100644
---- a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -17,6 +17,7 @@
- #include <linux/types.h>
- #include <linux/list.h>
- #include <linux/errno.h>
-+#include <linux/capability.h>
- #include <net/netlink.h>
- #include <net/sock.h>
-
-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth;
- int ret = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
- return -EINVAL;
-
-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth;
- bool tuple_set = false;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (nlh->nlmsg_flags & NLM_F_DUMP) {
- struct netlink_dump_control c = {
- .dump = nfnl_cthelper_dump_table,
-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth, *n;
- int j = 0, ret;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (tb[NFCTH_NAME])
- helper_name = nla_data(tb[NFCTH_NAME]);
-
---
-2.15.1
-
diff --git a/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch b/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
deleted file mode 100644
index 992c336..0000000
--- a/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system. An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
- vpnns -- nfnl_osf -f /tmp/pf.os
-
- vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the systemwide OS
-fingerprint list. Add new capable() checks so that they can't.
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/netfilter/xt_osf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
-index 36e14b1f061d..a34f314a8c23 100644
---- a/net/netfilter/xt_osf.c
-+++ b/net/netfilter/xt_osf.c
-@@ -19,6 +19,7 @@
- #include <linux/module.h>
- #include <linux/kernel.h>
-
-+#include <linux/capability.h>
- #include <linux/if.h>
- #include <linux/inetdevice.h>
- #include <linux/ip.h>
-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
- struct xt_osf_finger *kf = NULL, *sf;
- int err = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!osf_attrs[OSF_ATTR_FINGER])
- return -EINVAL;
-
-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
- struct xt_osf_finger *sf;
- int err = -ENOENT;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!osf_attrs[OSF_ATTR_FINGER])
- return -EINVAL;
-
---
-2.15.1
-
diff --git a/PKGBUILD b/PKGBUILD
index ab1f9fc..3074342 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,7 @@
pkgbase=linux-libre-hardened
_majver=4.14
-_minver=15
+_minver=17
_fullver=${_majver}.${_minver}
_basever=${_majver}-gnu
_pkgver=${_fullver}-gnu
@@ -32,24 +32,20 @@ source=(https://linux-libre.fsfla.org/pub/linux-libre/releases/${_basever}/linux
drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
- CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
)
sha256sums=('70f0098d823472402619a053211532423d15bfef628de7f49616014c81658278'
'SKIP'
- '49fe7fff699ec3301b346eedf36fb7cb7999103a2a71e7e18992718a2243958b'
+ 'a7569d770004cefbcf98d6d70ce3c9012463d13491dd8678391bdb97faafb790'
'SKIP'
- 'a9058fbc7ece8cc1920bc3659201c69ecd078de7b87e19a9977e66d9acd007ee'
+ '77b6c3188a029d3a03164b2ca75bcd9781ea8a32b1e021114667e4a39c1b4bd1'
'SKIP'
- '4ed436afcc0f707c1c827f720f5ed90f609593fb1a73f8d7fae2413020cc43e1'
+ '50184a1ffa47bf180952175968d22c0153ba2e916f55563858c2614e1f249213'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
'294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148'
- '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
- 'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
- '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435')
+ '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9')
validpgpkeys=(
'474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
'65EEFE022108E2B708CBFCF7F9E712E59AF5F22A' # Daniel Micay
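Review bot: The source array and sha256sums in this hunk drop the CVE-2017-17448 and CVE-2017-17450 patch entries, and the prepare() hunk below removes the matching `patch -p1` lines, but nothing left in the PKGBUILD records why the two hotfixes are no longer needed. If, as the bump to `_minver=17` suggests, the fixes are now carried by the upstream tarball, a one-line comment in the `# Hotfixes` block of prepare() would make that auditable at the next rebase, e.g. `# CVE-2017-17448 / CVE-2017-17450 (netfilter capable() checks): local patches dropped, carried upstream since <release — confirm>`. Without it a later maintainer cannot tell "fixed upstream" from "patch accidentally removed" when checking this package against the two advisories, and the change to three sha256sums in the same hunk gives no hint which source each updated checksum belongs to.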
@@ -67,8 +63,6 @@ prepare() {
# Hotfixes
patch -p1 -i "${srcdir}/CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch"
- patch -p1 -i "${srcdir}/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch"
- patch -p1 -i "${srcdir}/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch"
patch -p1 -i "${srcdir}/drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch"
patch -p1 -i "${srcdir}/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch"
diff --git a/config.x86_64 b/config.x86_64
index 8b3eb9b..cf98540 100644
--- a/config.x86_64
+++ b/config.x86_64
@@ -197,6 +197,7 @@ CONFIG_RD_LZO=y
CONFIG_RD_LZ4=y
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
+# CONFIG_LOCAL_SANITIZE is not set
CONFIG_SYSCTL=y
CONFIG_ANON_INODES=y
CONFIG_HAVE_UID16=y
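Review bot: The added `# CONFIG_LOCAL_SANITIZE is not set` leaves an option whose name suggests a memory-sanitization hardening feature disabled in a config that otherwise exists to be hardened, and the hunk gives no rationale. Since kconfig comments do not survive `make oldconfig`, the place for that rationale is the commit message: one sentence stating whether the option is unavailable in this tree, too costly, or deliberately deferred. What the option actually does is not visible from this hunk, so this is a request for documentation rather than a claim about its effect.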
@@ -227,6 +228,7 @@ CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_SHMEM=y
CONFIG_AIO=y
CONFIG_ADVISE_SYSCALLS=y
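Review bot: `CONFIG_BPF_JIT_ALWAYS_ON=y` removes the eBPF interpreter so every BPF program runs only through the JIT; upstream introduced the option as a Spectre v1 mitigation for the interpreter, so enabling it here is a sound hardening choice, but it makes the JIT the single code path for all BPF programs, including unprivileged ones where those are permitted. It is worth confirming that the rest of this config keeps `CONFIG_BPF_JIT=y` (a dependency of this option, not visible in the hunk) and that the package's sysctl defaults leave `net.core.bpf_jit_harden` enabled, since constant blinding is the JIT-side counterpart of what removing the interpreter buys. A sentence in the commit message naming the Spectre rationale would let future reviewers see this was a deliberate mitigation rather than a stray config drift.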