From 4c1f1ed13b794b7826421933cb5a933368e35736 Mon Sep 17 00:00:00 2001
From: jc_gargma <jc_gargma@iserlohn-fortress.net>
Date: Tue, 6 Feb 2018 18:15:42 -0800
Subject: Updated to 4.14.17.a

---
 ...lter-xt_osf-Add-missing-permission-checks.patch | 60 ----------------------
 1 file changed, 60 deletions(-)
 delete mode 100644 CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch

(limited to 'CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch')

diff --git a/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch b/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
deleted file mode 100644
index 992c336..0000000
--- a/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-    vpnns -- nfnl_osf -f /tmp/pf.os
-
-    vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the systemwide OS
-fingerprint list.  Add new capable() checks so that they can't.
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/netfilter/xt_osf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
-index 36e14b1f061d..a34f314a8c23 100644
---- a/net/netfilter/xt_osf.c
-+++ b/net/netfilter/xt_osf.c
-@@ -19,6 +19,7 @@
- #include <linux/module.h>
- #include <linux/kernel.h>
- 
-+#include <linux/capability.h>
- #include <linux/if.h>
- #include <linux/inetdevice.h>
- #include <linux/ip.h>
-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
- 	struct xt_osf_finger *kf = NULL, *sf;
- 	int err = 0;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!osf_attrs[OSF_ATTR_FINGER])
- 		return -EINVAL;
- 
-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
- 	struct xt_osf_finger *sf;
- 	int err = -ENOENT;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!osf_attrs[OSF_ATTR_FINGER])
- 		return -EINVAL;
- 
--- 
-2.15.1
-
-- 
cgit v1.2.1