rpms/kernel/F-11 netfilter-ebtables-enforce-cap_net_admin.patch, NONE, 1.1.2.1 kernel.spec, 1.1784.2.2, 1.1784.2.3
Chuck Ebbert
cebbert at fedoraproject.org
Tue Jan 19 19:57:25 UTC 2010
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24328
Modified Files:
Tag: private-fedora-11-2_6_30
kernel.spec
Added Files:
Tag: private-fedora-11-2_6_30
netfilter-ebtables-enforce-cap_net_admin.patch
Log Message:
CVE-2010-0007: kernel: normal users can modify ebtables rules (#555238)
netfilter-ebtables-enforce-cap_net_admin.patch:
ebtables.c | 6 ++++++
1 file changed, 6 insertions(+)
--- NEW FILE netfilter-ebtables-enforce-cap_net_admin.patch ---
From dce766af541f6605fa9889892c0280bab31c66ab Mon Sep 17 00:00:00 2001
From: Florian Westphal <fwestphal at astaro.com>
Date: Fri, 8 Jan 2010 17:31:24 +0100
Subject: netfilter: ebtables: enforce CAP_NET_ADMIN
From: Florian Westphal <fwestphal at astaro.com>
commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.
Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.
Signed-off-by: Florian Westphal <fwestphal at astaro.com>
Signed-off-by: Patrick McHardy <kaber at trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
net/bridge/netfilter/ebtables.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *s
{
int ret;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
switch(cmd) {
case EBT_SO_SET_ENTRIES:
ret = do_replace(sock_net(sk), user, len);
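Review bot: Placing the capable(CAP_NET_ADMIN) check ahead of the switch is the right choice, since a single early -EPERM covers EBT_SO_SET_ENTRIES and every other set command routed through do_ebt_set_ctl, and it runs before any user-supplied buffer is read by do_replace. This matches how the ip_tables and arp_tables setsockopt handlers gate their set paths, so behaviour is now consistent across the netfilter table families.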
@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *s
struct ebt_replace tmp;
struct ebt_table *t;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (copy_from_user(&tmp, user, sizeof(tmp)))
return -EFAULT;
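Review bot: The commit message only describes restricting set/modify, but this hunk also gates do_ebt_get_ctl, so the EBT_SO_GET_* commands (table info, entries, counters) become unreadable by unprivileged processes as well; that is the sensible choice and again mirrors the other table families, but the message should say so explicitly since read-only callers will now see -EPERM where they previously got data. Ordering is correct: the capability check precedes copy_from_user, so unprivileged callers fail before any of the ebt_replace header is parsed.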
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1784.2.2
retrieving revision 1.1784.2.3
diff -u -p -r1.1784.2.2 -r1.1784.2.3
--- kernel.spec 19 Jan 2010 19:24:16 -0000 1.1784.2.2
+++ kernel.spec 19 Jan 2010 19:57:24 -0000 1.1784.2.3
@@ -850,6 +850,8 @@ Patch16473: linux-2.6-libertas-crash.pat
# cve-2010-0006
Patch16500: ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
+# cve-2010-0007
+Patch16501: netfilter-ebtables-enforce-cap_net_admin.patch
%endif
@@ -1598,6 +1600,8 @@ ApplyPatch linux-2.6-libertas-crash.patc
# cve-2010-0006
ApplyPatch ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
+# cve-2010-0007
+ApplyPatch netfilter-ebtables-enforce-cap_net_admin.patch
# END OF PATCH APPLICATIONS
@@ -2187,6 +2191,9 @@ fi
# and build.
%changelog
+* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.30.10-105.2.3
+- CVE-2010-0007: kernel: normal users can modify ebtables rules (#555238)
+
* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.30.10-105.2.2
- Backport fix for CVE-2010-0006:
kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo() (rhbz#555217)