rpms/kernel/F-11 netfilter-ebtables-enforce-cap_net_admin.patch, NONE, 1.1.2.1 kernel.spec, 1.1784.2.2, 1.1784.2.3

Chuck Ebbert cebbert at fedoraproject.org
Tue Jan 19 19:57:25 UTC 2010


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24328

Modified Files:
      Tag: private-fedora-11-2_6_30
	kernel.spec 
Added Files:
      Tag: private-fedora-11-2_6_30
	netfilter-ebtables-enforce-cap_net_admin.patch 
Log Message:
CVE-2010-0007: kernel: normal users can modify ebtables rules (#555238)

netfilter-ebtables-enforce-cap_net_admin.patch:
 ebtables.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- NEW FILE netfilter-ebtables-enforce-cap_net_admin.patch ---
>From dce766af541f6605fa9889892c0280bab31c66ab Mon Sep 17 00:00:00 2001
From: Florian Westphal <fwestphal at astaro.com>
Date: Fri, 8 Jan 2010 17:31:24 +0100
Subject: netfilter: ebtables: enforce CAP_NET_ADMIN

From: Florian Westphal <fwestphal at astaro.com>

commit dce766af541f6605fa9889892c0280bab31c66ab upstream.

normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.

Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.

Signed-off-by: Florian Westphal <fwestphal at astaro.com>
Signed-off-by: Patrick McHardy <kaber at trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

---
 net/bridge/netfilter/ebtables.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *s
 {
 	int ret;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	switch(cmd) {
 	case EBT_SO_SET_ENTRIES:
 		ret = do_replace(sock_net(sk), user, len);
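Review bot: The capable(CAP_NET_ADMIN) check sits ahead of the switch(cmd), so every EBT_SO_SET_* command, including EBT_SO_SET_ENTRIES which goes on to hand the user pointer to do_replace(), returns -EPERM before any user-supplied data is read or any table is looked up via sock_net(sk); that ordering is the right one, and it matches the convention used by ip_tables' do_ipt_set_ctl. The commit message explains why the check belongs in the handler itself: the stock ebtables binary only happened to be privileged because it opens a SOCK_RAW socket, so the kernel-side gate is what actually enforces the policy. It would help a later reader to name the privilege being enforced in a one-line comment above the check, as the function has no other hint that this is the only authorization point for the set path.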
@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *s
 	struct ebt_replace tmp;
 	struct ebt_table *t;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (copy_from_user(&tmp, user, sizeof(tmp)))
 		return -EFAULT;
 
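Review bot: Gating do_ebt_get_ctl on CAP_NET_ADMIN before the copy_from_user() of `struct ebt_replace tmp` means callers without the capability can no longer read table contents, nor trigger parsing of the user-supplied ebt_replace header at all; the get path of ip_tables (do_ipt_get_ctl) already requires the same capability, so this brings ebtables in line with the other netfilter families. The hunk header offset (+1427 against -1424) accounts for the three lines added by the first hunk, so the two hunks apply together cleanly. One point to add to the commit message: this is a visible behaviour change for any unprivileged tooling that only read tables and previously worked, while the message only describes the set/modify case.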


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1784.2.2
retrieving revision 1.1784.2.3
diff -u -p -r1.1784.2.2 -r1.1784.2.3
--- kernel.spec	19 Jan 2010 19:24:16 -0000	1.1784.2.2
+++ kernel.spec	19 Jan 2010 19:57:24 -0000	1.1784.2.3
@@ -850,6 +850,8 @@ Patch16473: linux-2.6-libertas-crash.pat
 
 # cve-2010-0006
 Patch16500: ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
+# cve-2010-0007
+Patch16501: netfilter-ebtables-enforce-cap_net_admin.patch
 
 %endif
 
@@ -1598,6 +1600,8 @@ ApplyPatch linux-2.6-libertas-crash.patc
 
 # cve-2010-0006
 ApplyPatch ipv6-skb_dst-can-be-null-in-ipv6_hop_jumbo.patch
+# cve-2010-0007
+ApplyPatch netfilter-ebtables-enforce-cap_net_admin.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2187,6 +2191,9 @@ fi
 # and build.
 
 %changelog
+* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.3
+- CVE-2010-0007: kernel: normal users can modify ebtables rules (#555238)
+
 * Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.30.10-105.2.2
 - Backport fix for CVE-2010-0006:
   kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo() (rhbz#555217)
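Review bot: Bug reference style is inconsistent between the new entry and the one directly below it: the new line writes `(#555238)` while the previous entry uses `(rhbz#555217)`; use the rhbz# form here too so the changelog stays greppable for Bugzilla ids. The release bump to 2.6.30.10-105.2.3 and the CVE-2010-0007 id match the Patch16501 and ApplyPatch hunks above, so the entry is otherwise complete.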
