[arch-commits] Commit in linux-hardened/trunk (4 files)

Levente Polyak anthraxx at archlinux.org
Tue Feb 6 00:39:19 UTC 2018


    Date: Tuesday, February 6, 2018 @ 00:39:19
  Author: anthraxx
Revision: 289327

upgpkg: linux-hardened 4.14.17.a-1

- remove applied security patches

Modified:
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config.x86_64
Deleted:
  linux-hardened/trunk/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
  linux-hardened/trunk/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch

---------------------------------------------------------------------------------+
 CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |   78 ----------
 CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch             |   60 -------
 PKGBUILD                                                                        |   14 -
 config.x86_64                                                                   |    4 
 4 files changed, 8 insertions(+), 148 deletions(-)

Deleted: CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
===================================================================
--- CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch	2018-02-05 23:46:52 UTC (rev 289326)
+++ CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch	2018-02-06 00:39:19 UTC (rev 289327)
@@ -1,78 +0,0 @@
-From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee at chromium.org>
-Date: Sun, 3 Dec 2017 12:12:45 -0800
-Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, nfnl_cthelper_list is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-    $ nfct helper list
-    nfct v1.4.4: netlink error: Operation not permitted
-    $ vpnns -- nfct helper list
-    {
-            .name = ftp,
-            .queuenum = 0,
-            .l3protonum = 2,
-            .l4protonum = 6,
-            .priv_data_len = 24,
-            .status = enabled,
-    };
-
-Add capable() checks in nfnetlink_cthelper, as this is cleaner than
-trying to generalize the solution.
-
-Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
-index 41628b393673..d33ce6d5ebce 100644
---- a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -17,6 +17,7 @@
- #include <linux/types.h>
- #include <linux/list.h>
- #include <linux/errno.h>
-+#include <linux/capability.h>
- #include <net/netlink.h>
- #include <net/sock.h>
- 
-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
- 	struct nfnl_cthelper *nlcth;
- 	int ret = 0;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
- 		return -EINVAL;
- 
-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
- 	struct nfnl_cthelper *nlcth;
- 	bool tuple_set = false;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
- 		struct netlink_dump_control c = {
- 			.dump = nfnl_cthelper_dump_table,
-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
- 	struct nfnl_cthelper *nlcth, *n;
- 	int j = 0, ret;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (tb[NFCTH_NAME])
- 		helper_name = nla_data(tb[NFCTH_NAME]);
- 
--- 
-2.15.1
-

Deleted: CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
===================================================================
--- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch	2018-02-05 23:46:52 UTC (rev 289326)
+++ CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch	2018-02-06 00:39:19 UTC (rev 289327)
@@ -1,60 +0,0 @@
-From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee at chromium.org>
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-    vpnns -- nfnl_osf -f /tmp/pf.os
-
-    vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the systemwide OS
-fingerprint list.  Add new capable() checks so that they can't.
-
-Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/xt_osf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
-index 36e14b1f061d..a34f314a8c23 100644
---- a/net/netfilter/xt_osf.c
-+++ b/net/netfilter/xt_osf.c
-@@ -19,6 +19,7 @@
- #include <linux/module.h>
- #include <linux/kernel.h>
- 
-+#include <linux/capability.h>
- #include <linux/if.h>
- #include <linux/inetdevice.h>
- #include <linux/ip.h>
-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
- 	struct xt_osf_finger *kf = NULL, *sf;
- 	int err = 0;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!osf_attrs[OSF_ATTR_FINGER])
- 		return -EINVAL;
- 
-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
- 	struct xt_osf_finger *sf;
- 	int err = -ENOENT;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!osf_attrs[OSF_ATTR_FINGER])
- 		return -EINVAL;
- 
--- 
-2.15.1
-

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2018-02-05 23:46:52 UTC (rev 289326)
+++ PKGBUILD	2018-02-06 00:39:19 UTC (rev 289327)
@@ -5,7 +5,7 @@
 
 pkgbase=linux-hardened
 _srcname=linux-4.14
-_pkgver=4.14.15
+_pkgver=4.14.17
 pkgver=${_pkgver}.a
 pkgrel=1
 url='https://github.com/copperhead/linux-hardened'
@@ -29,25 +29,21 @@
         drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
 
         CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
-        CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
-        CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
 )
 replaces=('linux-grsec')
 sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
             'SKIP'
-            '54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030'
+            '1e62d56e37bd15daec7c3d20a605624e1e0a21c44856880c6dbe0c9e41cabfa8'
             'SKIP'
-            'a9058fbc7ece8cc1920bc3659201c69ecd078de7b87e19a9977e66d9acd007ee'
+            '77b6c3188a029d3a03164b2ca75bcd9781ea8a32b1e021114667e4a39c1b4bd1'
             'SKIP'
-            '7928cf08457106c025cc165b823379af8cbff947b6f99485acbdc12a622cdaa5'
+            '9cff1bfc26d019905c67eed2a81b7d99e6662791b5b1f77784835ef435b8425f'
             'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
             '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
             '294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
             'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148'
-            '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
-            'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
-            '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435')
+            '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9')
 validpgpkeys=(
               'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
               '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
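Review bot: The hunk drops the two netfilter CVE patches from source= and sha256sums= but nothing in the change records which 4.14.17 stable commits now carry those fixes, so the removal cannot be audited from the package history alone. The deleted patch files name the upstream commits (4b380c42f7d0 for CVE-2017-17448 and 916a27901de0 for CVE-2017-17450); citing them in the commit message, or as a comment where the patches were listed, would close that gap, e.g. `# CVE-2017-17448/-17450: fixed upstream as of 4.14.17 (4b380c42f7d0, 916a27901de0)`. The CVE-2017-8824 dccp patch on the line above is kept; if that is because its fix is not yet in this stable series, a one-line comment saying so would spare the next bumper from re-checking. The source= array starts before this hunk.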

Modified: config.x86_64
===================================================================
--- config.x86_64	2018-02-05 23:46:52 UTC (rev 289326)
+++ config.x86_64	2018-02-06 00:39:19 UTC (rev 289327)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.15 Kernel Configuration
+# Linux/x86 4.14.17 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -197,6 +197,7 @@
 CONFIG_RD_LZ4=y
 CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
 # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
+# CONFIG_LOCAL_SANITIZE is not set
 CONFIG_SYSCTL=y
 CONFIG_ANON_INODES=y
 CONFIG_HAVE_UID16=y
@@ -227,6 +228,7 @@
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
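Review bot: CONFIG_BPF_JIT_ALWAYS_ON=y is a security-relevant behavioural change (per its Kconfig help it permanently enables the BPF JIT and removes the interpreter), yet the commit message only mentions removing applied patches; it should be called out there. The option depends on CONFIG_BPF_JIT, so it is worth confirming that CONFIG_BPF_JIT=y is still set elsewhere in this file, which is outside the hunk. The `# CONFIG_LOCAL_SANITIZE is not set` line in the preceding hunk looks like an option newly surfaced by the refreshed config; if leaving it off is intentional, a note in the commit message would make that a conscious choice rather than an oldconfig default.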


