[arch-commits] Commit in linux-hardened/trunk (4 files)
Levente Polyak
anthraxx at archlinux.org
Tue Feb 6 00:39:19 UTC 2018
Date: Tuesday, February 6, 2018 @ 00:39:19
Author: anthraxx
Revision: 289327
upgpkg: linux-hardened 4.14.17.a-1
- remove applied security patches
Modified:
linux-hardened/trunk/PKGBUILD
linux-hardened/trunk/config.x86_64
Deleted:
linux-hardened/trunk/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
linux-hardened/trunk/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
---------------------------------------------------------------------------------+
CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch | 78 ----------
CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch | 60 -------
PKGBUILD | 14 -
config.x86_64 | 4
4 files changed, 8 insertions(+), 148 deletions(-)
Deleted: CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
===================================================================
--- CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch 2018-02-05 23:46:52 UTC (rev 289326)
+++ CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch 2018-02-06 00:39:19 UTC (rev 289327)
@@ -1,78 +0,0 @@
-From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee at chromium.org>
-Date: Sun, 3 Dec 2017 12:12:45 -0800
-Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, nfnl_cthelper_list is shared by all net namespaces on the
-system. An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
- $ nfct helper list
- nfct v1.4.4: netlink error: Operation not permitted
- $ vpnns -- nfct helper list
- {
- .name = ftp,
- .queuenum = 0,
- .l3protonum = 2,
- .l4protonum = 6,
- .priv_data_len = 24,
- .status = enabled,
- };
-
-Add capable() checks in nfnetlink_cthelper, as this is cleaner than
-trying to generalize the solution.
-
-Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
-index 41628b393673..d33ce6d5ebce 100644
---- a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -17,6 +17,7 @@
- #include <linux/types.h>
- #include <linux/list.h>
- #include <linux/errno.h>
-+#include <linux/capability.h>
- #include <net/netlink.h>
- #include <net/sock.h>
-
-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth;
- int ret = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
- return -EINVAL;
-
-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth;
- bool tuple_set = false;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (nlh->nlmsg_flags & NLM_F_DUMP) {
- struct netlink_dump_control c = {
- .dump = nfnl_cthelper_dump_table,
-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth, *n;
- int j = 0, ret;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (tb[NFCTH_NAME])
- helper_name = nla_data(tb[NFCTH_NAME]);
-
---
-2.15.1
-
Deleted: CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
===================================================================
--- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch 2018-02-05 23:46:52 UTC (rev 289326)
+++ CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch 2018-02-06 00:39:19 UTC (rev 289327)
@@ -1,60 +0,0 @@
-From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee at chromium.org>
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system. An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
- vpnns -- nfnl_osf -f /tmp/pf.os
-
- vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the systemwide OS
-fingerprint list. Add new capable() checks so that they can't.
-
-Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/xt_osf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
-index 36e14b1f061d..a34f314a8c23 100644
---- a/net/netfilter/xt_osf.c
-+++ b/net/netfilter/xt_osf.c
-@@ -19,6 +19,7 @@
- #include <linux/module.h>
- #include <linux/kernel.h>
-
-+#include <linux/capability.h>
- #include <linux/if.h>
- #include <linux/inetdevice.h>
- #include <linux/ip.h>
-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
- struct xt_osf_finger *kf = NULL, *sf;
- int err = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!osf_attrs[OSF_ATTR_FINGER])
- return -EINVAL;
-
-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
- struct xt_osf_finger *sf;
- int err = -ENOENT;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!osf_attrs[OSF_ATTR_FINGER])
- return -EINVAL;
-
---
-2.15.1
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2018-02-05 23:46:52 UTC (rev 289326)
+++ PKGBUILD 2018-02-06 00:39:19 UTC (rev 289327)
@@ -5,7 +5,7 @@
pkgbase=linux-hardened
_srcname=linux-4.14
-_pkgver=4.14.15
+_pkgver=4.14.17
pkgver=${_pkgver}.a
pkgrel=1
url='https://github.com/copperhead/linux-hardened'
@@ -29,25 +29,21 @@
drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
- CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
)
replaces=('linux-grsec')
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
- '54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030'
+ '1e62d56e37bd15daec7c3d20a605624e1e0a21c44856880c6dbe0c9e41cabfa8'
'SKIP'
- 'a9058fbc7ece8cc1920bc3659201c69ecd078de7b87e19a9977e66d9acd007ee'
+ '77b6c3188a029d3a03164b2ca75bcd9781ea8a32b1e021114667e4a39c1b4bd1'
'SKIP'
- '7928cf08457106c025cc165b823379af8cbff947b6f99485acbdc12a622cdaa5'
+ '9cff1bfc26d019905c67eed2a81b7d99e6662791b5b1f77784835ef435b8425f'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
'294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148'
- '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
- 'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
- '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435')
+ '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9')
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
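Review bot: The two CVE patches are dropped from `source=()` on the commit message's claim that they are now applied upstream, but nothing in the PKGBUILD records which stable commit subsumes each one, so the next maintainer cannot tell from the file whether the fix survived a kernel rebase. The deleted patch headers give the mainline IDs (4b380c42f7d0 for CVE-2017-17448, 916a27901de0 for CVE-2017-17450); a one-line comment next to the `_pkgver=4.14.17` bump such as `# CVE-2017-17448/-17450 fixed in 4.14.17 (upstream 4b380c42f7d0, 916a27901de0)` would make the removal auditable. The CVE-2017-8824 DCCP patch is still carried in the same array; presumably it was checked against 4.14.17 too, but that is not stated, and a patch that no longer applies (or applies on top of an already-fixed tree) is the usual way a stale entry is noticed late. The sha256sums edits match the source removals one-for-one as far as the visible tail of both arrays shows; the head of `source=()` is outside the hunk.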
Modified: config.x86_64
===================================================================
--- config.x86_64 2018-02-05 23:46:52 UTC (rev 289326)
+++ config.x86_64 2018-02-06 00:39:19 UTC (rev 289327)
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.15 Kernel Configuration
+# Linux/x86 4.14.17 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -197,6 +197,7 @@
CONFIG_RD_LZ4=y
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
+# CONFIG_LOCAL_SANITIZE is not set
CONFIG_SYSCTL=y
CONFIG_ANON_INODES=y
CONFIG_HAVE_UID16=y
@@ -227,6 +228,7 @@
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_SHMEM=y
CONFIG_AIO=y
CONFIG_ADVISE_SYSCALLS=y
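Review bot: `CONFIG_BPF_JIT_ALWAYS_ON=y` only takes effect when `CONFIG_BPF_JIT=y` is also set (the option depends on BPF_JIT as well as the `CONFIG_BPF_SYSCALL=y` shown two lines above), and the hunk does not show the BPF_JIT line; if it is unset the new option is silently dropped on the next olddefconfig and the interpreter stays in the image. Worth confirming `CONFIG_BPF_JIT=y` elsewhere in config.x86_64, since the point of the option on a hardened kernel is to remove the interpreter as a Spectre/gadget source. With the interpreter gone the JIT is the only eBPF execution path, so the `net.core.bpf_jit_harden` sysctl becomes the relevant control against JIT spraying; presumably the hardened patchset sets a non-zero default, but that is not visible here. The `# CONFIG_LOCAL_SANITIZE is not set` line appears to be a patchset-specific option; a short note in the commit message on why it is left off would help readers who see it only as a new symbol.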