iptables: Security Advisory - iptables - CVE-2019-11360

Porting patch from <https://git.netfilter.org/iptables/commit/iptables/ xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e> to solve CVE-2019-11360. (From OE-Core rev: 5a38ef7eef9ecef2d27ae89f01691072bb94a25e) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Zhou <li.zhou@windriver.com> 2019-07-19 15:35:46 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-19 16:19:14 +0100
commit: f56e1ffb1e0943bf0f1c016255e5a6b09d52ca66 (patch)
tree: 33e93580a53e1964102b65b1193c41fc794ce43e
parent: a921c2f9dbefde3592bfe65c80ff1ce973aac89b (diff)
download: poky-f56e1ffb1e0943bf0f1c016255e5a6b09d52ca66.tar.gz
2 files changed, 118 insertions, 0 deletions
diff --git a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
new file mode 100644
index 0000000000..f67164fbcc
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
@@ -0,0 +1,117 @@
+From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 22 Apr 2019 23:17:27 +0200
+Subject: [PATCH] xshared: check for maximum buffer length in
+ add_param_to_argv()
+Bail out if we go over the boundary, based on patch from Sebastian.
+Reported-by: Sebastian Neef <contact@0day.work>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Upstream-Status: Backport
+CVE: CVE-2019-11360
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index fb186fb1..36a2ec5f 100644
+--- a/iptables/xshared.c
+++ b/iptables/xshared.c
+@@ -433,10 +433,24 @@ void save_argv(void)
+        }
+ }
+ 
+struct xt_param_buf {
+       char    buffer[1024];
+       int     len;
+};
+
+static void add_param(struct xt_param_buf *param, const char *curchar)
+{
+       param->buffer[param->len++] = *curchar;
+       if (param->len >= sizeof(param->buffer))
+               xtables_error(PARAMETER_PROBLEM,
+                             "Parameter too long!");
+}
+
+ void add_param_to_argv(char *parsestart, int line)
+ {
+-       int quote_open = 0, escaped = 0, param_len = 0;
+-       char param_buffer[1024], *curchar;
+       int quote_open = 0, escaped = 0;
+       struct xt_param_buf param = {};
+       char *curchar;
+ 
+        /* After fighting with strtok enough, here's now
+         * a 'real' parser. According to Rusty I'm now no
+@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
+        for (curchar = parsestart; *curchar; curchar++) {
+                if (quote_open) {
+                        if (escaped) {
+-                               param_buffer[param_len++] = *curchar;
+                               add_param(&param, curchar);
+                                escaped = 0;
+                                continue;
+                        } else if (*curchar == '\\') {
+@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
+                                quote_open = 0;
+                                *curchar = '"';
+                        } else {
+-                               param_buffer[param_len++] = *curchar;
+                               add_param(&param, curchar);
+                                continue;
+                        }
+                } else {
+@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
+                case ' ':
+                case '\t':
+                case '\n':
+-                       if (!param_len) {
+                       if (!param.len) {
+                                /* two spaces? */
+                                continue;
+                        }
+                        break;
+                default:
+                        /* regular character, copy to buffer */
+-                       param_buffer[param_len++] = *curchar;
+-
+-                       if (param_len >= sizeof(param_buffer))
+-                               xtables_error(PARAMETER_PROBLEM,
+-                                             "Parameter too long!");
+                       add_param(&param, curchar);
+                        continue;
+                }
+ 
+-               param_buffer[param_len] = '\0';
+               param.buffer[param.len] = '\0';
+ 
+                /* check if table name specified */
+-               if ((param_buffer[0] == '-' &&
+-                    param_buffer[1] != '-' &&
+-                    strchr(param_buffer, 't')) ||
+-                   (!strncmp(param_buffer, "--t", 3) &&
+-                    !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
+               if ((param.buffer[0] == '-' &&
+                    param.buffer[1] != '-' &&
+                    strchr(param.buffer, 't')) ||
+                   (!strncmp(param.buffer, "--t", 3) &&
+                    !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
+                        xtables_error(PARAMETER_PROBLEM,
+                                      "The -t option (seen in line %u) cannot be used in %s.\n",
+                                      line, xt_params->program_name);
+                }
+ 
+-               add_argv(param_buffer, 0);
+-               param_len = 0;
+               add_argv(param.buffer, 0);
+               param.len = 0;
+        }
+ }
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-extended/iptables/iptables_1.8.2.bb b/meta/recipes-extended/iptables/iptables_1.8.2.bb
index ad2c1a6f84..8d8483d95c 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.2.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.2.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
           file://0003-extensions-format-security-fixes-in-libipt_icmp.patch  \
+           file://CVE-2019-11360.patch \
 "
 SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"
author	Li Zhou <li.zhou@windriver.com>	2019-07-19 15:35:46 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-19 16:19:14 +0100
commit	f56e1ffb1e0943bf0f1c016255e5a6b09d52ca66 (patch)
tree	33e93580a53e1964102b65b1193c41fc794ce43e
parent	a921c2f9dbefde3592bfe65c80ff1ce973aac89b (diff)
download	poky-f56e1ffb1e0943bf0f1c016255e5a6b09d52ca66.tar.gz

diff --git a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch new file mode 100644 index 0000000000..f67164fbcc --- /dev/null +++ b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
@@ -0,0 +1,117 @@
		1	From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
		2	From: Pablo Neira Ayuso <pablo@netfilter.org>
		3	Date: Mon, 22 Apr 2019 23:17:27 +0200
		4	Subject: [PATCH] xshared: check for maximum buffer length in
		5	add_param_to_argv()
		6
		7	Bail out if we go over the boundary, based on patch from Sebastian.
		8
		9	Reported-by: Sebastian Neef <contact@0day.work>
		10	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
		11
		12	Upstream-Status: Backport
		13	CVE: CVE-2019-11360
		14	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		15	---
		16	iptables/xshared.c \| 46 ++++++++++++++++++++++++++++------------------
		17	1 file changed, 28 insertions(+), 18 deletions(-)
		18
		19	diff --git a/iptables/xshared.c b/iptables/xshared.c
		20	index fb186fb1..36a2ec5f 100644
		21	--- a/iptables/xshared.c
		22	+++ b/iptables/xshared.c
		23	@@ -433,10 +433,24 @@ void save_argv(void)
		24	}
		25	}
		26
		27	+struct xt_param_buf {
		28	+ char buffer[1024];
		29	+ int len;
		30	+};
		31	+
		32	+static void add_param(struct xt_param_buf param, const char curchar)
		33	+{
		34	+ param->buffer[param->len++] = *curchar;
		35	+ if (param->len >= sizeof(param->buffer))
		36	+ xtables_error(PARAMETER_PROBLEM,
		37	+ "Parameter too long!");
		38	+}
		39	+
		40	void add_param_to_argv(char *parsestart, int line)
		41	{
		42	- int quote_open = 0, escaped = 0, param_len = 0;
		43	- char param_buffer[1024], *curchar;
		44	+ int quote_open = 0, escaped = 0;
		45	+ struct xt_param_buf param = {};
		46	+ char *curchar;
		47
		48	/* After fighting with strtok enough, here's now
		49	* a 'real' parser. According to Rusty I'm now no
		50	@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
		51	for (curchar = parsestart; *curchar; curchar++) {
		52	if (quote_open) {
		53	if (escaped) {
		54	- param_buffer[param_len++] = *curchar;
		55	+ add_param(&param, curchar);
		56	escaped = 0;
		57	continue;
		58	} else if (*curchar == '\\') {
		59	@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
		60	quote_open = 0;
		61	*curchar = '"';
		62	} else {
		63	- param_buffer[param_len++] = *curchar;
		64	+ add_param(&param, curchar);
		65	continue;
		66	}
		67	} else {
		68	@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
		69	case ' ':
		70	case '\t':
		71	case '\n':
		72	- if (!param_len) {
		73	+ if (!param.len) {
		74	/* two spaces? */
		75	continue;
		76	}
		77	break;
		78	default:
		79	/* regular character, copy to buffer */
		80	- param_buffer[param_len++] = *curchar;
		81	-
		82	- if (param_len >= sizeof(param_buffer))
		83	- xtables_error(PARAMETER_PROBLEM,
		84	- "Parameter too long!");
		85	+ add_param(&param, curchar);
		86	continue;
		87	}
		88
		89	- param_buffer[param_len] = '\0';
		90	+ param.buffer[param.len] = '\0';
		91
		92	/* check if table name specified */
		93	- if ((param_buffer[0] == '-' &&
		94	- param_buffer[1] != '-' &&
		95	- strchr(param_buffer, 't')) \|\|
		96	- (!strncmp(param_buffer, "--t", 3) &&
		97	- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
		98	+ if ((param.buffer[0] == '-' &&
		99	+ param.buffer[1] != '-' &&
		100	+ strchr(param.buffer, 't')) \|\|
		101	+ (!strncmp(param.buffer, "--t", 3) &&
		102	+ !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
		103	xtables_error(PARAMETER_PROBLEM,
		104	"The -t option (seen in line %u) cannot be used in %s.\n",
		105	line, xt_params->program_name);
		106	}
		107
		108	- add_argv(param_buffer, 0);
		109	- param_len = 0;
		110	+ add_argv(param.buffer, 0);
		111	+ param.len = 0;
		112	}
		113	}
		114
		115	--
		116	2.17.1
		117


diff --git a/meta/recipes-extended/iptables/iptables_1.8.2.bb b/meta/recipes-extended/iptables/iptables_1.8.2.bb index ad2c1a6f84..8d8483d95c 100644 --- a/meta/recipes-extended/iptables/iptables_1.8.2.bb +++ b/meta/recipes-extended/iptables/iptables_1.8.2.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
11	file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \	11	file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
12	file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \	12	file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
13	file://0003-extensions-format-security-fixes-in-libipt_icmp.patch \	13	file://0003-extensions-format-security-fixes-in-libipt_icmp.patch \
		14	file://CVE-2019-11360.patch \
14	"	15	"
15		16
16	SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"	17	SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"