summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended
diff options
context:
space:
mode:
authorLi Zhou <li.zhou@windriver.com>2019-07-19 15:35:46 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-19 16:19:14 +0100
commitf56e1ffb1e0943bf0f1c016255e5a6b09d52ca66 (patch)
tree33e93580a53e1964102b65b1193c41fc794ce43e /meta/recipes-extended
parenta921c2f9dbefde3592bfe65c80ff1ce973aac89b (diff)
downloadpoky-f56e1ffb1e0943bf0f1c016255e5a6b09d52ca66.tar.gz
iptables: Security Advisory - iptables - CVE-2019-11360
Porting patch from <https://git.netfilter.org/iptables/commit/iptables/ xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e> to solve CVE-2019-11360. (From OE-Core rev: 5a38ef7eef9ecef2d27ae89f01691072bb94a25e) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r--meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch117
-rw-r--r--meta/recipes-extended/iptables/iptables_1.8.2.bb1
2 files changed, 118 insertions, 0 deletions
diff --git a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
new file mode 100644
index 0000000000..f67164fbcc
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
@@ -0,0 +1,117 @@
1From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
2From: Pablo Neira Ayuso <pablo@netfilter.org>
3Date: Mon, 22 Apr 2019 23:17:27 +0200
4Subject: [PATCH] xshared: check for maximum buffer length in
5 add_param_to_argv()
6
7Bail out if we go over the boundary, based on patch from Sebastian.
8
9Reported-by: Sebastian Neef <contact@0day.work>
10Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
11
12Upstream-Status: Backport
13CVE: CVE-2019-11360
14Signed-off-by: Li Zhou <li.zhou@windriver.com>
15---
16 iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
17 1 file changed, 28 insertions(+), 18 deletions(-)
18
19diff --git a/iptables/xshared.c b/iptables/xshared.c
20index fb186fb1..36a2ec5f 100644
21--- a/iptables/xshared.c
22+++ b/iptables/xshared.c
23@@ -433,10 +433,24 @@ void save_argv(void)
24 }
25 }
26
27+struct xt_param_buf {
28+ char buffer[1024];
29+ int len;
30+};
31+
32+static void add_param(struct xt_param_buf *param, const char *curchar)
33+{
34+ param->buffer[param->len++] = *curchar;
35+ if (param->len >= sizeof(param->buffer))
36+ xtables_error(PARAMETER_PROBLEM,
37+ "Parameter too long!");
38+}
39+
40 void add_param_to_argv(char *parsestart, int line)
41 {
42- int quote_open = 0, escaped = 0, param_len = 0;
43- char param_buffer[1024], *curchar;
44+ int quote_open = 0, escaped = 0;
45+ struct xt_param_buf param = {};
46+ char *curchar;
47
48 /* After fighting with strtok enough, here's now
49 * a 'real' parser. According to Rusty I'm now no
50@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
51 for (curchar = parsestart; *curchar; curchar++) {
52 if (quote_open) {
53 if (escaped) {
54- param_buffer[param_len++] = *curchar;
55+ add_param(&param, curchar);
56 escaped = 0;
57 continue;
58 } else if (*curchar == '\\') {
59@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
60 quote_open = 0;
61 *curchar = '"';
62 } else {
63- param_buffer[param_len++] = *curchar;
64+ add_param(&param, curchar);
65 continue;
66 }
67 } else {
68@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
69 case ' ':
70 case '\t':
71 case '\n':
72- if (!param_len) {
73+ if (!param.len) {
74 /* two spaces? */
75 continue;
76 }
77 break;
78 default:
79 /* regular character, copy to buffer */
80- param_buffer[param_len++] = *curchar;
81-
82- if (param_len >= sizeof(param_buffer))
83- xtables_error(PARAMETER_PROBLEM,
84- "Parameter too long!");
85+ add_param(&param, curchar);
86 continue;
87 }
88
89- param_buffer[param_len] = '\0';
90+ param.buffer[param.len] = '\0';
91
92 /* check if table name specified */
93- if ((param_buffer[0] == '-' &&
94- param_buffer[1] != '-' &&
95- strchr(param_buffer, 't')) ||
96- (!strncmp(param_buffer, "--t", 3) &&
97- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
98+ if ((param.buffer[0] == '-' &&
99+ param.buffer[1] != '-' &&
100+ strchr(param.buffer, 't')) ||
101+ (!strncmp(param.buffer, "--t", 3) &&
102+ !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
103 xtables_error(PARAMETER_PROBLEM,
104 "The -t option (seen in line %u) cannot be used in %s.\n",
105 line, xt_params->program_name);
106 }
107
108- add_argv(param_buffer, 0);
109- param_len = 0;
110+ add_argv(param.buffer, 0);
111+ param.len = 0;
112 }
113 }
114
115--
1162.17.1
117
diff --git a/meta/recipes-extended/iptables/iptables_1.8.2.bb b/meta/recipes-extended/iptables/iptables_1.8.2.bb
index ad2c1a6f84..8d8483d95c 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.2.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.2.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
11 file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \ 11 file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
12 file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \ 12 file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
13 file://0003-extensions-format-security-fixes-in-libipt_icmp.patch \ 13 file://0003-extensions-format-security-fixes-in-libipt_icmp.patch \
14 file://CVE-2019-11360.patch \
14" 15"
15 16
16SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599" 17SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"