summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch61
-rw-r--r--meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch117
-rw-r--r--meta/recipes-extended/iptables/iptables_1.8.3.bb (renamed from meta/recipes-extended/iptables/iptables_1.8.2.bb)13
3 files changed, 9 insertions, 182 deletions
diff --git a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch b/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
deleted file mode 100644
index e26594d19b..0000000000
--- a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
+++ /dev/null
@@ -1,61 +0,0 @@
1From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
3Date: Wed, 14 Nov 2018 07:35:28 +0100
4Subject: extensions: format-security fixes in libip[6]t_icmp
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
10introduced support for gcc feature to check format string against passed
11argument. This commit adds missing bits to extenstions's libipt_icmp.c
12and libip6t_icmp6.c that were causing build to fail.
13
14Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
15Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
16Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
17
18Upstream-Status: Backport
19---
20 extensions/libip6t_icmp6.c | 4 ++--
21 extensions/libipt_icmp.c | 2 +-
22 2 files changed, 3 insertions(+), 3 deletions(-)
23
24diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
25index 45a71875..cc7bfaeb 100644
26--- a/extensions/libip6t_icmp6.c
27+++ b/extensions/libip6t_icmp6.c
28@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
29 type_name = icmp6_type_xlate(icmptype);
30
31 if (type_name) {
32- xt_xlate_add(xl, type_name);
33+ xt_xlate_add(xl, "%s", type_name);
34 } else {
35 for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
36 if (icmpv6_codes[i].type == icmptype &&
37@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
38 break;
39
40 if (i != ARRAY_SIZE(icmpv6_codes))
41- xt_xlate_add(xl, icmpv6_codes[i].name);
42+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
43 else
44 return 0;
45 }
46diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
47index 54189976..e76257c5 100644
48--- a/extensions/libipt_icmp.c
49+++ b/extensions/libipt_icmp.c
50@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
51 if (icmp_codes[i].type == icmptype &&
52 icmp_codes[i].code_min == code_min &&
53 icmp_codes[i].code_max == code_max) {
54- xt_xlate_add(xl, icmp_codes[i].name);
55+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
56 return 1;
57 }
58 }
59--
60cgit v1.2.1
61
diff --git a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
deleted file mode 100644
index f67164fbcc..0000000000
--- a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
+++ /dev/null
@@ -1,117 +0,0 @@
1From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
2From: Pablo Neira Ayuso <pablo@netfilter.org>
3Date: Mon, 22 Apr 2019 23:17:27 +0200
4Subject: [PATCH] xshared: check for maximum buffer length in
5 add_param_to_argv()
6
7Bail out if we go over the boundary, based on patch from Sebastian.
8
9Reported-by: Sebastian Neef <contact@0day.work>
10Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
11
12Upstream-Status: Backport
13CVE: CVE-2019-11360
14Signed-off-by: Li Zhou <li.zhou@windriver.com>
15---
16 iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
17 1 file changed, 28 insertions(+), 18 deletions(-)
18
19diff --git a/iptables/xshared.c b/iptables/xshared.c
20index fb186fb1..36a2ec5f 100644
21--- a/iptables/xshared.c
22+++ b/iptables/xshared.c
23@@ -433,10 +433,24 @@ void save_argv(void)
24 }
25 }
26
27+struct xt_param_buf {
28+ char buffer[1024];
29+ int len;
30+};
31+
32+static void add_param(struct xt_param_buf *param, const char *curchar)
33+{
34+ param->buffer[param->len++] = *curchar;
35+ if (param->len >= sizeof(param->buffer))
36+ xtables_error(PARAMETER_PROBLEM,
37+ "Parameter too long!");
38+}
39+
40 void add_param_to_argv(char *parsestart, int line)
41 {
42- int quote_open = 0, escaped = 0, param_len = 0;
43- char param_buffer[1024], *curchar;
44+ int quote_open = 0, escaped = 0;
45+ struct xt_param_buf param = {};
46+ char *curchar;
47
48 /* After fighting with strtok enough, here's now
49 * a 'real' parser. According to Rusty I'm now no
50@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
51 for (curchar = parsestart; *curchar; curchar++) {
52 if (quote_open) {
53 if (escaped) {
54- param_buffer[param_len++] = *curchar;
55+ add_param(&param, curchar);
56 escaped = 0;
57 continue;
58 } else if (*curchar == '\\') {
59@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
60 quote_open = 0;
61 *curchar = '"';
62 } else {
63- param_buffer[param_len++] = *curchar;
64+ add_param(&param, curchar);
65 continue;
66 }
67 } else {
68@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
69 case ' ':
70 case '\t':
71 case '\n':
72- if (!param_len) {
73+ if (!param.len) {
74 /* two spaces? */
75 continue;
76 }
77 break;
78 default:
79 /* regular character, copy to buffer */
80- param_buffer[param_len++] = *curchar;
81-
82- if (param_len >= sizeof(param_buffer))
83- xtables_error(PARAMETER_PROBLEM,
84- "Parameter too long!");
85+ add_param(&param, curchar);
86 continue;
87 }
88
89- param_buffer[param_len] = '\0';
90+ param.buffer[param.len] = '\0';
91
92 /* check if table name specified */
93- if ((param_buffer[0] == '-' &&
94- param_buffer[1] != '-' &&
95- strchr(param_buffer, 't')) ||
96- (!strncmp(param_buffer, "--t", 3) &&
97- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
98+ if ((param.buffer[0] == '-' &&
99+ param.buffer[1] != '-' &&
100+ strchr(param.buffer, 't')) ||
101+ (!strncmp(param.buffer, "--t", 3) &&
102+ !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
103 xtables_error(PARAMETER_PROBLEM,
104 "The -t option (seen in line %u) cannot be used in %s.\n",
105 line, xt_params->program_name);
106 }
107
108- add_argv(param_buffer, 0);
109- param_len = 0;
110+ add_argv(param.buffer, 0);
111+ param.len = 0;
112 }
113 }
114
115--
1162.17.1
117
diff --git a/meta/recipes-extended/iptables/iptables_1.8.2.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 8d8483d95c..6ac3fc60c5 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.2.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
10SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \ 10SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
11 file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \ 11 file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
12 file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \ 12 file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
13 file://0003-extensions-format-security-fixes-in-libipt_icmp.patch \
14 file://CVE-2019-11360.patch \
15" 13"
16 14
17SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599" 15SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
18SRC_URI[sha256sum] = "a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af" 16SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
19 17
20inherit autotools pkgconfig 18inherit autotools pkgconfig
21 19
@@ -49,6 +47,13 @@ python populate_packages_prepend() {
49 47
50FILES_${PN} += "${datadir}/xtables" 48FILES_${PN} += "${datadir}/xtables"
51 49
50# Include the symlinks as well in respective packages
51FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
52FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
53
54INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
55INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
56
52ALLOW_EMPTY_${PN}-modules = "1" 57ALLOW_EMPTY_${PN}-modules = "1"
53 58
54RDEPENDS_${PN} = "${PN}-module-xt-standard" 59RDEPENDS_${PN} = "${PN}-module-xt-standard"