Package: iptables
Version: 1.8.8-1
Severity: important
Tags: upstream
X-Debbugs-Cc: lbouch...@scaleway.com
This is the description for the upstream fix of this bug[1] :
This is an odd bug: If the number of chains is right and one renames the
last one in the list, libiptc dereferences a NULL pointer.
Commit 97bf4e68fc0794adba3243fd96f40f4568e7216f fixes this bug upstream.
This bug is to have the fix included in Debian in order to avoid such
segmentation faults.
For Sid, iptables uses the new nft libraries so the problem
does not appear unless the -legacy commands are used.
The following code (adapted from the upstream commit to work on Sid)
may be used to reproduce the issue :
----------------------------------------8<--------------------------------
#!/bin/bash
#
# Cover for a bug in libiptc:
# - the chain 'node-98-tmp' is the last in the list sorted by name
# - there are 81 chains in total, so three chain index buckets
# - the last index bucket contains only the 'node-98-tmp' chain
# => rename temporarily removes it from the bucket, leaving a NULL
# bucket
# behind which is dereferenced later when inserting the chain again with
# new
# name again
(
echo "*filter"
for chain in node-1 node-10 node-101 node-102 node-104 node-107
node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18
node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27
node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36
node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45
node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54
node-55 node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62
node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71
node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9
node-92 node-93 node-95 node-98-tmp; do
echo ":$chain - [0:0]"
done
echo "COMMIT"
) | $XT_MULTI iptables-legacy-restore
$XT_MULTI iptables-legacy -E node-98-tmp node-98
exit $?
---------------------------------------->8--------------------------------
[1]
http://git.netfilter.org/iptables/commit/?id=97bf4e68fc0794adba3243fd96f40f4568e7216f
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.19.0-2-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages iptables depends on:
ii libc6 2.35-3
ii libip4tc2 1.8.8-1
ii libip6tc2 1.8.8-1
ii libmnl0 1.0.4-3
ii libnetfilter-conntrack3 1.0.9-2
ii libnfnetlink0 1.0.2-2
ii libnftnl11 1.2.3-1
ii libxtables12 1.8.8-1
ii netbase 6.3
Versions of packages iptables recommends:
pn nftables <none>
Versions of packages iptables suggests:
pn firewalld <none>
ii kmod 30+20220905-1
-- no debconf information
