** Description changed: The upstream stable rc git tree (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable- rc.git/log/?h=linux-4.6.y) currently has the following commits for netfilter that address (with unprivileged user namespaces enabled) local privilege escalation. These are the commit references in linus' tree: - f24e230d257af1ad7476c6e81a8dc3127a74204e netfilter: x_tables: don't move to non-existent next rule - 36472341017529e2b12573093cc0f68719300997 netfilter: x_tables: validate targets of jumps - 7d35812c3214afa5b37a675113555259cfd67b98 netfilter: x_tables: add and use xt_check_entry_offsets - aa412ba225dd3bc36d404c28cdc3d674850d80d0 netfilter: x_tables: kill check_entry helper - a08e4e190b866579896c09af59b3bdca821da2cd netfilter: x_tables: assert minimum target size - fc1221b3a163d1386d1052184202d5dc50d302d1 netfilter: x_tables: add compat version of xt_check_entry_offsets - 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44 netfilter: x_tables: check standard target size too - ce683e5f9d045e5d67d1312a42b359cb2ab2a13c netfilter: x_tables: check for bogus target offset - 13631bfc604161a9d69cd68991dff8603edd66f9 netfilter: x_tables: validate all offsets and sizes in a rule - 7b7eba0f3515fca3296b8881d583f7c1042f5226 netfilter: x_tables: don't reject valid target size on some architectures + f24e230d257af1ad7476c6e81a8dc3127a74204e + netfilter: x_tables: don't move to non-existent next rule + 36472341017529e2b12573093cc0f68719300997 + netfilter: x_tables: validate targets of jumps + 7d35812c3214afa5b37a675113555259cfd67b98 + netfilter: x_tables: add and use xt_check_entry_offsets + aa412ba225dd3bc36d404c28cdc3d674850d80d0 + netfilter: x_tables: kill check_entry helper + a08e4e190b866579896c09af59b3bdca821da2cd + netfilter: x_tables: assert minimum target size + fc1221b3a163d1386d1052184202d5dc50d302d1 + netfilter: x_tables: add compat version of xt_check_entry_offsets + 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44 + netfilter: x_tables: check standard target size too + ce683e5f9d045e5d67d1312a42b359cb2ab2a13c + netfilter: x_tables: check for bogus target offset + 13631bfc604161a9d69cd68991dff8603edd66f9 + netfilter: x_tables: validate all offsets and sizes in a rule + 7b7eba0f3515fca3296b8881d583f7c1042f5226 + netfilter: x_tables: don't reject valid target size on some architectures + 8dddd32756f6fe8e4e82a63361119b7e2384e02f + netfilter: arp_tables: simplify translate_compat_table args + 7d3f843eed29222254c9feab481f55175a1afcc9 + netfilter: ip_tables: simplify translate_compat_table args + 329a0807124f12fe1c8032f95d8a8eb47047fb0e + netfilter: ip6_tables: simplify translate_compat_table args + 0188346f21e6546498c2a0f84888797ad4063fc5 + netfilter: x_tables: xt_compat_match_from_user doesn't need a retval + 09d9686047dbbe1cf4faa558d3ecc4aae2046054 + netfilter: x_tables: do compat validation via translate_table + d7591f0c41ce3e67600a982bab6989ef0f07b3ce + netfilter: x_tables: introduce and use xt_copy_counters_from_user CRD: Public
** Description changed: The upstream stable rc git tree (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable- rc.git/log/?h=linux-4.6.y) currently has the following commits for netfilter that address (with unprivileged user namespaces enabled) local privilege escalation. These are the commit references in linus' tree: f24e230d257af1ad7476c6e81a8dc3127a74204e - netfilter: x_tables: don't move to non-existent next rule + netfilter: x_tables: don't move to non-existent next rule 36472341017529e2b12573093cc0f68719300997 - netfilter: x_tables: validate targets of jumps + netfilter: x_tables: validate targets of jumps 7d35812c3214afa5b37a675113555259cfd67b98 - netfilter: x_tables: add and use xt_check_entry_offsets + netfilter: x_tables: add and use xt_check_entry_offsets aa412ba225dd3bc36d404c28cdc3d674850d80d0 - netfilter: x_tables: kill check_entry helper + netfilter: x_tables: kill check_entry helper a08e4e190b866579896c09af59b3bdca821da2cd - netfilter: x_tables: assert minimum target size + netfilter: x_tables: assert minimum target size fc1221b3a163d1386d1052184202d5dc50d302d1 - netfilter: x_tables: add compat version of xt_check_entry_offsets + netfilter: x_tables: add compat version of xt_check_entry_offsets 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44 - netfilter: x_tables: check standard target size too + netfilter: x_tables: check standard target size too ce683e5f9d045e5d67d1312a42b359cb2ab2a13c - netfilter: x_tables: check for bogus target offset + netfilter: x_tables: check for bogus target offset 13631bfc604161a9d69cd68991dff8603edd66f9 - netfilter: x_tables: validate all offsets and sizes in a rule + netfilter: x_tables: validate all offsets and sizes in a rule 7b7eba0f3515fca3296b8881d583f7c1042f5226 - netfilter: x_tables: don't reject valid target size on some architectures + netfilter: x_tables: don't reject valid target size on some architectures 8dddd32756f6fe8e4e82a63361119b7e2384e02f - netfilter: arp_tables: simplify translate_compat_table args + netfilter: arp_tables: simplify translate_compat_table args 7d3f843eed29222254c9feab481f55175a1afcc9 - netfilter: ip_tables: simplify translate_compat_table args + netfilter: ip_tables: simplify translate_compat_table args 329a0807124f12fe1c8032f95d8a8eb47047fb0e - netfilter: ip6_tables: simplify translate_compat_table args + netfilter: ip6_tables: simplify translate_compat_table args 0188346f21e6546498c2a0f84888797ad4063fc5 - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval + netfilter: x_tables: xt_compat_match_from_user doesn't need a retval 09d9686047dbbe1cf4faa558d3ecc4aae2046054 - netfilter: x_tables: do compat validation via translate_table + netfilter: x_tables: do compat validation via translate_table d7591f0c41ce3e67600a982bab6989ef0f07b3ce - netfilter: x_tables: introduce and use xt_copy_counters_from_user + netfilter: x_tables: introduce and use xt_copy_counters_from_user + + They have also been backported to the 4.4 + (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable- + rc.git/log/?h=linux-4.4.y) and 3.14 + (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable- + rc.git/log/?h=linux-3.14.y) stable trees, with 3 additional prerequisite + backported commits: + + bdf533de6968e9686df777dc178486f600c6e617 + netfilter: x_tables: validate e->target_offset early + 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91 + netfilter: x_tables: make sure e->next_offset covers remaining blob size + 54d83fc74aa9ec72794373cb47432c5f7fb1a309 + netfilter: x_tables: fix unconditional helper CRD: Public ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1595350 Title: Linux netfilter local privilege escalation issues To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1595350/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
