[patch 02/23] NETFILTER: Missing check for CAP_NET_ADMIN in iptables compat layer

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: Patrick McHardy <[email protected]>

The 32bit compatibility layer has no CAP_NET_ADMIN check in
compat_do_ipt_get_ctl, which for example allows listing the current
iptables rules even without having that capability (the non-compat
version requires it). Other capabilities might be required to exploit
the bug (e.g. CAP_NET_RAW to get the nfnetlink socket?), so a plain user
can't exploit it, but a setup actually using the POSIX capability system
might very well hit such a constellation of granted capabilities.

Signed-off-by: Björn Steinbrink <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Chris Wright <[email protected]>

---
commit 4410392a8258fd972fc08a336278b14c82b2774f
tree 567261d003b2a8fb08c2d89d0d708dd06f357f49
parent b4d854665eafe32b48e0eecadb91a73f6eea0055
author Patrick McHardy <[email protected]> Fri, 17 Nov 2006 06:22:07 +0100
committer Patrick McHardy <[email protected]> Fri, 17 Nov 2006 06:22:07 +0100

 net/ipv4/netfilter/ip_tables.c |    3 +++
 1 file changed, 3 insertions(+)

--- linux-2.6.18.4.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.18.4/net/ipv4/netfilter/ip_tables.c
@@ -1994,6 +1994,9 @@ compat_do_ipt_get_ctl(struct sock *sk, i
 {
 	int ret;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	switch (cmd) {
 	case IPT_SO_GET_INFO:
 		ret = get_info(user, len, 1);
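Review bot: placing the `capable(CAP_NET_ADMIN)` test ahead of `switch (cmd)` is the right spot, since it covers every compat getsockopt command dispatched by this function with one check rather than requiring each `case` (such as `IPT_SO_GET_INFO` above) to repeat it, and `-EPERM` is the return value userspace already expects from the non-compat path the description refers to. The commit message would be more complete if it also stated whether the corresponding compat set path carries an equivalent check, so a reader can confirm from the description alone that the compat layer is now consistent with the native one in both directions.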

