Re: CVE request: kernel: netfilter & econet infoleaks

[Eugene Teo <eugene () redhat com>]

> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
> copied from userspace.  Fields of these structs that are
> zero-terminated strings are not checked.  When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first bug was introduced before the git epoch;  the second is
> introduced by 6b7d31fc (v2.6.15-rc1);  the third is introduced by
> 6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
> CAP_NET_ADMIN."
> http://marc.info/?l=netfilter-devel&m=129978081009955&w=2

[PATCH] ipv4: netfilter: arp_tables: fix infoleak to userspace
CVE-2011-1170

> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
> copied from userspace.  Fields of these structs that are
> zero-terminated strings are not checked.  When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first and the third bugs were introduced before the git epoch; the
> second was introduced in 2722971c (v2.6.17-rc1).  To trigger the bug
> one should have CAP_NET_ADMIN."
> http://marc.info/?l=linux-kernel&m=129978077609894&w=2

[PATCH] ipv4: netfilter: ip_tables: fix infoleak to userspace
CVE-2011-1171

> "'buffer' string is copied from userspace.  It is not checked whether it is
> zero terminated.  This may lead to overflow inside of simple_strtoul().
> Changli Gao suggested to copy not more than user supplied 'size' bytes.
>
> It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
> root writable only by default, however, on some setups permissions might be
> relaxed to e.g. network admin user."
> http://marc.info/?l=netfilter&m=129978077509888&w=2
> http://marc.info/?l=netfilter-devel&m=130036157327564&w=2

I'm reluctant to assign a CVE name for this one. The default perms for 
this is S_IWUSR|S_IRUSR. I will let Steve decide for this one.

> "Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
> copied from userspace.  Fields of these structs that are
> zero-terminated strings are not checked.  When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first bug was introduced before the git epoch;  the second was
> introduced in 3bc3fe5e (v2.6.25-rc1);  the third is introduced by
> 6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
> CAP_NET_ADMIN."
> http://marc.info/?l=linux-kernel&m=129978086410061&w=2

[PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace
CVE-2011-1172

> "struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
> x86_64.  These bytes are not initialized in the variable 'ah' before
> sending 'ah' to the network.  This leads to 4 bytes kernel stack
> infoleak.
>
> This bug was introduced before the git epoch."
> http://marc.info/?l=linux-netdev&m=130036203528021&w=2

[PATCH] econet: 4 byte infoleak to the network
CVE-2011-1173

Thanks, Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }