diff --git a/CVE-2019-11360.patch b/CVE-2019-11360.patch
new file mode 100644
index 0000000000000000000000000000000000000000..782cde8d37a6341ba55c746336486dee0de38dd9
--- /dev/null
+++ b/CVE-2019-11360.patch
@@ -0,0 +1,113 @@
+From da800103668f256f11d88851fa9ea9faf298b760 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 22 Apr 2019 23:17:27 +0200
+Subject: [PATCH] xshared: check for maximum buffer length in
+ add_param_to_argv()
+
+Bail out if we go over the boundary, based on patch from Sebastian.
+
+Reported-by: Sebastian Neef
+Signed-off-by: Pablo Neira Ayuso
+---
+ iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index b16f5fa..b0ca8e6 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -433,10 +433,24 @@ void save_argv(void)
+ }
+ }
+
++struct xt_param_buf {
++ char buffer[1024];
++ int len;
++};
++
++static void add_param(struct xt_param_buf *param, const char *curchar)
++{
++ param->buffer[param->len++] = *curchar;
++ if (param->len >= sizeof(param->buffer))
++ xtables_error(PARAMETER_PROBLEM,
++ "Parameter too long!");
++}
++
+ void add_param_to_argv(char *parsestart, int line)
+ {
+- int quote_open = 0, escaped = 0, param_len = 0;
+- char param_buffer[1024], *curchar;
++ int quote_open = 0, escaped = 0;
++ struct xt_param_buf param = {};
++ char *curchar;
+
+ /* After fighting with strtok enough, here's now
+ * a 'real' parser.
According to Rusty I'm now no
+@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
+ for (curchar = parsestart; *curchar; curchar++) {
+ if (quote_open) {
+ if (escaped) {
+- param_buffer[param_len++] = *curchar;
++ add_param(¶m, curchar);
+ escaped = 0;
+ continue;
+ } else if (*curchar == '\\') {
+@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
+ quote_open = 0;
+ *curchar = '"';
+ } else {
+- param_buffer[param_len++] = *curchar;
++ add_param(¶m, curchar);
+ continue;
+ }
+ } else {
+@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
+ case ' ':
+ case '\t':
+ case '\n':
+- if (!param_len) {
++ if (!param.len) {
+ /* two spaces? */
+ continue;
+ }
+ break;
+ default:
+ /* regular character, copy to buffer */
+- param_buffer[param_len++] = *curchar;
+-
+- if (param_len >= sizeof(param_buffer))
+- xtables_error(PARAMETER_PROBLEM,
+- "Parameter too long!");
++ add_param(¶m, curchar);
+ continue;
+ }
+
+- param_buffer[param_len] = '\0';
++ param.buffer[param.len] = '\0';
+
+ /* check if table name specified */
+- if ((param_buffer[0] == '-' &&
+- param_buffer[1] != '-' &&
+- strchr(param_buffer, 't')) ||
+- (!strncmp(param_buffer, "--t", 3) &&
+- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
++ if ((param.buffer[0] == '-' &&
++ param.buffer[1] != '-' &&
++ strchr(param.buffer, 't')) ||
++ (!strncmp(param.buffer, "--t", 3) &&
++ !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
+ }
+
+- add_argv(param_buffer, 0);
+- param_len = 0;
++ add_argv(param.buffer, 0);
++ param.len = 0;
+ }
+ }
+
+--
+1.8.3.1
+
diff --git a/iptables.spec b/iptables.spec
index 154257f17deb7a21086114615352a00a53c1d3f9..795e8e1bbe2c3b76ee762be3c830302b887ab607 100644
--- a/iptables.spec
+++ b/iptables.spec
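Review bot: In add_param() the bounds check runs after the store — `param->buffer[param->len++] = *curchar;` then `if (param->len >= sizeof(param->buffer))` — so the code stays in bounds only because the post-increment compare caps len at 1023 on return, which is also what leaves index `len` free for the `param.buffer[param.len] = '\0';` written in the last inner hunk; nothing states that invariant. Checking before the store says it outright and drops the int-versus-size_t compare: `if (param->len >= (int)sizeof(param->buffer) - 1)` / `xtables_error(PARAMETER_PROBLEM, "Parameter too long!");` / `param->buffer[param->len++] = *curchar;`, which accepts exactly the same inputs (at most 1023 characters) as the committed version. I would also head the helper with `/* Append one character; on return len <= sizeof(buffer) - 1, so buffer[len] is always writable for the NUL. */`. Both forms rely on xtables_error() not returning, which this patch does not show. Separately, `struct xt_param_buf param = {};` is a GNU/C23 empty initializer (`{ 0 }` is the strict C11 spelling), and the `¶m` in the add_param() calls looks like an `&param` rendering artifact of this page rather than patch text.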
@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name: iptables
 Version: 1.8.1
-Release: 4
+Release: 5
 Summary: IP packet filter administration utilities
 License: GPLv2 and Artistic Licence 2.0 and ISC
 URL: https://www.netfilter.org/
@@ -14,6 +14,7 @@ Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
 Patch1: iptables-apply-Use-mktemp-instead-of-tempfile.patch
+Patch2: CVE-2019-11360.patch
 BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd git
 BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@@ -248,6 +249,12 @@ fi
 %{_mandir}/*
 %changelog
+* Thu Apr 16 2020 chenzhen - 1.8.1-5
+- Type:cves
+- ID:CVE-2019-11360
+- SUG:restart
+- DESC:fix CVE-2019-11360
+
 * Sat Jan 18 2020 openEuler Buildteam - 1.8.1-4
 - add executable permissions to iptables.init