diff --git a/backport-Fix-parsing-of-empty-string-arg-in-c-option.patch b/backport-Fix-parsing-of-empty-string-arg-in-c-option.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2168786d9176086466300fd4461ce6e36255a5f9
--- /dev/null
+++ b/backport-Fix-parsing-of-empty-string-arg-in-c-option.patch
@@ -0,0 +1,81 @@
+From a2911408959d7e86bc4bad4f1be2551a19ad125c Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 9 Apr 2024 13:18:12 +0200
+Subject: xshared: Fix parsing of empty string arg in '-c' option
+
+Calling iptables with '-c ""' resulted in a call to strchr() with an
+invalid pointer as 'optarg + 1' points to past the buffer. The most
+simple fix is to drop the offset: The global optstring part specifies a
+single colon after 'c', so getopt() enforces a valid pointer in optarg.
+If it contains a comma at first position, packet counter value parsing
+will fail so all cases are covered.
+
+Reported-by: gorbanev.es@gmail.com
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1741
+Fixes: 60a6073690a45 ("Make --set-counters (-c) accept comma separated counters")
+Signed-off-by: Phil Sutter
+
+Conflict:iptables/xshared.c => iptables/ip6tables.c,iptables/iptables.c,iptables/xtables.c;Because the higher version has do_parse as a public function and resolves by calling do_parse
+Reference:https://git.netfilter.org/iptables/commit/?id=a2911408959d7e86bc4bad4f1be2551a19ad125c
+---
+ extensions/iptables.t | 5 +++++
+ iptables/ip6tables.c | 2 +-
+ iptables/iptables.c | 2 +-
+ iptables/xtables.c | 2 +-
+ 4 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/extensions/iptables.t b/extensions/iptables.t
+index b4b6d67..5d6d3d1 100644
+--- a/extensions/iptables.t
++++ b/extensions/iptables.t
+@@ -4,3 +4,8 @@
+ -i eth+ -o alongifacename+;=;OK
+ ! -i eth0;=;OK
+ ! -o eth+;=;OK
++-c "";;FAIL
++-c ,3;;FAIL
++-c 3,;;FAIL
++-c ,;;FAIL
++-c 2,3 -j ACCEPT;-j ACCEPT;OK
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 9ada9d7..c271442 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1425,7 +1425,7 @@ int do_command6(int argc, char *argv[], char **table,
+ set_option(&cs.options, OPT_COUNTERS, &cs.fw6.ipv6.invflags,
+ cs.invert);
+ pcnt = optarg;
+- bcnt = strchr(pcnt + 1, ',');
++ bcnt = strchr(pcnt, ',');
+ if (bcnt)
+ bcnt++;
+ if (!bcnt && xs_has_arg(argc, argv))
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index 4a3c7ef..9a61f8b 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -1416,7 +1416,7 @@ int do_command4(int argc, char *argv[], char **table,
+ set_option(&cs.options, OPT_COUNTERS, &cs.fw.ip.invflags,
+ cs.invert);
+ pcnt = optarg;
+- bcnt = strchr(pcnt + 1, ',');
++ bcnt = strchr(pcnt, ',');
+ if (bcnt)
+ bcnt++;
+ if (!bcnt && xs_has_arg(argc, argv))
+diff --git a/iptables/xtables.c b/iptables/xtables.c
+index a16bba7..dd3410d 100644
+--- a/iptables/xtables.c
++++ b/iptables/xtables.c
+@@ -812,7 +812,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
+ set_option(&cs->options, OPT_COUNTERS, &args->invflags,
+ cs->invert);
+ args->pcnt = optarg;
+- args->bcnt = strchr(args->pcnt + 1, ',');
++ args->bcnt = strchr(args->pcnt, ',');
+ if (args->bcnt)
+ args->bcnt++;
+ if (!args->bcnt && xs_has_arg(argc, argv))
+--
+2.33.0
+
diff --git a/backport-libxtables-Fix-memleak-of-matches-udata.patch b/backport-libxtables-Fix-memleak-of-matches-udata.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8ef2779b7336ecc3e8bba3cdcf4537ea21b3ffda
--- /dev/null
+++ b/backport-libxtables-Fix-memleak-of-matches-udata.patch
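Review bot: The new `strchr(pcnt, ',')` in do_command6, do_command4 and do_parse lets a value such as `,3` reach the counter parser with pcnt pointing at the leading comma, and a value such as `3,` leaves bcnt pointing at an empty string; the hunks rely on parsing code outside them to reject both cases, which the commit message asserts but nothing in the hunk itself checks. A one-line comment above the strchr call would make that contract visible to whoever next touches the three copies, e.g. `/* optarg is non-NULL (optstring has "c:"); an empty value or a leading/trailing comma is rejected by the counter parsing that follows */`. Because the backport duplicates the identical fix in ip6tables.c, iptables.c and xtables.c rather than upstream's shared do_parse(), any follow-up fix must be applied three times, and the added iptables.t cases exercise only the front end the .t harness runs them against — whether that covers ip6tables and the nft variants is not visible here. All three enclosing functions begin and end outside the hunk.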
@@ -0,0 +1,37 @@
+From e7366db80740d34d2fe4ba8d12ef86a423e66280 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 31 Jan 2024 14:58:17 +0100
+Subject: libxtables: Fix memleak of matches' udata
+
+If the extension specifies a non-zero udata_size, field 'udata' points
+to an allocated buffer which needs to be freed upon extension deinit.
+
+Interestingly, this bug was identified by ASAN and missed by valgrind.
+
+Fixes: 2dba676b68ef8 ("extensions: support for per-extension instance "global" variable space")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=e7366db80740d34d2fe4ba8d12ef86a423e66280
+---
+ libxtables/xtables.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index b4339e8d..856bfae8 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -1420,6 +1420,10 @@ void xtables_rule_matches_free(struct xtables_rule_match **matches)
+ free(matchp->match->m);
+ matchp->match->m = NULL;
+ }
++ if (matchp->match->udata_size) {
++ free(matchp->match->udata);
++ matchp->match->udata = NULL;
++ }
+ if (matchp->match == matchp->match->next) {
+ free(matchp->match);
+ matchp->match = NULL;
+--
+cgit v1.2.3
+
diff --git a/iptables.spec b/iptables.spec
index c5df3af18f5b2928904d015ae6981c24bbe5f964..27760e6b4cfad26f72aa8eb69f81be1af23cd53f 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name: iptables
 Version: 1.8.7
-Release: 16
+Release: 17
 Summary: IP packet filter administration utilities
 License: GPL-2.0-only and Artistic-2.0
 URL: https://www.netfilter.org/
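Review bot: The new block in xtables_rule_matches_free() frees `matchp->match->udata` for every entry on the list, but whether `matchp->match` is a per-rule clone or the shared registered extension is only decided by the `matchp->match == matchp->match->next` test that follows it, so if a non-cloned registration can reach this loop its udata is freed and nulled while the extension stays registered; whether the next lookup re-allocates it cannot be seen from this hunk and is worth confirming before shipping the backport. The guard on `udata_size` adds nothing for safety, since `free(NULL)` is a no-op, so if it exists to leave a non-owned pointer alone when udata_size is zero a comment should say so, e.g. `/* udata is allocated per instance only when udata_size != 0; do not touch it otherwise */`. The function begins before the hunk and its loop body continues past it.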
@@ -46,6 +46,8 @@ Patch28: backport-Fix-for-non-CIDR-compatible-hostmasks.patch Patch29: backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch Patch30: backport-libiptc-Fix-for-segfault-when-renaming-a-chain.patch Patch31: backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch +Patch32: backport-libxtables-Fix-memleak-of-matches-udata.patch +Patch33: backport-Fix-parsing-of-empty-string-arg-in-c-option.patch BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel @@ -354,6 +356,13 @@ fi %{_mandir}/man8/xtables-legacy* %changelog +* Tue Jun 25 2024 yanglu - 1.8.7-17 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:libxtables:Fix memleak of matches' udata + Fix parsing of empty string arg in '-c' option + * Fri Jun 14 2024 xinghe - 1.8.7-16 - Type:bugfix - CVE:NA