diff --git a/kernel.spec b/kernel.spec index fdeb682..50b492b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -636,6 +636,18 @@ Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch # https://marc.info/?l=linux-kernel&m=151307686618795 Patch502: Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch +# CVE-2017-17449 +# rhbz 1525762 1525763 +Patch503: netlink-Add-netns-check-on-taps.patch + +# CVE-2017-17450 +# rhbz 1525761 1525764 +Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch + +# CVE-2017-17448 +# rhbz 1525768 1525769 +Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch + # 600 - Patches for improved Bay and Cherry Trail device support # Below patches are submitted upstream, awaiting review / merging Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch @@ -2214,6 +2226,12 @@ fi # # %changelog +* Thu Dec 14 2017 Jeremy Cline - 4.14.6-300 +- Linux v4.14.6 +- Security fix for CVE-2017-17449 (rhbz 1525762 1525763) +- Security fix for CVE-2017-17450 (rhbz 1525761 1525764) +- Security fix for CVE-2017-17448 (rhbz 1525768 1525769) + * Wed Dec 13 2017 Jeremy Cline - Fix CVE-2017-17558 (rhbz 1525474 1525476) - Revert exec: avoid RLIMIT_STACK races with prlimit() diff --git a/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch b/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch new file mode 100644 index 0000000..d7d795d --- /dev/null +++ b/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch @@ -0,0 +1,78 @@ +From 56ae5f7c9230c0aa474eef638cf9bf8ae6a79ab1 Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee +Date: Sun, 3 Dec 2017 12:12:45 -0800 +Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission + checks + +The capability check in nfnetlink_rcv() verifies that the caller +has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. +However, nfnl_cthelper_list is shared by all net namespaces on the +system. An unprivileged user can create user and net namespaces +in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() +check: + + $ nfct helper list + nfct v1.4.4: netlink error: Operation not permitted + $ vpnns -- nfct helper list + { + .name = ftp, + .queuenum = 0, + .l3protonum = 2, + .l4protonum = 6, + .priv_data_len = 24, + .status = enabled, + }; + +Add capable() checks in nfnetlink_cthelper, as this is cleaner than +trying to generalize the solution. + +Signed-off-by: Kevin Cernekee +--- + net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 41628b393673..d33ce6d5ebce 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, + struct nfnl_cthelper *nlcth; + int ret = 0; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) + return -EINVAL; + +@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, + struct nfnl_cthelper *nlcth; + bool tuple_set = false; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (nlh->nlmsg_flags & NLM_F_DUMP) { + struct netlink_dump_control c = { + .dump = nfnl_cthelper_dump_table, +@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, + struct nfnl_cthelper *nlcth, *n; + int j = 0, ret; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (tb[NFCTH_NAME]) + helper_name = nla_data(tb[NFCTH_NAME]); + +-- +2.14.3 + diff --git a/netfilter-xt_osf-Add-missing-permission-checks.patch b/netfilter-xt_osf-Add-missing-permission-checks.patch new file mode 100644 index 0000000..80cd608 --- /dev/null +++ b/netfilter-xt_osf-Add-missing-permission-checks.patch @@ -0,0 +1,59 @@ +From 2af0d441c8b1151a5d8bb46ec9c58ab575fe7d6f Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee +Date: Tue, 5 Dec 2017 15:42:41 -0800 +Subject: [PATCH] netfilter: xt_osf: Add missing permission checks + +The capability check in nfnetlink_rcv() verifies that the caller +has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. +However, xt_osf_fingers is shared by all net namespaces on the +system. An unprivileged user can create user and net namespaces +in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() +check: + + vpnns -- nfnl_osf -f /tmp/pf.os + + vpnns -- nfnl_osf -f /tmp/pf.os -d + +These non-root operations successfully modify the systemwide OS +fingerprint list. Add new capable() checks so that they can't. + +Signed-off-by: Kevin Cernekee +--- + net/netfilter/xt_osf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c +index 36e14b1f061d..a34f314a8c23 100644 +--- a/net/netfilter/xt_osf.c ++++ b/net/netfilter/xt_osf.c +@@ -19,6 +19,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl, + struct xt_osf_finger *kf = NULL, *sf; + int err = 0; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (!osf_attrs[OSF_ATTR_FINGER]) + return -EINVAL; + +@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl, + struct xt_osf_finger *sf; + int err = -ENOENT; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (!osf_attrs[OSF_ATTR_FINGER]) + return -EINVAL; + +-- +2.14.3 + diff --git a/netlink-Add-netns-check-on-taps.patch b/netlink-Add-netns-check-on-taps.patch new file mode 100644 index 0000000..8595cf8 --- /dev/null +++ b/netlink-Add-netns-check-on-taps.patch @@ -0,0 +1,42 @@ +From 5af86b090e2f17b97c02d0bf9098f6edc3195935 Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee +Date: Wed, 6 Dec 2017 12:12:27 -0800 +Subject: [PATCH] netlink: Add netns check on taps + +Currently, a nlmon link inside a child namespace can observe systemwide +netlink activity. Filter the traffic so that nlmon can only sniff +netlink messages from its own netns. + +Test case: + + vpnns -- bash -c "ip link add nlmon0 type nlmon; \ + ip link set nlmon0 up; \ + tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" & + sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \ + spi 0x1 mode transport \ + auth sha1 0x6162633132330000000000000000000000000000 \ + enc aes 0x00000000000000000000000000000000 + grep --binary abc123 /tmp/nlmon.pcap + +Signed-off-by: Kevin Cernekee +--- + net/netlink/af_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 15c99dfa3d72..aac9d68b4636 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb, + struct sock *sk = skb->sk; + int ret = -ENOMEM; + ++ if (!net_eq(dev_net(dev), sock_net(sk))) ++ return 0; ++ + dev_hold(dev); + + if (is_vmalloc_addr(skb->head)) +-- +2.14.3 + diff --git a/sources b/sources index c3b125f..7607408 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8 -SHA512 (patch-4.14.5.xz) = 45a6adcc928babe53dd55a444aaae6280f57f844508a9799aada9f70b9fd6160b92b710986810c422ec3a20740f582acb3040f6d6aa883eecb58bf4c4d5918ca +SHA512 (patch-4.14.6.xz) = c37b437f740fbb480766149ca1c6ddb5ee763b88b034b9b4eaf3ce000f299545ee19a93638d1a4161ab0c76ec73e1a53b2264b94213d53d6ad7dcda6bee45b8c