[linux] 05/11: drop bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch

Fri Feb 2 15:17:07 UTC 2018

This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch stretch
in repository linux.

commit 8cb78fb501cbea05d2aed9819f85908e031105c3
Author: Yves-Alexis Perez <corsac at corsac.net>
Date:   Thu Feb 1 21:21:59 2018 +0100

    drop bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
---
 debian/changelog                                   |  1 +
 ...lter-xt_osf-add-missing-permission-checks.patch | 56 ----------------------
 debian/patches/series                              |  1 -
 3 files changed, 1 insertion(+), 57 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 68fb2b0..266331c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -861,6 +861,7 @@ linux (4.9.79-1) UNRELEASED; urgency=medium
     - bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
     - bugfix/all/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-i.patch
     - bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
+    - bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
   * bpf: avoid ABI change in 4.9.77.
   * Ignore ABI change for cpu_tlbstate (symbol not exported _GPL anymore)
   * sched/rt: Avoid ABI change in 4.9.66.
diff --git a/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
deleted file mode 100644
index 2c02d59..0000000
--- a/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Kevin Cernekee <cernekee at chromium.org>
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: netfilter: xt_osf: Add missing permission checks
-Origin: https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17450
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-    vpnns -- nfnl_osf -f /tmp/pf.os
-
-    vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the systemwide OS
-fingerprint list.  Add new capable() checks so that they can't.
-
-Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
----
- net/netfilter/xt_osf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/net/netfilter/xt_osf.c
-+++ b/net/netfilter/xt_osf.c
-@@ -19,6 +19,7 @@
- #include <linux/module.h>
- #include <linux/kernel.h>
- 
-+#include <linux/capability.h>
- #include <linux/if.h>
- #include <linux/inetdevice.h>
- #include <linux/ip.h>
-@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct ne
- 	struct xt_osf_finger *kf = NULL, *sf;
- 	int err = 0;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!osf_attrs[OSF_ATTR_FINGER])
- 		return -EINVAL;
- 
-@@ -113,6 +117,9 @@ static int xt_osf_remove_callback(struct
- 	struct xt_osf_finger *sf;
- 	int err = -ENOENT;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!osf_attrs[OSF_ATTR_FINGER])
- 		return -EINVAL;
- 
diff --git a/debian/patches/series b/debian/patches/series
index 2369877..96fd06e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -138,7 +138,6 @@ bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
 bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
-bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
 bugfix/all/nfsd-auth-Fix-gid-sorting-when-rootsquash-enabled.patch
 
 # Fix exported symbol versions

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

