!10 fix CVE-2019-11360

Merge pull request !10 from Vchanger/master
2020-04-16 11:40:56 +08:00 · 2020-04-16 11:40:56 +08:00 · 450380b2a7
commit 450380b2a7
parent 82f68d5a8e 8f794e0664
2 changed files with 121 additions and 1 deletions
--- a/CVE-2019-11360.patch
+++ b/CVE-2019-11360.patch
@ -0,0 +1,113 @@
+From da800103668f256f11d88851fa9ea9faf298b760 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 22 Apr 2019 23:17:27 +0200
+Subject: [PATCH] xshared: check for maximum buffer length in
+ add_param_to_argv()
+
+Bail out if we go over the boundary, based on patch from Sebastian.
+
+Reported-by: Sebastian Neef <contact@0day.work>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index b16f5fa..b0ca8e6 100644
+--- a/iptables/xshared.c
+++ b/iptables/xshared.c
+@@ -433,10 +433,24 @@ void save_argv(void)
+ 	}
+ }
+ 
+struct xt_param_buf {
+	char	buffer[1024];
+	int 	len;
+};
+
+static void add_param(struct xt_param_buf *param, const char *curchar)
+{
+	param->buffer[param->len++] = *curchar;
+	if (param->len >= sizeof(param->buffer))
+		xtables_error(PARAMETER_PROBLEM,
+			      "Parameter too long!");
+}
+
+ void add_param_to_argv(char *parsestart, int line)
+ {
+-	int quote_open = 0, escaped = 0, param_len = 0;
+-	char param_buffer[1024], *curchar;
+	int quote_open = 0, escaped = 0;
+	struct xt_param_buf param = {};
+	char *curchar;
+ 
+ 	/* After fighting with strtok enough, here's now
+ 	 * a 'real' parser. According to Rusty I'm now no
+@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
+ 	for (curchar = parsestart; *curchar; curchar++) {
+ 		if (quote_open) {
+ 			if (escaped) {
+-				param_buffer[param_len++] = *curchar;
+				add_param(&param, curchar);
+ 				escaped = 0;
+ 				continue;
+ 			} else if (*curchar == '\\') {
+@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
+ 				quote_open = 0;
+ 				*curchar = '"';
+ 			} else {
+-				param_buffer[param_len++] = *curchar;
+				add_param(&param, curchar);
+ 				continue;
+ 			}
+ 		} else {
+@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
+ 		case ' ':
+ 		case '\t':
+ 		case '\n':
+-			if (!param_len) {
+			if (!param.len) {
+ 				/* two spaces? */
+ 				continue;
+ 			}
+ 			break;
+ 		default:
+ 			/* regular character, copy to buffer */
+-			param_buffer[param_len++] = *curchar;
+-
+-			if (param_len >= sizeof(param_buffer))
+-				xtables_error(PARAMETER_PROBLEM,
+-					      "Parameter too long!");
+			add_param(&param, curchar);
+ 			continue;
+ 		}
+ 
+-		param_buffer[param_len] = '\0';
+		param.buffer[param.len] = '\0';
+ 
+ 		/* check if table name specified */
+-		if ((param_buffer[0] == '-' &&
+-		     param_buffer[1] != '-' &&
+-		     strchr(param_buffer, 't')) ||
+-		    (!strncmp(param_buffer, "--t", 3) &&
+-		     !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
+		if ((param.buffer[0] == '-' &&
+		     param.buffer[1] != '-' &&
+		     strchr(param.buffer, 't')) ||
+		    (!strncmp(param.buffer, "--t", 3) &&
+		     !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
+ 			xtables_error(PARAMETER_PROBLEM,
+ 				      "The -t option (seen in line %u) cannot be used in %s.\n",
+ 				      line, xt_params->program_name);
+ 		}
+ 
+-		add_argv(param_buffer, 0);
+-		param_len = 0;
+		add_argv(param.buffer, 0);
+		param.len = 0;
+ 	}
+ }
+ 
+-- 
+1.8.3.1
+
--- a/iptables.spec
+++ b/iptables.spec
@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name:		  iptables
 Version:	  1.8.1
-Release:	  4
+Release:	  5
 Summary:	  IP packet filter administration utilities
 License:	  GPLv2 and Artistic Licence 2.0 and ISC
 URL:		  https://www.netfilter.org/
@ -14,6 +14,7 @@ Source4:          sysconfig_iptables
 Source5:          sysconfig_ip6tables

 Patch1:           iptables-apply-Use-mktemp-instead-of-tempfile.patch 
+Patch2:           CVE-2019-11360.patch

 BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd git
 BuildRequires:    libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@ -248,6 +249,12 @@ fi
 %{_mandir}/*

 %changelog
+* Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 1.8.1-5
+- Type:cves
+- ID:CVE-2019-11360
+- SUG:restart
+- DESC:fix CVE-2019-11360
+
 * Sat Jan 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-4
 - add executable permissions to iptables.init