Description: netfilter IPT_SO_SET_REPLACE memory corruption
References:
 https://code.google.com/p/google-security-research/issues/detail?id=758
 https://patchwork.ozlabs.org/patch/595575/
 https://patchwork.ozlabs.org/patch/599721/
 http://marc.info/?l=netfilter-devel&m=145757134822741&w=2
 https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=bdf533de6968e9686df777dc178486f600c6e617
 https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
Notes:
 carnil> Can be triggered by an unprivileged user on PF_INET sockets when
 carnil> unprivileged user namespaces are available (CONFIG_USER_NS=y)
 bwh> The upstream fixes (in davem/net.git) are the last two listed above
Bugs:
upstream: released (4.6-rc2) [bdf533de6968e9686df777dc178486f600c6e617, 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91]
3.16-upstream-stable: released (3.16.35) [netfilter-x_tables-validate-e-target_offset-early.patch, netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch]
3.2-upstream-stable: released (3.2.80) [netfilter-x_tables-validate-e-target_offset-early.patch, netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch]
sid: released (4.5.1-1) [bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch, bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch]
3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch, bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch]
3.2-wheezy-security: released (3.2.81-1)