path: root/retired/CVE-2016-7917
Description:
 The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does
 not check whether a batch message's length field is large enough, which allows local users to
 obtain sensitive information from kernel memory or cause a denial of service (infinite loop or
 out-of-bounds read) by leveraging the CAP_NET_ADMIN capability. 
References:
 http://source.android.com/security/bulletin/2016-11-01.html
Notes:
 carnil> Introduced in 3.19-rc5 with 9ea2aa8b7dba9e99544c4187cc298face254569f but needs double
 carnil> check if backported.
 bwh> It was backported to 3.16-stable as commit d922a1cee45e (among other
 bwh> stable branches)
Bugs:
upstream: released (4.5-rc6) [c58d6c93680f28ac58984af61d0a7ebf4319c241]
3.16-upstream-stable: released (3.16.40) [netfilter-nfnetlink-correctly-validate-length-of-batch-messages.patch]
3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.5.1-1)
3.16-jessie-security: released (3.16.39-1) [bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch]
3.2-wheezy-security: N/A "Vulnerable code not present"
