Bug 1227376

Summary: VUL-0: CVE-2024-6284: tailscale: google/nftables: incorrect IP address encoded bytes may lead to unwanted behavior
Product: [openSUSE] openSUSE Tumbleweed Reporter: Thomas Leroy <thomas.leroy>
Component: SecurityAssignee: Alexandre Vicenzi <alexandre.vicenzi>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team, smash_bz, thomas.leroy
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/412835/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1227375    

Description Thomas Leroy 2024-07-04 08:11:01 UTC 
+++ This bug was initially created as a clone of Bug #1227375 +++

In  https://github.com/google/nftables  IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which does not work as intended (might block or not block the desired addresses).

This issue affects:  https://pkg.go.dev/github.com/google/nftables@v0.1.0 

The bug was fixed in the next released version:  https://pkg.go.dev/github.com/google/nftables@v0.2.0

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6284
https://www.cve.org/CVERecord?id=CVE-2024-6284
https://bugs.launchpad.net/ubuntu/+source/crowdsec-firewall-bouncer/+bug/2069596
https://github.com/crowdsecurity/cs-firewall-bouncer/issues/368
https://github.com/google/nftables/issues/225
https://bugzilla.redhat.com/show_bug.cgi?id=2295699
Comment 1 Thomas Leroy 2024-07-04 08:12:51 UTC 
If [0] is correct, openSUSE:Factory/tailscale is affected since it uses github.com/google/nftables v0.1.1-0.20230115205135-9aa6fdf5a28c

[0] https://bugzilla.suse.com/show_bug.cgi?id=1227375#c2
Comment 2 Alexandre Vicenzi 2024-07-12 08:57:38 UTC 
(In reply to Thomas Leroy from comment #1)
> If [0] is correct, openSUSE:Factory/tailscale is affected since it uses
> github.com/google/nftables v0.1.1-0.20230115205135-9aa6fdf5a28c
> 
> [0] https://bugzilla.suse.com/show_bug.cgi?id=1227375#c2

Factory Tailscale version is 1.68.2, the version of github.com/google/nftables is v0.2.1-0.20240414091927-5e242ec57806.

The package bump can be traced to 1.66 in https://github.com/tailscale/tailscale/commit/3ef7f895c88367ed9c5940bb7504b38e9258a5b4.

Version 1.66.1 was added to Factory over 2 months ago by https://build.opensuse.org/request/show/1173205.