Bug 860835 (CVE-2014-1690)

Summary: VUL-0: CVE-2014-1690: kernel: netfilter: nf_nat: leakage of uninitialized buffer in IRC NAT helper
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bpoirier, jbohac, jsegitz, mhocko, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Sebastian Krahmer 2014-01-29 07:29:24 UTC
Via OSS-sec:

A Linux kernel built with NetFilter Connection Tracking (NF_CONNTRACK)
support for the IRC protocol (NF_NAT_IRC) is vulnerable to an information leakage
flaw. It could occur when communicating over a direct client-to-client IRC
connection (/dcc) via a NAT-ed network. The kernel attempts to mangle the IRC TCP
packet's content, wherein an uninitialised 'buffer' object is copied to a
socket buffer and sent over to the other end of the connection.

Upstream fix:
  -> https://git.kernel.org/linus/2690d97ade05c5325cbf7c72b94b90d265659886

  -> https://bugzilla.redhat.com/show_bug.cgi?id=1058748
Comment 2 Swamp Workflow Management 2014-01-29 23:00:12 UTC
bugbot adjusting priority
Comment 3 Michal Hocko 2014-05-06 08:32:44 UTC
This doesn't apply to 11sp1 even when I used @net/netfilter/nf_nat_irc.c@net/netfilter/nf_conntrack_irc.c@g

I do not think this is critical at all, but could somebody more familiar with the code help me, please? Jiri? Benjamin?
Comment 4 Benjamin Poirier 2014-05-08 00:15:29 UTC
The only part that is required to fix the security bug is to reinsert
snprintf(buffer, ...);
using the original "ip" var or the reworked one.

Since the problem was introduced in v3.7, SLE11-SP* branches don't need any


Introduced in v3.7-rc1 by
5901b6b netfilter: nf_nat: support IPv6 in IRC NAT helper
Fixed in v3.13-rc8 by
2690d97 netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper

SLE11-SP2-LTSS : 3.0.101
SLE11-SP3 : 3.0.101
	not affected
SLE12 : 3.12.18
	already fixed in stable v3.12.8 by 6aeebff
openSUSE-12.3 : 3.7.10
openSUSE-13.1 : 3.11.10
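The following userspace C model is an added illustration of the bug quoted in comment 1 and of the fix outlined in comment 4; it is written for this page and is not the kernel's own code from net/netfilter/nf_nat_irc.c. The DCC messages, the NAT addresses and ports, the helper names (find_dcc_addr_port, splice_payload, nat_mangle_dcc, nat_mangle_dcc_buggy) and the "stale" seed are all constructed for illustration; the buffer is sized like the helper's stack buffer (an assumption here). The buggy function reproduces the shape that existed between v3.7-rc1 and v3.13-rc7: the stack buffer is declared but never formatted, and strlen() of it decides how many bytes get spliced into the packet. The fixed function reproduces the shape of 2690d97: snprintf() bounded by sizeof(buffer), with its return value used as the length.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match the helper's stack buffer: "4294967296 65635" plus NUL. */
#define DCC_BUF_SZ sizeof("4294967296 65635")

/* Constructed stand-in for the conntrack helper's parser: locate the
 * "<addr> <port>" span after "DCC <cmd> <arg> " in a CTCP message.
 * Returns 0 and sets *off/*len on success, -1 otherwise. */
static int find_dcc_addr_port(const char *msg, size_t *off, size_t *len)
{
    const char *p = strstr(msg, "DCC ");
    const char *q;
    if (!p) return -1;
    p += 4;
    if (!(p = strchr(p, ' '))) return -1;            /* skip command (SEND, CHAT, ...) */
    p++;
    if (!(p = strchr(p, ' '))) return -1;            /* skip filename or "chat" */
    p++;
    if (!(q = strchr(p, ' '))) return -1;            /* end of decimal address */
    if (!(q = strpbrk(q + 1, " \001"))) return -1;   /* end of port (space or CTCP \1) */
    *off = (size_t)(p - msg);
    *len = (size_t)(q - p);
    return 0;
}

/* Stand-in for nf_nat_mangle_tcp_packet(): replace msg[off, off+matchlen)
 * with rep[0, replen). Returns the new length, or -1 if it does not fit. */
static int splice_payload(const char *msg, size_t off, size_t matchlen,
                          const char *rep, size_t replen, char *out, size_t outsz)
{
    size_t msglen = strlen(msg);
    size_t newlen = msglen - matchlen + replen;
    if (off + matchlen > msglen || newlen + 1 > outsz) return -1;
    memcpy(out, msg, off);
    memcpy(out + off, rep, replen);
    memcpy(out + off + replen, msg + off + matchlen, msglen - off - matchlen);
    out[newlen] = '\0';
    return (int)newlen;
}

/* Shape of the bug: `buffer` is declared but never formatted, yet strlen(buffer)
 * bytes of it are spliced into the packet. In the kernel those bytes are
 * whatever the stack frame held; here `stale` seeds the buffer so the demo is
 * deterministic instead of undefined behaviour. */
int nat_mangle_dcc_buggy(const char *msg, uint32_t newaddr, uint16_t newport,
                         const char *stale, char *out, size_t outsz)
{
    char buffer[DCC_BUF_SZ];
    size_t off, len, buflen;
    (void)newaddr; (void)newport;                    /* never written: the bug */
    memset(buffer, 0, sizeof(buffer));
    memcpy(buffer, stale, strnlen(stale, sizeof(buffer)));
    if (find_dcc_addr_port(msg, &off, &len)) return -1;
    buflen = strnlen(buffer, sizeof(buffer));        /* kernel used strlen() */
    return splice_payload(msg, off, len, buffer, buflen, out, outsz);
}

/* Shape of the fix: format the replacement with snprintf() bounded by
 * sizeof(buffer) and use its return value as the length to splice. */
int nat_mangle_dcc(const char *msg, uint32_t newaddr, uint16_t newport,
                   char *out, size_t outsz)
{
    char buffer[DCC_BUF_SZ];
    size_t off, len;
    int buflen;
    if (find_dcc_addr_port(msg, &off, &len)) return -1;
    buflen = snprintf(buffer, sizeof(buffer), "%" PRIu32 " %u",
                      newaddr, (unsigned)newport);
    if (buflen < 0 || (size_t)buflen >= sizeof(buffer)) return -1;
    return splice_payload(msg, off, len, buffer, (size_t)buflen, out, outsz);
}

int main(void)
{
    /* Constructed DCC SEND: private 192.168.1.1 = 3232235777, port 6667. */
    const char *msg = "\001DCC SEND file 3232235777 6667 1024\001\n";
    char out[128];
    /* NAT rewrites to public 203.0.113.5 = 3405803781, mapped port 40000. */
    if (nat_mangle_dcc(msg, 3405803781u, 40000, out, sizeof(out)) > 0)
        printf("fixed : %s", out);
    if (nat_mangle_dcc_buggy(msg, 3405803781u, 40000, "STALE-STACK-BYTES",
                             out, sizeof(out)) > 0)
        printf("buggy : %s", out);
    return 0;
}
```

The buggy path forwards whatever was in the frame to the peer on the other side of the NAT, which is the leak; the fixed path forwards exactly the formatted "addr port" text, or fails closed if it would not fit. When checking a backport, the thing to confirm is that the buffer is assigned (snprintf with its return value, or sprintf followed by strlen) before the mangle call; a buffer declaration followed only by strlen() is the vulnerable shape.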
Comment 5 Johannes Segitz 2014-05-08 14:33:52 UTC
sounds good, thank you for the informative post. Closing
Comment 6 Swamp Workflow Management 2014-05-19 12:07:38 UTC
openSUSE-SU-2014:0677-1: An update that solves 16 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 733022,811746,833968,837111,851426,852652,852967,858233,858638,858869,858870,858872,860835,862145,863335,864025,866102,868653,869414,869898,871148,871252,871325,873717,875690,875798
CVE References: CVE-2013-4254,CVE-2013-4579,CVE-2013-6885,CVE-2014-0101,CVE-2014-0196,CVE-2014-0691,CVE-2014-1438,CVE-2014-1444,CVE-2014-1445,CVE-2014-1446,CVE-2014-1690,CVE-2014-1737,CVE-2014-1738,CVE-2014-1874,CVE-2014-2523,CVE-2014-2672
Sources used:
openSUSE 12.3 (src):    kernel-docs-3.7.10-1.32.2, kernel-source-3.7.10-1.32.1, kernel-syms-3.7.10-1.32.1
Comment 7 Swamp Workflow Management 2014-05-19 12:15:49 UTC
openSUSE-SU-2014:0678-1: An update that solves 17 vulnerabilities and has 23 fixes is now available.

Category: security (important)
Bug References: 639379,812592,81660,821619,833968,842553,849334,851244,851426,852656,852967,853350,856760,857643,858638,858872,859342,860502,860835,861750,862746,863235,863335,864025,864867,865075,866075,866102,867718,868653,869414,871148,871160,871252,871325,875440,875690,875798,876531,876699
CVE References: CVE-2013-4579,CVE-2013-6885,CVE-2013-7263,CVE-2013-7264,CVE-2013-7265,CVE-2013-7281,CVE-2014-0069,CVE-2014-0101,CVE-2014-0196,CVE-2014-1438,CVE-2014-1446,CVE-2014-1690,CVE-2014-1737,CVE-2014-1738,CVE-2014-1874,CVE-2014-2523,CVE-2014-2672
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.7.1, crash-7.0.2-2.7.1, hdjmod-1.28-16.7.1, ipset-6.19-2.7.1, iscsitarget-, kernel-docs-3.11.10-11.3, kernel-source-3.11.10-11.1, kernel-syms-3.11.10-11.1, ndiswrapper-1.58-7.1, openvswitch-1.11.0-0.25.1, pcfclock-0.44-258.7.1, virtualbox-4.2.18-2.12.1, xen-4.3.2_01-15.1, xtables-addons-2.3-2.7.1