Bugzilla – Bug 860835
VUL-0: CVE-2014-1690: kernel: netfilter: nf_nat: leakage of uninitialized buffer in IRC NAT helper
Last modified: 2015-02-19 01:47:38 UTC
OSS:11935 References: https://bugzilla.redhat.com/show_bug.cgi?id=1058748 http://comments.gmane.org/gmane.comp.security.oss.general/11935
Via OSS-sec:

Linux kernel built with the NetFilter Connection Tracking (NF_CONNTRACK) support for IRC protocol (NF_NAT_IRC) is vulnerable to an information leakage flaw. It could occur when communicating over direct client-to-client IRC connection (/dcc) via a NAT-ed network. The kernel attempts to mangle IRC TCP packet's content, wherein an uninitialised 'buffer' object is copied to a socket buffer and sent over to the other end of a connection.

Upstream fix:
-------------
-> https://git.kernel.org/linus/2690d97ade05c5325cbf7c72b94b90d265659886

Reference:
----------
-> https://bugzilla.redhat.com/show_bug.cgi?id=1058748
bugbot adjusting priority
This doesn't apply to 11sp1 even when I used @net/netfilter/nf_nat_irc.c@net/netfilter/nf_conntrack_irc.c@g I do not think this would be any critical but could somebody more familiar with the code help me, please? Jiri? Benjamin?
The only part that is required to fix the security bug is to reinsert snprintf(buffer, ...); using the original "ip" var or the reworked one. Since the problem was introduced in v3.7, SLE11-SP* branches don't need any fixing.

---

Introduced in v3.7-rc1 by 5901b6b netfilter: nf_nat: support IPv6 in IRC NAT helper
Fixed in v3.13-rc8 by 2690d97 netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper

SLE11-SP1-LTSS : 2.6.32.59  not affected
SLE11-SP2-LTSS : 3.0.101    not affected
SLE11-SP3      : 3.0.101    not affected
SLE12          : 3.12.18    already fixed in stable v3.12.8 by 6aeebff
openSUSE-12.3  : 3.7.10     applied patches.fixes/netfilter-nf_nat-fix-access-to-uninitialized-buffer-.patch
openSUSE-13.1  : 3.11.10    applied patches.fixes/netfilter-nf_nat-fix-access-to-uninitialized-buffer-.patch
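A user-space model of the flaw discussed in the comments above, added here as an example; it is not code from this bug report or from the kernel's nf_nat_irc.c. It keeps the shape of the helper's DCC rewrite: the NAT-ed "<addr> <port>" text is formatted into a small fixed-size buffer and spliced into the packet in place of the client's original address and port. With fill_buffer == 0 the snprintf() is left out, which is what the v3.7 IPv6 rework did by accident, so whatever the buffer already holds is copied into the packet; with fill_buffer == 1 the snprintf() is back, as in the upstream fix. The function names (dcc_find_addr_port, dcc_mangle, dcc_demo), the DCC CHAT payload and the "staledata" contents are constructed for this example. The caller pre-fills the buffer to stand in for whatever the kernel stack slot held before the call, because reading a genuinely uninitialised buffer in user space is undefined behaviour and would not reproduce deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same bound the kernel helper uses for the replacement text "<addr> <port>". */
#define DCC_BUFSZ sizeof("4294967296 65635")

/*
 * Locate the "<addr> <port>" span of a DCC command such as
 * "\001DCC CHAT chat 2130706433 6667\001" (constructed input for this
 * example). matchoff/matchlen follow the naming used in the kernel helper.
 * Returns 1 on success, 0 if the payload does not look like a DCC request.
 */
static int dcc_find_addr_port(const char *payload, size_t *matchoff, size_t *matchlen)
{
    const char *p = strstr(payload, "DCC ");
    if (!p)
        return 0;
    p += 4;
    /* skip the command (CHAT/SEND) and its argument (chat name / file name) */
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ' ');
        if (!p)
            return 0;
        p++;
    }
    const char *start = p;
    while (*p >= '0' && *p <= '9')          /* decimal IPv4 address */
        p++;
    if (p == start || *p != ' ')
        return 0;
    const char *portstart = ++p;
    while (*p >= '0' && *p <= '9')          /* decimal port */
        p++;
    if (p == portstart)
        return 0;
    *matchoff = (size_t)(start - payload);
    *matchlen = (size_t)(p - start);
    return 1;
}

/*
 * Splice the NAT-ed "<ip> <port>" text into the packet in place of the
 * original address/port. `buffer` stands in for the helper's stack buffer
 * and arrives pre-filled so the example can show what the slot happened to
 * contain. With fill_buffer == 0 the snprintf() is skipped, as in
 * v3.7..v3.12 before commit 2690d97, and the stale bytes go out instead.
 * Returns 0 on success, -1 on a malformed payload or insufficient outlen.
 */
int dcc_mangle(const char *payload, char *buffer, int fill_buffer,
               uint32_t ip, uint16_t port, char *out, size_t outlen)
{
    size_t off, len;

    if (!dcc_find_addr_port(payload, &off, &len))
        return -1;
    if (fill_buffer)
        snprintf(buffer, DCC_BUFSZ, "%u %u", (unsigned)ip, (unsigned)port);

    /* The kernel code used strlen(buffer); bound the scan here so the model
       cannot over-read if the stale content carries no terminator. */
    const char *nul = memchr(buffer, '\0', DCC_BUFSZ);
    size_t blen = nul ? (size_t)(nul - buffer) : DCC_BUFSZ;
    size_t plen = strlen(payload);
    if (plen - len + blen + 1 > outlen)
        return -1;
    memcpy(out, payload, off);
    memcpy(out + off, buffer, blen);
    memcpy(out + off + blen, payload + off + len, plen - off - len + 1); /* incl. NUL */
    return 0;
}

/* One rewrite of a constructed DCC CHAT request (127.0.0.1:6667) to
   192.168.1.1:1234, with "staledata" standing in for leftover stack bytes.
   Returns the mangled payload, or NULL on error. */
const char *dcc_demo(int fill_buffer)
{
    static char out[128];
    char buffer[DCC_BUFSZ];

    strcpy(buffer, "staledata");
    if (dcc_mangle("\001DCC CHAT chat 2130706433 6667\001", buffer, fill_buffer,
                   0xC0A80101u, 1234, out, sizeof out) != 0)
        return NULL;
    return out;
}

int main(void)
{
    printf("vulnerable: %s\n", dcc_demo(0) + 1);  /* stale bytes reach the peer */
    printf("fixed:      %s\n", dcc_demo(1) + 1);  /* 3232235777 1234 */
    return 0;
}
```

In the real helper the leaked bytes are whatever earlier kernel code left in that stack slot, so the content varies from packet to packet; the peer on the other side of the DCC connection receives them in place of the expected "addr port" text. The whole fix is the one snprintf() call, which is why the comment above notes that either the original "ip" variable or the reworked one will do.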
sounds good, thank you for the informative post. Closing
openSUSE-SU-2014:0677-1: An update that solves 16 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 733022,811746,833968,837111,851426,852652,852967,858233,858638,858869,858870,858872,860835,862145,863335,864025,866102,868653,869414,869898,871148,871252,871325,873717,875690,875798
CVE References: CVE-2013-4254,CVE-2013-4579,CVE-2013-6885,CVE-2014-0101,CVE-2014-0196,CVE-2014-0691,CVE-2014-1438,CVE-2014-1444,CVE-2014-1445,CVE-2014-1446,CVE-2014-1690,CVE-2014-1737,CVE-2014-1738,CVE-2014-1874,CVE-2014-2523,CVE-2014-2672
Sources used:
openSUSE 12.3 (src): kernel-docs-3.7.10-1.32.2, kernel-source-3.7.10-1.32.1, kernel-syms-3.7.10-1.32.1
openSUSE-SU-2014:0678-1: An update that solves 17 vulnerabilities and has 23 fixes is now available.

Category: security (important)
Bug References: 639379,812592,81660,821619,833968,842553,849334,851244,851426,852656,852967,853350,856760,857643,858638,858872,859342,860502,860835,861750,862746,863235,863335,864025,864867,865075,866075,866102,867718,868653,869414,871148,871160,871252,871325,875440,875690,875798,876531,876699
CVE References: CVE-2013-4579,CVE-2013-6885,CVE-2013-7263,CVE-2013-7264,CVE-2013-7265,CVE-2013-7281,CVE-2014-0069,CVE-2014-0101,CVE-2014-0196,CVE-2014-1438,CVE-2014-1446,CVE-2014-1690,CVE-2014-1737,CVE-2014-1738,CVE-2014-1874,CVE-2014-2523,CVE-2014-2672
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.7.1, crash-7.0.2-2.7.1, hdjmod-1.28-16.7.1, ipset-6.19-2.7.1, iscsitarget-1.4.20.3-13.7.1, kernel-docs-3.11.10-11.3, kernel-source-3.11.10-11.1, kernel-syms-3.11.10-11.1, ndiswrapper-1.58-7.1, openvswitch-1.11.0-0.25.1, pcfclock-0.44-258.7.1, virtualbox-4.2.18-2.12.1, xen-4.3.2_01-15.1, xtables-addons-2.3-2.7.1