Bug 681180 – VUL-0: CVE-2011-1170: kernel: netfilter: arp_tables: fix infoleak to userspace

Bug 681180 - (CVE-2011-1170) VUL-0: CVE-2011-1170: kernel: netfilter: arp_tables: fix infoleak to userspace

(CVE-2011-1170)
Summary:	VUL-0: CVE-2011-1170: kernel: netfilter: arp_tables: fix infoleak to userspace

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp1:42209 maint:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2011-03-21 08:55 UTC by Ludwig Nussel
Modified:	2017-03-24 07:08 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
backport for sles10sp3 (1.76 KB, patch) 2011-05-05 11:56 UTC, Michal Hocko	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ludwig Nussel 2011-03-21 08:55:49 UTC

Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2011-1170

------------------------------------------------------------------------------

From: Vasiliy Kulikov <segoon@openwall.com>

"Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first bug was introduced before the git epoch;  the second is
introduced by 6b7d31fc (v2.6.15-rc1);  the third is introduced by
6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
CAP_NET_ADMIN."
http://marc.info/?l=netfilter-devel&m=129978081009955&w=2

http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commitdiff;h=42eab94fff18cb1091d3501cd284d6bd6cc9c143

Comment 1 Michal Hocko 2011-05-05 11:56:42 UTC

Created attachment 428173 [details]
backport for sles10sp3

I have a request for this patch backport for SLES10-SP3-TD branch.
The patch should just apply cleanly to 10sp3 branch as well.

Comment 2 Marcus Meissner 2011-06-26 21:28:35 UTC

in 2.6.32.37 for sle11 sp1.

Comment 3 Marcus Meissner 2011-07-25 07:47:08 UTC

A kernel update for SUSE Linux Enterprise 11 SP1 was just released that contains/mentions this fix. The release version is 2.6.32.43-0.4.1.

Comment 4 Swamp Workflow Management 2011-07-25 10:07:45 UTC

Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (x86_64)
SLE-DESKTOP 11-SP1 (x86_64)
SLE-HAE 11-SP1 (x86_64)
SLE-SERVER 11-SP1 (x86_64)
SLES4VMWARE 11-SP1 (x86_64)

Comment 5 Swamp Workflow Management 2011-07-25 10:25:59 UTC

Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ppc64)
SLE-HAE 11-SP1 (ppc64)
SLE-SERVER 11-SP1 (ppc64)

Comment 6 Swamp Workflow Management 2011-07-25 10:35:17 UTC

Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man
Products:
SLE-DEBUGINFO 11-SP1 (s390x)
SLE-HAE 11-SP1 (s390x)
SLE-SERVER 11-SP1 (s390x)

Comment 7 Swamp Workflow Management 2011-07-25 10:44:58 UTC

Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ia64)
SLE-HAE 11-SP1 (ia64)
SLE-SERVER 11-SP1 (ia64)

Comment 8 Swamp Workflow Management 2011-07-25 10:59:19 UTC

Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (i386)
SLE-DESKTOP 11-SP1 (i386)
SLE-HAE 11-SP1 (i386)
SLE-SERVER 11-SP1 (i386)
SLES4VMWARE 11-SP1 (i386)

Comment 9 Swamp Workflow Management 2011-07-25 15:12:43 UTC

Update released for: kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)

Comment 10 Swamp Workflow Management 2011-07-25 16:13:10 UTC

Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)

Comment 11 Swamp Workflow Management 2011-07-25 17:13:27 UTC

Update released for: kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)

Comment 12 Swamp Workflow Management 2011-07-25 18:14:26 UTC

Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)

Comment 13 Swamp Workflow Management 2011-07-25 19:15:22 UTC

Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)

Comment 14 Swamp Workflow Management 2011-11-17 14:11:55 UTC

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Comment 15 Benjamin Poirier 2011-12-05 00:14:18 UTC

This CVE entry consists of three similar vulnerabilities in arp_tables:

1)
\ do_replace
        \ __do_replace
                \ try_then_request_module

Probably introduced in v2.5.7-pre2 (along with arp_tables itself)

2)
\ compat_do_replace
        \ __do_replace
                \ try_then_request_module

Introduced in v2.6.25-rc1 by d6a2ba07c31b0497fc82a8c175400ea8747da2ef
Note that this is not the same as what the upstream commit log says.

3)
\ do_arpt_get_ctl
        \ try_then_request_module

Introduced in v2.6.15-rc1 by 6b7d31fcdda5938e5d3f1f8b0922cc25aa200dfc

---

Patch-mainline: v2.6.39-rc1
Git-commit: 42eab94fff18cb1091d3501cd284d6bd6cc9c143
            netfilter: arp_tables: fix infoleak to userspace

SLES10 SP4
        2.6.16.60
        1) applied netfilter-arp_tables-fix-infoleak-to-userspace.patch
        2) N/A
        3) applied netfilter-arp_tables-fix-infoleak-to-userspace.patch
SLE11 SP1
        2.6.32.49
        already fixed in -stable v2.6.32.37 by
        bf9717776581e3000f899fd0172d1eb448ab2679
SLE11 SP2
        3.0.12
        already fixed in mainline
openSUSE 11.3
        2.6.34.10
        already fixed in -stable v2.6.34.10 by
        f1f486501fa9b401c762b2355a238cf9e7f18385
openSUSE 11.4
        2.6.37.6
        1, 2, 3) applied netfilter-arp_tables-fix-infoleak-to-userspace.patch
openSUSE 12.1
        3.1.4
        already fixed in mainline

Comment 16 Bernhard Wiedemann 2012-01-03 17:00:20 UTC

This is an autogenerated message for OBS integration:
This bug (681180) was mentioned in
https://build.opensuse.org/request/show/98667 11.4 / kernel-source

Comment 17 Swamp Workflow Management 2012-01-09 14:04:39 UTC

The SWAMPID for this issue is 44839.
This issue was rated as moderate.
Please submit fixed packages until 2012-01-23.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 18 Swamp Workflow Management 2012-01-17 11:04:53 UTC

Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-docs, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.4 (debug, i586, x86_64)

Comment 19 Swamp Workflow Management 2012-01-23 15:17:36 UTC

Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ppc)
SLE-SDK 10-SP4 (ppc)
SLE-SERVER 10-SP4 (ppc)

Comment 20 Swamp Workflow Management 2012-01-23 15:47:26 UTC

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (x86_64)
SLE-DESKTOP 10-SP4 (x86_64)
SLE-SDK 10-SP4 (x86_64)
SLE-SERVER 10-SP4 (x86_64)

Comment 21 Swamp Workflow Management 2012-01-23 16:03:40 UTC

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ia64)
SLE-SDK 10-SP4 (ia64)
SLE-SERVER 10-SP4 (ia64)

Comment 22 Marcus Meissner 2012-01-23 16:39:22 UTC

We have just released a kernel update fixing/mentioning this bug. The released kernel version is 2.6.16.60-0.93.1. (s390x: 2.6.16.60-0.95.1).

Comment 23 Swamp Workflow Management 2012-01-24 04:19:18 UTC

Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (s390x)
SLE-SERVER 10-SP4 (s390x)

Comment 24 Swamp Workflow Management 2012-01-24 05:29:23 UTC

Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386)
SLE-DESKTOP 10-SP4 (i386)
SLE-SDK 10-SP4 (i386)
SLE-SERVER 10-SP4 (i386)

Comment 25 Swamp Workflow Management 2013-11-06 14:24:31 UTC

The SWAMPID for this issue is 54954.
This issue was rated as moderate.
Please submit fixed packages until 2013-11-20.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 26 Swamp Workflow Management 2013-12-06 23:49:31 UTC

Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (s390x)
SLE-SERVER 10-SP3-LTSS (s390x)

Comment 27 Swamp Workflow Management 2013-12-07 00:09:30 UTC

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (x86_64)
SLE-SERVER 10-SP3-LTSS (x86_64)

Comment 28 Swamp Workflow Management 2013-12-07 01:43:27 UTC

Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386)
SLE-SERVER 10-SP3-LTSS (i386)