First Last Prev Next    This bug is not in your last search results.
Bug 681181 - (CVE-2011-1171) VUL-0: CVE-2011-1171: kernel: netfilter: ip_tables: fix infoleak to userspace
(CVE-2011-1171)
VUL-0: CVE-2011-1171: kernel: netfilter: ip_tables: fix infoleak to userspace
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp1:42209 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-21 08:56 UTC by Ludwig Nussel
Modified: 2017-03-24 07:09 UTC (History)
3 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
backport for sles10sp3 (1.71 KB, patch)
2011-05-05 12:04 UTC, Michal Hocko 		Details | Diff
backport for sles10sp3 (1.68 KB, patch)
2011-05-05 12:06 UTC, Michal Hocko 		Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2011-03-21 08:56:52 UTC 
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2011-1171

------------------------------------------------------------------------------

From: Vasiliy Kulikov <segoon@openwall.com>

"Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first and the third bugs were introduced before the git epoch; the
second was introduced in 2722971c (v2.6.17-rc1).  To trigger the bug
one should have CAP_NET_ADMIN."
http://marc.info/?l=linux-kernel&m=129978077609894&w=2

http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commitdiff;h=78b79876761b86653df89c48a7010b5cbd41a84a
Comment 1 Michal Hocko 2011-05-05 12:04:16 UTC 
Created attachment 428177 [details]
backport for sles10sp3

Backport for SLES10-SP3-TD branch. It can be applied on top of 10sp3 branch as well, I guess
Comment 2 Michal Hocko 2011-05-05 12:06:11 UTC 
Created attachment 428181 [details]
backport for sles10sp3

Upps, missing quilt refresh, sorry.

Backport for SLES10-SP3-TD branch. It can be applied on top of 10sp3 branch as
well, I guess
Comment 3 Marcus Meissner 2011-06-26 21:31:04 UTC 
in 2.6.32.37 for sle11 sp1.
Comment 4 Marcus Meissner 2011-07-25 07:46:59 UTC 
A kernel update for SUSE Linux Enterprise 11 SP1 was just released that contains/mentions this fix. The release version is 2.6.32.43-0.4.1.
Comment 5 Swamp Workflow Management 2011-07-25 10:07:43 UTC 
Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (x86_64)
SLE-DESKTOP 11-SP1 (x86_64)
SLE-HAE 11-SP1 (x86_64)
SLE-SERVER 11-SP1 (x86_64)
SLES4VMWARE 11-SP1 (x86_64)
Comment 6 Swamp Workflow Management 2011-07-25 10:25:54 UTC 
Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ppc64)
SLE-HAE 11-SP1 (ppc64)
SLE-SERVER 11-SP1 (ppc64)
Comment 7 Swamp Workflow Management 2011-07-25 10:35:06 UTC 
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man
Products:
SLE-DEBUGINFO 11-SP1 (s390x)
SLE-HAE 11-SP1 (s390x)
SLE-SERVER 11-SP1 (s390x)
Comment 8 Swamp Workflow Management 2011-07-25 10:44:52 UTC 
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ia64)
SLE-HAE 11-SP1 (ia64)
SLE-SERVER 11-SP1 (ia64)
Comment 9 Swamp Workflow Management 2011-07-25 10:59:15 UTC 
Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (i386)
SLE-DESKTOP 11-SP1 (i386)
SLE-HAE 11-SP1 (i386)
SLE-SERVER 11-SP1 (i386)
SLES4VMWARE 11-SP1 (i386)
Comment 10 Swamp Workflow Management 2011-07-25 15:12:37 UTC 
Update released for: kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)
Comment 11 Swamp Workflow Management 2011-07-25 16:13:05 UTC 
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)
Comment 12 Swamp Workflow Management 2011-07-25 17:13:22 UTC 
Update released for: kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)
Comment 13 Swamp Workflow Management 2011-07-25 18:14:20 UTC 
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)
Comment 14 Swamp Workflow Management 2011-07-25 19:15:16 UTC 
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)
Comment 15 Swamp Workflow Management 2011-11-17 14:11:58 UTC 
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 16 Benjamin Poirier 2011-12-05 18:41:55 UTC 
Very similar to 681180

1)
\ do_replace
        \ __do_replace
                \ try_then_request_module

goes way back, like 2.4 or earlier

2)
\ compat_do_replace
        \ __do_replace
                \ try_then_request_module

introduced in v2.6.17-rc1 by 2722971cbe831117686039d5c334f2c0f560be13

3)
\ do_ipt_get_ctl
        \ try_then_request_module

introduced in v2.6.11-rc1 by ad5188b2a68cf061b2ab9ef741cb6ab26c66e64e

---

Patch-mainline: v2.6.39-rc1
Git-commit: 78b79876761b86653df89c48a7010b5cbd41a84a
            netfilter: ip_tables: fix infoleak to userspace

SLES10 SP4
        2.6.16.60
        1) applied netfilter-ip_tables-fix-infoleak-to-userspace.patch
        2) N/A
        3) applied netfilter-ip_tables-fix-infoleak-to-userspace.patch
SLE11 SP1
        2.6.32.49
        already fixed in -stable v2.6.32.37 by
        3be5e2ffddca4470b1be87ceb2868a59a3de9206
SLE11 SP2
        3.0.12
        already fixed in mainline
openSUSE 11.3
        2.6.34.10
        already fixed in -stable v2.6.34.10 by
        1d9064bb2d8f0ea26a67b2ce74c6d1d461dcfe7d
openSUSE 11.4
        2.6.37.6
        1, 2, 3) applied netfilter-ip_tables-fix-infoleak-to-userspace.patch
openSUSE 12.1
        3.1.4
        already fixed in mainline
Comment 17 Bernhard Wiedemann 2012-01-03 17:00:26 UTC 
This is an autogenerated message for OBS integration:
This bug (681181) was mentioned in
https://build.opensuse.org/request/show/98667 11.4 / kernel-source
Comment 18 Swamp Workflow Management 2012-01-09 14:04:56 UTC 
The SWAMPID for this issue is 44839.
This issue was rated as moderate.
Please submit fixed packages until 2012-01-23.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 19 Swamp Workflow Management 2012-01-17 11:05:32 UTC 
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-docs, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 20 Swamp Workflow Management 2012-01-23 15:17:54 UTC 
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ppc)
SLE-SDK 10-SP4 (ppc)
SLE-SERVER 10-SP4 (ppc)
Comment 21 Swamp Workflow Management 2012-01-23 15:45:45 UTC 
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (x86_64)
SLE-DESKTOP 10-SP4 (x86_64)
SLE-SDK 10-SP4 (x86_64)
SLE-SERVER 10-SP4 (x86_64)
Comment 22 Swamp Workflow Management 2012-01-23 16:02:18 UTC 
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ia64)
SLE-SDK 10-SP4 (ia64)
SLE-SERVER 10-SP4 (ia64)
Comment 23 Marcus Meissner 2012-01-23 16:39:15 UTC 
We have just released a kernel update fixing/mentioning this bug. The released kernel version is 2.6.16.60-0.93.1. (s390x: 2.6.16.60-0.95.1).
Comment 24 Swamp Workflow Management 2012-01-24 04:18:56 UTC 
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (s390x)
SLE-SERVER 10-SP4 (s390x)
Comment 25 Swamp Workflow Management 2012-01-24 05:28:02 UTC 
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386)
SLE-DESKTOP 10-SP4 (i386)
SLE-SDK 10-SP4 (i386)
SLE-SERVER 10-SP4 (i386)
Comment 26 Swamp Workflow Management 2013-11-06 14:34:59 UTC 
The SWAMPID for this issue is 54954.
This issue was rated as moderate.
Please submit fixed packages until 2013-11-20.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 27 Swamp Workflow Management 2013-12-06 23:50:20 UTC 
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (s390x)
SLE-SERVER 10-SP3-LTSS (s390x)
Comment 28 Swamp Workflow Management 2013-12-07 00:09:52 UTC 
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (x86_64)
SLE-SERVER 10-SP3-LTSS (x86_64)
Comment 29 Swamp Workflow Management 2013-12-07 01:43:39 UTC 
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386)
SLE-SERVER 10-SP3-LTSS (i386)
First Last Prev Next    This bug is not in your last search results.