Bugzilla – Bug 970904
VUL-0: CVE-2016-3135: kernel-source: netfilter: size overflow in x_tables
Last modified: 2018-07-03 21:11:58 UTC
rh#1317386

An integer overflow vulnerability was found in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption.

External references:
http://seclists.org/oss-sec/2016/q1/581

Proposed fix:
http://marc.info/?l=netfilter-devel&m=145757136822750&w=2

CVE assignment:
http://seclists.org/oss-sec/2016/q1/619

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1317386
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3135
http://seclists.org/oss-sec/2016/q1/619
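The size overflow described in the report above, as an added illustration that is not code from this bug or from the kernel: it models a 32-bit size_t with uint32_t and compares an unchecked header-plus-blob size computation with one that rejects a wrapped sum. The names struct table_hdr, size32_t, alloc_size_unchecked, alloc_size_checked and shortfall are hypothetical, and the 48-byte header is a stand-in rather than the real xt_table_info layout.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t size32_t;            /* models size_t on a 32-bit kernel */

/* Hypothetical header placed in front of the user-supplied rule blob;
 * a stand-in for illustration, not the kernel's struct xt_table_info. */
struct table_hdr {
    uint32_t size;
    uint32_t number;
    uint32_t hook_entry[5];
    uint32_t underflow[5];
};
#define HDR ((size32_t)sizeof(struct table_hdr))   /* 48 bytes */

/* Unchecked: header + blob computed in 32 bits, so a huge blob wraps. */
size32_t alloc_size_unchecked(size32_t blob) {
    return HDR + blob;
}

/* Checked: a wrapped sum is always smaller than the header itself. */
int alloc_size_checked(size32_t blob, size32_t *total) {
    size32_t sz = HDR + blob;
    if (sz < HDR)
        return -1;                    /* reject instead of under-allocating */
    *total = sz;
    return 0;
}

/* Bytes the later header+blob write would need beyond the unchecked allocation. */
uint64_t shortfall(size32_t blob) {
    return ((uint64_t)HDR + blob) - alloc_size_unchecked(blob);
}

int main(void) {
    size32_t blobs[] = { 4096u, 0xFFFFFFF0u };   /* constructed sample sizes */
    for (int i = 0; i < 2; i++) {
        size32_t total = 0;
        int rc = alloc_size_checked(blobs[i], &total);
        printf("blob=%#x unchecked=%u shortfall=%llu checked=%s\n",
               (unsigned)blobs[i], (unsigned)alloc_size_unchecked(blobs[i]),
               (unsigned long long)shortfall(blobs[i]), rc ? "rejected" : "ok");
    }
    return 0;
}
```
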
bugbot adjusting priority
It's commit d157bd761585 ("netfilter: x_tables: check for size overflow"). Not in mainline yet, only in net-next (and nf-next) git tree but the id should be preserved on merge.

As far as I can see, the bug was introduced by 711bdde6a884 ("netfilter: x_tables: remove XT_TABLE_INFO_SZ and a dereference.") in 4.2-rc1. This commit hasn't been backported into our pre-4.2 branches so that only SLE12-SP2 and Factory are affected (we can put the patch into stable temporarily until stable moves to 4.6).
I checked the code again and the issue was indeed introduced by commit 711bdde6a884 in v4.2-rc1. The fix has been submitted to SLE12-SP2 and stable, other branches do not need it. Closing and reassigning back to Security Team.