[PATCH 0/5][SRU][X/B/D/E] CVE-2019-1705{2, 3, 4, 5, 6}: Missing CAP_NET_RAW checks
Tyler Hicks
tyhicks at canonical.com
Thu Oct 3 18:13:13 UTC 2019
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17052.html
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17053.html
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17054.html
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17055.html
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17056.html
It was discovered that a number of old and rarely used network
protocols allow unprivileged users to create a raw socket without
requiring CAP_NET_RAW.
Clean cherry picks to all releases. Build logs are clean.
I can provide pull requests for each release, if desired, but I think
sending the patches over email may end up being easier to apply since
all the patches can be easily git-am'ed to all of our kernels. So that
means modifying the patches with the ack's once and then git-am'ing the
same patches everywhere instead of adding the acks to each patch in each
individual pull request.
Tyler
Ori Nimron (5):
ax25: enforce CAP_NET_RAW for raw sockets
ieee802154: enforce CAP_NET_RAW for raw sockets
appletalk: enforce CAP_NET_RAW for raw sockets
mISDN: enforce CAP_NET_RAW for raw sockets
nfc: enforce CAP_NET_RAW for raw sockets
drivers/isdn/mISDN/socket.c | 2 ++
net/appletalk/ddp.c | 5 +++++
net/ax25/af_ax25.c | 2 ++
net/ieee802154/socket.c | 3 +++
net/nfc/llcp_sock.c | 7 +++++--
5 files changed, 17 insertions(+), 2 deletions(-)
--
2.17.1
More information about the kernel-team
mailing list