APPLIED[X/B/D]/cmnt: [PATCH 0/5][SRU][X/B/D/E] CVE-2019-1705{2, 3, 4, 5, 6}: Missing CAP_NET_RAW checks

Kleber Souza kleber.souza at canonical.com
Wed Oct 16 10:19:32 UTC 2019


On 03.10.19 20:13, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17052.html
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17053.html
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17054.html
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17055.html
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17056.html
> 
>  It was discovered that a number of old and rarely used network
>  protocols allow unprivileged users to create a raw socket without
>  requiring CAP_NET_RAW.
> 
> Clean cherry picks to all releases. Build logs are clean.
> 
> I can provide pull requests for each release, if desired, but I think
> sending the patches over email may end up being easier to apply since
> all the patches can be easily git-am'ed to all of our kernels. So that
> means modifying the patches with the acks once and then git-am'ing the
> same patches everywhere instead of adding the acks to each patch in each
> individual pull request.
> 
> Tyler
> 
> Ori Nimron (5):
>   ax25: enforce CAP_NET_RAW for raw sockets
>   ieee802154: enforce CAP_NET_RAW for raw sockets
>   appletalk: enforce CAP_NET_RAW for raw sockets
>   mISDN: enforce CAP_NET_RAW for raw sockets
>   nfc: enforce CAP_NET_RAW for raw sockets
> 
>  drivers/isdn/mISDN/socket.c | 2 ++
>  net/appletalk/ddp.c         | 5 +++++
>  net/ax25/af_ax25.c          | 2 ++
>  net/ieee802154/socket.c     | 3 +++
>  net/nfc/llcp_sock.c         | 7 +++++--
>  5 files changed, 17 insertions(+), 2 deletions(-)
> 


Applied to xenial and disco master-next branches.

These patches have already been applied to Bionic as part of 
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1847155
("Bionic update: upstream stable patchset 2019-10-07").


Thanks,
Kleber
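
Added example, not part of the original message or of the patch series: a small C probe that an unprivileged user can run on a patched kernel to confirm that raw-socket creation for the five families named in the cover letter is now refused. The names `has_cap_net_raw`, `classify` and `probe` are hypothetical, the EPERM expectation and protocol numbers are assumptions of this example, and calling socket() for an absent family may cause the kernel to autoload that protocol's module.

```c
/* Added example (not from the patch series): raw-socket CAP_NET_RAW probe. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict { ENFORCED, NOT_ENFORCED, UNAVAILABLE, INCONCLUSIVE };

/* Effective CAP_NET_RAW (capability bit 13) from /proc; -1 if unreadable. */
static int has_cap_net_raw(void) {
    unsigned long long eff = 0;
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &eff) == 1) break;
    fclose(f);
    return (int)((eff >> 13) & 1);
}

/* Interpret socket(2): err is 0 on success, otherwise errno.
 * Assumption: a failed capability check surfaces as EPERM. */
static enum verdict classify(int err, int privileged) {
    if (err == EPERM) return ENFORCED;
    if (err == 0) return privileged ? INCONCLUSIVE : NOT_ENFORCED;
    return UNAVAILABLE; /* e.g. EAFNOSUPPORT: protocol not built or loaded */
}

static enum verdict probe(int family, int protocol) {
    int privileged = has_cap_net_raw() != 0; /* unknown counts as privileged */
    int fd = socket(family, SOCK_RAW, protocol);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    return classify(err, privileged);
}

int main(void) {
    static const struct { const char *name; int family, protocol; } t[] = {
        {"ax25", AF_AX25, 0}, {"ieee802154", AF_IEEE802154, 0},
        {"appletalk", AF_APPLETALK, 0}, {"mISDN", AF_ISDN, 0},
        {"nfc", AF_NFC, 1 /* NFC_SOCKPROTO_LLCP */} };
    static const char *msg[] = {"enforced", "NOT enforced", "unavailable", "inconclusive"};
    int bad = 0;
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        enum verdict v = probe(t[i].family, t[i].protocol);
        printf("%-11s %s\n", t[i].name, msg[v]);
        bad |= (v == NOT_ENFORCED);
    }
    return bad; /* non-zero exit if any family let the socket through */
}
```

An "inconclusive" line means the process itself holds CAP_NET_RAW, so the check cannot fail; rerun it as an ordinary user.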


