APPLIED: [SRU][J/F/B][PATCH] Fix CVE-2022-2663 (netfilter: nf_conntrack_irc: Fix forged IP logic)
Stefan Bader
stefan.bader at canonical.com
Wed Nov 9 11:07:07 UTC 2022
On 18.10.22 21:41, John Cabaj wrote:
> [Impact]
>
> * nf_conntrac_irc can incorrectly match messages and can allow firewall bypass. Impacts Jammy, Focal, and Bionic.
>
> [Fix]
>
> * Fixing netfilter IP logic so destination is based off proper direction, in this case referencing NAT host. Also detect port 0 as forged.
>
> [Test Plan]
>
> * Compile and boot test.
>
> [Where problems could occur]
>
> * Erroneous usage of dcc_port 0 for anything other than a signal flag.
>
> David Leadbeater (1):
> netfilter: nf_conntrack_irc: Fix forged IP logic
>
> net/netfilter/nf_conntrack_irc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
Applied to jammy,focal,bionic:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20221109/cefd984b/attachment.sig>
More information about the kernel-team
mailing list