ACK: [SRU Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/1] CVE-2023-3610

Stefan Bader stefan.bader at canonical.com
Thu Aug 3 09:18:58 UTC 2023 

On 22.07.23 22:43, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. Flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
> 
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
> 
> [Test case]
> Tested with test suites that ship with following repositories:
> 
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
> 
> Test results:
> 
> - iptables/tests/run_tests.sh produced exact same results with or without the
> patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
> patch. (kinetic produces 1 fewer Failure with the patch).
> 
> [Potential regression]
> All users who use netfilter rules might be affected.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: fix chain binding transaction logic
> 
>   include/net/netfilter/nf_tables.h | 21 +++++++-
>   net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>   net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>   3 files changed, 153 insertions(+), 41 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230803/27d63add/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230803/27d63add/attachment-0001.sig>

More information about the kernel-team mailing list