ACK: [Jammy,OEM-5.17,OEM-6.0,OEM-6.1,Lunar 0/3] CVE-2023-4015
Tim Gardner
tim.gardner at canonical.com
Thu Aug 3 18:48:53 UTC 2023
On 8/3/23 12:30 PM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> Unprivileged users may use nftables to cause a use-after-free, potentially
> leading to privilege escalation.
>
> [Backport]
> This requires CVE-2023-3610 mitigations to be applied on 5.15 and later.
>
> It also requires CVE-2023-3390 mitigations to be applied on OEM-5.17 and
> OEM-6.0.
>
> A pre-requisite commit was necessary and a follow-up for it were also
> applied.
>
> CVE-2023-3610 fix, pre-req and follow-up were already applied on oem-6.1,
> thus skipped there.
>
> [Potential regression]
> nftables users may find regressions.
>
> Pablo Neira Ayuso (3):
> netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound
> set/chain
> netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
> netfilter: nf_tables: unbind non-anonymous set if rule construction
> fails
>
> include/net/netfilter/nf_tables.h | 2 ++
> net/netfilter/nf_tables_api.c | 47 ++++++++++++++++++++++++++-----
> net/netfilter/nft_immediate.c | 28 ++++++++++++------
> 3 files changed, 62 insertions(+), 15 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc
More information about the kernel-team
mailing list