Ubuntu
firewalld package

Firewall configuration can be modified by any logged in user

Bug #1617617 reported by Jeremy Bícha
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
firewalld (Debian)
Fix Released
Unknown
firewalld (Ubuntu)
Fix Released
Low
Unassigned
Xenial
Fix Released
Low
Unassigned

Bug Description

Copying from the Debian bug:

---
The following vulnerability was published for firewalld.

CVE-2016-5410[0]:
Firewall configuration can be modified by any logged in user

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5410
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1360135
[2] http://seclists.org/oss-sec/2016/q3/291
[3] https://github.com/t-woerner/firewalld/commit/0371995a58ec4c777960007b7dbee93933f760cb
---

This only affects firewalld >= 0.3.12 & < 0.4.3.3 (so trusty is not affected).

CVE References

Jeremy Bícha (jbicha)
Changed in firewalld (Ubuntu Xenial):
status: New → Confirmed
Changed in firewalld (Ubuntu):
status: New → Confirmed
Revision history for this message
Jeremy Bícha (jbicha) wrote :
Revision history for this message
Jeremy Bícha (jbicha) wrote :

The only testing I did was ensure the package still builds on xenial.

Bug Watch Updater (bug-watch-updater)
Changed in firewalld (Debian):
status: Unknown → Fix Released
Revision history for this message
Jeremy Bícha (jbicha) wrote :

This bug was fixed in the package firewalld - 0.4.3.3-1

---------------
firewalld (0.4.3.3-1) unstable; urgency=medium

  * New upstream release.
    - Fixes CVE-2016-5410: Firewall configuration can be modified by any
      logged in user. (Closes: #834529)

 -- Michael Biebl <email address hidden> Sat, 27 Aug 2016 16:00:36 +0200

Changed in firewalld (Ubuntu):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
Changed in firewalld (Ubuntu):
importance: Undecided → High
Changed in firewalld (Ubuntu Xenial):
importance: Undecided → High
Changed in firewalld (Ubuntu):
importance: High → Low
Changed in firewalld (Ubuntu Xenial):
importance: High → Low
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I believe this patch is incomplete; the debdiff appears to cover:

direct.addPassthrough
ipset.addEntry
ipset.removeEntry

direct.removePassthrough looks to be overlooked. (ipset.setEntries is also missing, but I think that feature may not exist in this version.)

Can you please investigate and re-generate the patch if needed?

Thanks

Revision history for this message
AsciiWolf (asciiwolf) wrote :

Any news?

Revision history for this message
AsciiWolf (asciiwolf) wrote :

Still not fixed in Xenial!

Revision history for this message
AsciiWolf (asciiwolf) wrote :

Still not fixed in Xenial.

Revision history for this message
Lucas Kocia (lkocia) wrote :

Almost the same patch as jbicha's, except with an additional line added to handle direct.removePassthrough as seth-arnold requested. ipset.setEntries does not appear to exist in this version.

Lucas Kocia (lkocia)
Changed in firewalld (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Lucas Kocia (lkocia) wrote :

I've subscribed ubuntu_sponsors in an effort to get this fix to the next xenial SRU release. Until then you can find the patched version on my ppa:

deb http://ppa.launchpad.net/lkocia/firewalld/ubuntu xenial main
deb-src http://ppa.launchpad.net/lkocia/firewalld/ubuntu xenial main

(Add above two lines to your /etc/apt/sources.list)

Revision history for this message
Jeremy Bícha (jbicha) wrote :

Thank you for helping to make Ubuntu better!

Since this is a proposed security update, I subscribed ubuntu-security-sponsors instead of ubuntu-sponsors.

Revision history for this message
Lucas Kocia (lkocia) wrote :

Thanks Jeremy.

Is there any movement on this from ubuntu-security-sponsors for SRU? I don't see this on their open bug subscriptions etc.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

@Lucas: you marked the bug as "Fix Released", so it's not appearing on any lists.

I'll set it back to Confirmed.

Changed in firewalld (Ubuntu Xenial):
status: Fix Released → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firewalld - 0.4.0-1ubuntu0.1

---------------
firewalld (0.4.0-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Any logged in user could modify passthrough rules
    and set ipset entries (LP: #1617617)
    - debian/patches/CVE-2016-5410.patch: Enforce appropriate PolicyKit
      authentication requirements, based on upstream 0.4.3.3 commit
    - CVE-2016-5410

 -- Lucas Kocia <email address hidden> Wed, 25 Oct 2017 21:03:52 -0400

Changed in firewalld (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Lucas, I made some small fixes to the changelog for the -security pocket and to pick a version number that would more accurately reflect the changes (there's more examples at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging ).

The update should be on the mirrors soon.

Thanks

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.