netfilter newset OOB write

Bug #1976363 reported by Thadeu Lima de Souza Cascardo
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
An unprivileged user could write out-of-bounds by using nftables under a network namespace.

[Test case]
Test the PoC available at https://seclists.org/oss-sec/2022/q2/164.

[Potential regression]
nftables could be affected.

CVE References

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.15.0-37.39

---------------
linux (5.15.0-37.39) jammy; urgency=medium

  * netfilter newset OOB write (LP: #1976363)
    - netfilter: nf_tables: sanitize nft_set_desc_concat_parse()

  * CVE-2022-1966
    - netfilter: nf_tables: disallow non-stateful expression in sets earlier

 -- Thadeu Lima de Souza Cascardo <email address hidden> Wed, 01 Jun 2022 14:49:43 -0300

Changed in linux (Ubuntu):
status: New → Fix Released
Revision history for this message
Thadeu Lima de Souza Cascardo (cascardo) wrote :

This is CVE-2022-1972.

information type: Private Security → Public Security
description: updated
summary: - upcoming update - nf oob
+ netfilter newset OOB write
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-5.15/5.15.0-1013.16~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia/5.15.0-1003.3 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-jammy
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers