Hi!

> * New CVEs
>
> CVE-2021-39636: "no details"
>
> CVSS v3 score is not provided
>
> There are no vulnerability details yet. However, there are five patches
> addressed, so the bug is in the netfilter module.
>
> f32815d ("xtables: add xt_match, xt_target and data copy_to_user
> functions"): merged in 4.11-rc1
> f77bc5b ("iptables: use match, target and data copy_to_user helpers"):
> merged in 4.11-rc1
> e47ddb2 ("ip6tables: use match, target and data copy_to_user
> helpers"): merged in 4.11-rc1
> ec23189 ("xtables: extend matches and targets with .usersize"): merged
> in 4.11-rc1
> 1e98ffe ("netfilter: x_tables: fix pointer leaks to userspace"):
> merged in 4.16-rc1. This fixes commit ec23189 ("xtables: extend
> matches and targets with .usersize") that was merged in 4.11-rc1.
>
> Fixed status
>
> mainline: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
> f77bc5b23fb1af51fc0faa8a479dea8969eb5079,
> e47ddb2c4691fd2bd8d25745ecb6848408899757,
> ec23189049651b16dc2ffab35a4371dc1f491aca,
> 1e98ffea5a8935ec040ab72299e349cb44b8defd]
> stable/4.14: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
> f77bc5b23fb1af51fc0faa8a479dea8969eb5079,
> e47ddb2c4691fd2bd8d25745ecb6848408899757,
> ec23189049651b16dc2ffab35a4371dc1f491aca,
> ad10785a706e63ff155fc97860cdcc5e3bc5992d]

Hmm. Fun. 1e98ffea5a8935ec040ab72299e349cb44b8defd may have a clue:

    This leads to kernel pointer leaks if a match/target is set and then
    read back to userspace.

So that sounds like KASLR workaround? iptables are normally limited to
privileged users, and KASLR is just a technology to make exploitation
hard. I don't think we care too much here.

> CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions
>
> CVSS v3 score is not provided
>
> Fixed status
>
> The BPF subsystem in the kernel through 4.17-rc7 has overflow bug.
>
> mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]

Fun. JITs are hard to get right. I guess "avoid BPF" and "certainly
don't allow unprivileged access to BPF" is good advice.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
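
Added example, not part of Pavel's message or of the kernel patches: a userspace C model of the pointer leak described in the sentence quoted from 1e98ffe, next to the `.usersize` bound named in ec23189. The struct, the descriptor and all function names are hypothetical, and the fallback to the full size when `usersize` is unset is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical match info: user-visible config plus a kernel-only tail. */
struct demo_match_info {
    uint32_t limit;        /* supplied by userspace, safe to return */
    uint32_t flags;        /* supplied by userspace, safe to return */
    void    *kernel_state; /* kernel-only pointer, must never be returned */
};

/* Hypothetical descriptor modelled on the matchsize/usersize pair. */
struct demo_match {
    size_t matchsize; /* full size of the info blob */
    size_t usersize;  /* bytes shared with userspace; 0 = not set */
};

/* Unbounded read-back: the whole blob is copied, tail pointer included. */
static void copy_whole(void *dst, const void *src, const struct demo_match *m)
{
    memcpy(dst, src, m->matchsize);
}

/* Bounded read-back: copy usersize bytes, zero the rest of the blob.
 * Assumption of this model: an unset usersize falls back to matchsize. */
static void copy_bounded(void *dst, const void *src, const struct demo_match *m)
{
    size_t n = m->usersize ? m->usersize : m->matchsize;
    memcpy(dst, src, n);
    memset((char *)dst + n, 0, m->matchsize - n);
}

/* Set an entry, read it back, return 1 if the kernel pointer came out. */
static int roundtrip_leaks(const struct demo_match *m, int bounded)
{
    static int kernel_object; /* constructed stand-in for a kernel allocation */
    struct demo_match_info info = { 10, 1, &kernel_object }, out;
    memset(&out, 0xAA, sizeof(out));
    if (bounded) copy_bounded(&out, &info, m); else copy_whole(&out, &info, m);
    return out.kernel_state == (void *)&kernel_object;
}

int main(void)
{
    struct demo_match m = { sizeof(struct demo_match_info), offsetof(struct demo_match_info, kernel_state) };
    printf("whole=%d bounded=%d\n", roundtrip_leaks(&m, 0), roundtrip_leaks(&m, 1));
    return 0;
}
```

In this model a descriptor whose `usersize` is left at 0 still returns the pointer through the bounded copy, so the bound only helps for matches and targets that declare it.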