commit: 30b1ce27e3082d81d6c4c5f488c1ec452f01bbab |
Author: Patrick McLean <patrick.mclean <AT> sony <DOT> com> |
AuthorDate: Thu Jan 20 19:11:25 2022 +0000 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
CommitDate: Thu Jan 20 19:12:26 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30b1ce27 |
|
net-firewall/iptables: revbump to backport upstream double-free fix (bug #831626) |
|
Closes: https://bugs.gentoo.org/831626 |
Copyright: Sony Interactive Entertainment Inc. |
Package-Manager: Portage-3.0.30, Repoman-3.0.3 |
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org> |
|
.../files/iptables-1.8.7-cache-double-free.patch | 61 +++++++ |
net-firewall/iptables/iptables-1.8.7-r1.ebuild | 183 +++++++++++++++++++++ |
2 files changed, 244 insertions(+) |
|
diff --git a/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch |
20 |
new file mode 100644 |
21 |
index 000000000000..fc88636d2944 |
22 |
--- /dev/null |
23 |
+++ b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch |
24 |
@@ -0,0 +1,61 @@ |
25 |
+commit 4318961230bce82958df82b57f1796143bf2f421 |
26 |
+Author: Phil Sutter <phil@×××.cc> |
27 |
+Date: Tue Sep 21 11:39:45 2021 +0200 |
28 |
+ |
29 |
+ nft: cache: Avoid double free of unrecognized base-chains |
30 |
+ |
31 |
+ On error, nft_cache_add_chain() frees the allocated nft_chain object |
32 |
+ along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to |
33 |
+ not free the nftnl_chain again in that case. |
34 |
+ |
35 |
+ Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array") |
36 |
+ Signed-off-by: Phil Sutter <phil@×××.cc> |
37 |
+ |
38 |
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c |
39 |
+index 2c88301c..9a03bbfb 100644 |
40 |
+--- a/iptables/nft-cache.c |
41 |
++++ b/iptables/nft-cache.c |
42 |
+@@ -314,9 +314,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data) |
43 |
+ goto out; |
44 |
+ } |
45 |
+ |
46 |
+- if (nft_cache_add_chain(h, t, c)) |
47 |
+- goto out; |
48 |
+- |
49 |
++ nft_cache_add_chain(h, t, c); |
50 |
+ return MNL_CB_OK; |
51 |
+ out: |
52 |
+ nftnl_chain_free(c); |
53 |
+diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0 |
54 |
+new file mode 100755 |
55 |
+index 00000000..1b85b060 |
56 |
+--- /dev/null |
57 |
++++ b/iptables/tests/shell/testcases/chain/0004extra-base_0 |
58 |
+@@ -0,0 +1,27 @@ |
59 |
++#!/bin/bash |
60 |
++ |
61 |
++case $XT_MULTI in |
62 |
++*xtables-nft-multi) |
63 |
++ ;; |
64 |
++*) |
65 |
++ echo skip $XT_MULTI |
66 |
++ exit 0 |
67 |
++ ;; |
68 |
++esac |
69 |
++ |
70 |
++set -e |
71 |
++ |
72 |
++nft -f - <<EOF |
73 |
++table ip filter { |
74 |
++ chain INPUT { |
75 |
++ type filter hook input priority filter |
76 |
++ counter packets 218 bytes 91375 accept |
77 |
++ } |
78 |
++ |
79 |
++ chain x { |
80 |
++ type filter hook input priority filter |
81 |
++ } |
82 |
++} |
83 |
++EOF |
84 |
++ |
85 |
++$XT_MULTI iptables -L |
86 |
|
87 |
diff --git a/net-firewall/iptables/iptables-1.8.7-r1.ebuild b/net-firewall/iptables/iptables-1.8.7-r1.ebuild |
88 |
new file mode 100644 |
89 |
index 000000000000..f748bdb9f289 |
90 |
--- /dev/null |
91 |
+++ b/net-firewall/iptables/iptables-1.8.7-r1.ebuild |
92 |
@@ -0,0 +1,183 @@ |
93 |
+# Copyright 1999-2022 Gentoo Authors |
94 |
+# Distributed under the terms of the GNU General Public License v2 |
95 |
+ |
96 |
+EAPI=7 |
97 |
+ |
98 |
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript |
99 |
+ |
100 |
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools" |
101 |
+HOMEPAGE="https://www.netfilter.org/projects/iptables/" |
102 |
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2" |
103 |
+ |
104 |
+LICENSE="GPL-2" |
105 |
+# Subslot reflects PV when libxtables and/or libip*tc was changed |
106 |
+# the last time. |
107 |
+SLOT="0/1.8.3" |
108 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" |
109 |
+IUSE="conntrack ipv6 netlink nftables pcap static-libs" |
110 |
+ |
111 |
+BUILD_DEPEND=" |
112 |
+ >=app-eselect/eselect-iptables-20200508 |
113 |
+" |
114 |
+COMMON_DEPEND=" |
115 |
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 ) |
116 |
+ netlink? ( net-libs/libnfnetlink ) |
117 |
+ nftables? ( |
118 |
+ >=net-libs/libmnl-1.0:0= |
119 |
+ >=net-libs/libnftnl-1.1.6:0= |
120 |
+ ) |
121 |
+ pcap? ( net-libs/libpcap ) |
122 |
+" |
123 |
+DEPEND="${COMMON_DEPEND} |
124 |
+ virtual/os-headers |
125 |
+ >=sys-kernel/linux-headers-4.4:0 |
126 |
+" |
127 |
+BDEPEND="${BUILD_DEPEND} |
128 |
+ app-eselect/eselect-iptables |
129 |
+ virtual/pkgconfig |
130 |
+ nftables? ( |
131 |
+ sys-devel/flex |
132 |
+ virtual/yacc |
133 |
+ ) |
134 |
+" |
135 |
+RDEPEND="${COMMON_DEPEND} |
136 |
+ ${BUILD_DEPEND} |
137 |
+ nftables? ( net-misc/ethertypes ) |
138 |
+ !<net-firewall/ebtables-2.0.11-r1 |
139 |
+ !<net-firewall/arptables-0.0.5-r1 |
140 |
+" |
141 |
+ |
142 |
+PATCHES=( |
143 |
+ "${FILESDIR}/iptables-1.8.4-no-symlinks.patch" |
144 |
+ "${FILESDIR}/iptables-1.8.2-link.patch" |
145 |
+ # https://bugs.gentoo.org/831626 |
146 |
+ "${FILESDIR}/iptables-1.8.7-cache-double-free.patch" |
147 |
+) |
148 |
+ |
149 |
+src_prepare() { |
150 |
+ # use the saner headers from the kernel |
151 |
+ rm include/linux/{kernel,types}.h || die |
152 |
+ |
153 |
+ default |
154 |
+ eautoreconf |
155 |
+} |
156 |
+ |
157 |
+src_configure() { |
158 |
+ # Some libs use $(AR) rather than libtool to build #444282 |
159 |
+ tc-export AR |
160 |
+ |
161 |
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388 |
162 |
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct |
163 |
+ |
164 |
+ sed -i \ |
165 |
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \ |
166 |
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \ |
167 |
+ configure || die |
168 |
+ |
169 |
+ local myeconfargs=( |
170 |
+ --sbindir="${EPREFIX}/sbin" |
171 |
+ --libexecdir="${EPREFIX}/$(get_libdir)" |
172 |
+ --enable-devel |
173 |
+ --enable-shared |
174 |
+ $(use_enable nftables) |
175 |
+ $(use_enable pcap bpf-compiler) |
176 |
+ $(use_enable pcap nfsynproxy) |
177 |
+ $(use_enable static-libs static) |
178 |
+ $(use_enable ipv6) |
179 |
+ ) |
180 |
+ econf "${myeconfargs[@]}" |
181 |
+} |
182 |
+ |
183 |
+src_compile() { |
184 |
+ emake V=1 |
185 |
+} |
186 |
+ |
187 |
+src_install() { |
188 |
+ default |
189 |
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt |
190 |
+ |
191 |
+ # all the iptables binaries are in /sbin, so might as well |
192 |
+ # put these small files in with them |
193 |
+ into / |
194 |
+ dosbin iptables/iptables-apply |
195 |
+ dosym iptables-apply /sbin/ip6tables-apply |
196 |
+ doman iptables/iptables-apply.8 |
197 |
+ |
198 |
+ insinto /usr/include |
199 |
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h) |
200 |
+ insinto /usr/include/iptables |
201 |
+ doins include/iptables/internal.h |
202 |
+ |
203 |
+ keepdir /var/lib/iptables |
204 |
+ newinitd "${FILESDIR}"/${PN}-r2.init iptables |
205 |
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables |
206 |
+ if use ipv6 ; then |
207 |
+ keepdir /var/lib/ip6tables |
208 |
+ dosym iptables /etc/init.d/ip6tables |
209 |
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables |
210 |
+ fi |
211 |
+ |
212 |
+ if use nftables; then |
213 |
+ # Bug 647458 |
214 |
+ rm "${ED}"/etc/ethertypes || die |
215 |
+ |
216 |
+ # Bugs 660886 and 669894 |
217 |
+ rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die |
218 |
+ fi |
219 |
+ |
220 |
+ systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service |
221 |
+ if use ipv6 ; then |
222 |
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service |
223 |
+ fi |
224 |
+ |
225 |
+ # Move important libs to /lib #332175 |
226 |
+ gen_usr_ldscript -a ip{4,6}tc xtables |
227 |
+ |
228 |
+ find "${ED}" -type f -name "*.la" -delete || die |
229 |
+} |
230 |
+ |
231 |
+pkg_postinst() { |
232 |
+ local default_iptables="xtables-legacy-multi" |
233 |
+ if ! eselect iptables show &>/dev/null; then |
234 |
+ elog "Current iptables implementation is unset, setting to ${default_iptables}" |
235 |
+ eselect iptables set "${default_iptables}" |
236 |
+ fi |
237 |
+ |
238 |
+ if use nftables; then |
239 |
+ local tables |
240 |
+ for tables in {arp,eb}tables; do |
241 |
+ if ! eselect ${tables} show &>/dev/null; then |
242 |
+ elog "Current ${tables} implementation is unset, setting to ${default_iptables}" |
243 |
+ eselect ${tables} set xtables-nft-multi |
244 |
+ fi |
245 |
+ done |
246 |
+ fi |
247 |
+ |
248 |
+ eselect iptables show |
249 |
+} |
250 |
+ |
251 |
+pkg_prerm() { |
252 |
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then |
253 |
+ elog "Unsetting iptables symlinks before removal" |
254 |
+ eselect iptables unset |
255 |
+ fi |
256 |
+ |
257 |
+ if ! has_version 'net-firewall/ebtables'; then |
258 |
+ elog "Unsetting ebtables symlinks before removal" |
259 |
+ eselect ebtables unset |
260 |
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then |
261 |
+ elog "Resetting ebtables symlinks to ebtables-legacy" |
262 |
+ eselect ebtables set ebtables-legacy |
263 |
+ fi |
264 |
+ |
265 |
+ if ! has_version 'net-firewall/arptables'; then |
266 |
+ elog "Unsetting arptables symlinks before removal" |
267 |
+ eselect arptables unset |
268 |
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then |
269 |
+ elog "Resetting arptables symlinks to arptables-legacy" |
270 |
+ eselect arptables set arptables-legacy |
271 |
+ fi |
272 |
+ |
273 |
+ # the eselect module failing should not be fatal |
274 |
+ return 0 |
275 |
+} |
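Review bot: The new ebuild carries only testing keywords (`KEYWORDS="~alpha ~amd64 ~arm ..."`), so users on the stable iptables-1.8.7 do not receive the double-free fix this revbump exists to ship; if the fix is meant to reach them, a stabilization request should follow this commit, or, since the only change against 1.8.7 is a single backported hunk, the previous stable keywords could be retained if the arch teams agree. A separate supply-chain point: `SRC_URI` fetches the tarball over https and authenticity rests on the Manifest alone, whereas netfilter.org publishes detached signatures next to its tarballs, so inheriting verify-sig with something like `SRC_URI+=" verify-sig? ( https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2.sig )"` would authenticate the tarball at fetch time, provided a sec-keys package for the netfilter release key is available in the tree. Minor: `BDEPEND` lists `app-eselect/eselect-iptables` both directly and via `${BUILD_DEPEND}`, and the unversioned entry is redundant given the `>=...-20200508` one.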