disable generic tracking for known protocols in kernel-netfilter-conntrack in Jolla1 CVE-2014-8160 remote

Tracked by Jolla

asked 2017-07-25 16:53:17 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-11-29 18:25:50 +0200

lpr gravatar image

net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers.

This was fixed for JollaC / aquafish in SFOS 2.0.4 but jolla1 is still vulnerable in SFOS 2.1.3.7 .

Patch and kernel-3.2-Patch are identical, so kernel-3.4-adaptation-sbj should see the same fix.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/netfilter/nf_conntrack_proto_generic.c lines 15-19

edit retag flag offensive close delete

Comments

1

@jovirkku this should have a "tracked by jolla" label

lpr ( 2017-09-19 09:42:48 +0200 )edit