iptables: upgrade 1.8.2 -> 1.8.3

Remove upstreamed patches and manually package symlinks which aren't handled by do_split_package. Changelog: http://git.netfilter.org/iptables/log/?qt=range&q=v1.8.3...v1.8.2 (From OE-Core rev: 845af88f86f143ca0b119f0489397cd505571cae) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-30 00:20:08 +00:00 · 2019-07-22 08:22:56 +08:00
parent c46f497dbb
commit f7e07e4acd
3 changed files with 9 additions and 182 deletions
@@ -1,61 +0,0 @@
 From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
 Date: Wed, 14 Nov 2018 07:35:28 +0100
 Subject: extensions: format-security fixes in libip[6]t_icmp
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
 introduced support for gcc feature to check format string against passed
 argument.  This commit adds missing bits to extenstions's libipt_icmp.c
 and libip6t_icmp6.c that were causing build to fail.
 Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
 Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Upstream-Status: Backport
 ---
 extensions/libip6t_icmp6.c | 4 ++--
 extensions/libipt_icmp.c   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
 diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
 index 45a71875..cc7bfaeb 100644
 --- a/extensions/libip6t_icmp6.c
 +++ b/extensions/libip6t_icmp6.c
@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
 	type_name = icmp6_type_xlate(icmptype);
 	if (type_name) {
 -		xt_xlate_add(xl, type_name);
 +		xt_xlate_add(xl, "%s", type_name);
 	} else {
 		for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
 			if (icmpv6_codes[i].type == icmptype &&
@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
 				break;
 		if (i != ARRAY_SIZE(icmpv6_codes))
 -			xt_xlate_add(xl, icmpv6_codes[i].name);
 +			xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
 		else
 			return 0;
 	}
 diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
 index 54189976..e76257c5 100644
 --- a/extensions/libipt_icmp.c
 +++ b/extensions/libipt_icmp.c
@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
 			if (icmp_codes[i].type == icmptype &&
 			    icmp_codes[i].code_min == code_min &&
 			    icmp_codes[i].code_max == code_max) {
 -				xt_xlate_add(xl, icmp_codes[i].name);
 +				xt_xlate_add(xl, "%s", icmp_codes[i].name);
 				return 1;
 			}
 	}
 -- 
 cgit v1.2.1
@@ -1,117 +0,0 @@
 From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
 From: Pablo Neira Ayuso <pablo@netfilter.org>
 Date: Mon, 22 Apr 2019 23:17:27 +0200
 Subject: [PATCH] xshared: check for maximum buffer length in
 add_param_to_argv()
 Bail out if we go over the boundary, based on patch from Sebastian.
 Reported-by: Sebastian Neef <contact@0day.work>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Upstream-Status: Backport
 CVE: CVE-2019-11360
 Signed-off-by: Li Zhou <li.zhou@windriver.com>
 ---
 iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
 1 file changed, 28 insertions(+), 18 deletions(-)
 diff --git a/iptables/xshared.c b/iptables/xshared.c
 index fb186fb1..36a2ec5f 100644
 --- a/iptables/xshared.c
 +++ b/iptables/xshared.c
@@ -433,10 +433,24 @@ void save_argv(void)
 	}
 }
 +struct xt_param_buf {
 +	char	buffer[1024];
 +	int 	len;
 +};
 +
 +static void add_param(struct xt_param_buf *param, const char *curchar)
 +{
 +	param->buffer[param->len++] = *curchar;
 +	if (param->len >= sizeof(param->buffer))
 +		xtables_error(PARAMETER_PROBLEM,
 +			      "Parameter too long!");
 +}
 +
 void add_param_to_argv(char *parsestart, int line)
 {
 -	int quote_open = 0, escaped = 0, param_len = 0;
 -	char param_buffer[1024], *curchar;
 +	int quote_open = 0, escaped = 0;
 +	struct xt_param_buf param = {};
 +	char *curchar;
 	/* After fighting with strtok enough, here's now
 	 * a 'real' parser. According to Rusty I'm now no
@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
 	for (curchar = parsestart; *curchar; curchar++) {
 		if (quote_open) {
 			if (escaped) {
 -				param_buffer[param_len++] = *curchar;
 +				add_param(&param, curchar);
 				escaped = 0;
 				continue;
 			} else if (*curchar == '\\') {
@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
 				quote_open = 0;
 				*curchar = '"';
 			} else {
 -				param_buffer[param_len++] = *curchar;
 +				add_param(&param, curchar);
 				continue;
 			}
 		} else {
@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
 		case ' ':
 		case '\t':
 		case '\n':
 -			if (!param_len) {
 +			if (!param.len) {
 				/* two spaces? */
 				continue;
 			}
 			break;
 		default:
 			/* regular character, copy to buffer */
 -			param_buffer[param_len++] = *curchar;
 -
 -			if (param_len >= sizeof(param_buffer))
 -				xtables_error(PARAMETER_PROBLEM,
 -					      "Parameter too long!");
 +			add_param(&param, curchar);
 			continue;
 		}
 -		param_buffer[param_len] = '\0';
 +		param.buffer[param.len] = '\0';
 		/* check if table name specified */
 -		if ((param_buffer[0] == '-' &&
 -		     param_buffer[1] != '-' &&
 -		     strchr(param_buffer, 't')) ||
 -		    (!strncmp(param_buffer, "--t", 3) &&
 -		     !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
 +		if ((param.buffer[0] == '-' &&
 +		     param.buffer[1] != '-' &&
 +		     strchr(param.buffer, 't')) ||
 +		    (!strncmp(param.buffer, "--t", 3) &&
 +		     !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
 			xtables_error(PARAMETER_PROBLEM,
 				      "The -t option (seen in line %u) cannot be used in %s.\n",
 				      line, xt_params->program_name);
 		}
 -		add_argv(param_buffer, 0);
 -		param_len = 0;
 +		add_argv(param.buffer, 0);
 +		param.len = 0;
 	}
 }
 -- 
 2.17.1
@@ -10,12 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
           file://0003-extensions-format-security-fixes-in-libipt_icmp.patch  \
           file://CVE-2019-11360.patch \
 "
-SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"
+SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
-SRC_URI[sha256sum] = "a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af"
+SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
 inherit autotools pkgconfig
@@ -49,6 +47,13 @@ python populate_packages_prepend() {
 FILES_${PN} += "${datadir}/xtables"
 # Include the symlinks as well in respective packages
 FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
 FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
 INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
 INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
 ALLOW_EMPTY_${PN}-modules = "1"
 RDEPENDS_${PN} = "${PN}-module-xt-standard"