Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/iptables.git#648ffbc31613acd9f9015892c0820df9be00cb89
This commit is contained in:
DistroBaker 2021-01-28 14:21:56 +00:00
parent 78e6451c8f
commit b95090f5f5
3 changed files with 61 additions and 2 deletions

View File

@ -0,0 +1,51 @@
From 30c1d443896311e69762d6b51b63908ec602574f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 28 Jan 2021 01:09:56 +0100
Subject: [PATCH] ebtables: Exit gracefully on invalid table names
Users are able to cause program abort by passing a table name that
doesn't exist:
| # ebtables-nft -t dummy -P INPUT ACCEPT
| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
| Aborted
Avoid this by checking table existence just like iptables-nft does upon
parsing '-t' optarg. Since the list of tables is known and fixed,
checking the given name's length is pointless. So just drop that check
in return.
With this patch in place, output looks much better:
| # ebtables-nft -t dummy -P INPUT ACCEPT
| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
| Perhaps iptables or your kernel needs to be upgraded.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/xtables-eb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index cfa9317c78e94..5bb34d6d292a9 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -914,10 +914,10 @@ print_zero:
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be used in %s.\n",
line, xt_params->program_name);
- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
- xtables_error(PARAMETER_PROBLEM,
- "Table name length cannot exceed %d characters",
- EBT_TABLE_MAXNAMELEN - 1);
+ if (!nft_table_builtin_find(h, optarg))
+ xtables_error(VERSION_PROBLEM,
+ "table '%s' does not exist",
+ optarg);
*table = optarg;
table_set = true;
break;
--
2.28.0

View File

@ -19,7 +19,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: http://www.netfilter.org/projects/iptables
Version: 1.8.7
Release: 1%{?dist}
Release: 3%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
@ -32,6 +32,8 @@ Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
%endif
Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
# pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
License: GPLv2 and Artistic Licence 2.0 and ISC
@ -443,6 +445,12 @@ fi
%changelog
* Thu Jan 28 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-3
- ebtables: Exit gracefully on invalid table names
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.8.7-1
- Update to 1.8.7. Fixes rhbz#1916948

View File

@ -21,7 +21,7 @@
roles:
- role: standard-test-rhts
tests:
- backport-iptables-add-libxt-cgroup-frontend
# - backport-iptables-add-libxt-cgroup-frontend
- initscript-sanity
- ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
- ip6tables-service-does-not-allow-dhcpv6-client-by