On Mon, Jun 03, 2013 at 06:03:27PM -0700, Simon Horman wrote: > On Mon, Jun 03, 2013 at 12:00:49PM +0300, Dan Carpenter wrote: > > The entry struct has a 2 byte hole after ->port and another 4 byte > > hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your > > namespace to hit this information leak. > > Hi Dan, > > can I verify that it is actually possible to hit this and > thus the patch is a -stable candidate? This is a static checker fix. To me it seems like it's obviously a real info leak. I'm not certain of the impact though. CLONE_NEWNET requires CAP_SYS_ADMIN but on the other hand people are making virtualization products where they give everyone their own namespace with admin privileges. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
