A vulnerability has been identified in the Netfilter subsystem (CVE-2023-6817) which, in theory, could be exploited by a local user to elevate their privileges on the system. The root of the problem is a use-after-free bug in the nf_tables module, which implements the nftables packet filter functionality.
The bug has been present since Linux kernel version 5.6. The fix is included in the experimental release of Linux kernel 6.7-rc5 and has been backported to the current stable branches 5.10.204, 5.15.143, 6.1.68 and 6.6.7.
The problem is caused by a bug in the nft_pipapo_walk function, which fails to check for duplicates when iterating over PIPAPO (Pile Packet Policies) elements. This leads to the same memory being freed twice. A successful attack requires access to nftables, which can be obtained with CAP_NET_ADMIN privileges in any user namespace or network namespace. Such privileges can be granted, for example, in isolated containers. To test your systems, a prototype exploit has been published.
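The release numbers above are what an administrator needs to decide whether a given kernel still needs the fix. The POSIX shell function below is an added example written for this note, not code from the article or from the kernel project: it classifies a kernel version string against the fixed releases listed above (5.10.204, 5.15.143, 6.1.68, 6.6.7 and 6.7-rc5) and treats the introduction in 5.6 as the lower bound. Stable branches the article does not list (for example 5.11 or 6.0) are reported as "unknown"; assuming no backport exists for them is this script's own choice, not a statement from the article.

```sh
#!/bin/sh
# Added example, not part of the original article: classify a kernel version
# string against the fixed releases named for CVE-2023-6817.
# Caveat: distribution kernels often carry backported patches while keeping an
# old upstream version string (e.g. "5.15.0-1052-azure"), so for such kernels
# the distro's own advisory, not this version comparison, is authoritative.

# Prints one of: not_affected | fixed | vulnerable | unknown | unparsable
# Returns 0 for not_affected/fixed, 1 otherwise.
cve_2023_6817_status() {
    # keep "X.Y[.Z][-rcN]" and drop distro suffixes such as "-generic"
    ver=$(printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?(-rc[0-9]+)?).*$/\1/')
    if ! printf '%s\n' "$ver" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?(-rc[0-9]+)?$'; then
        echo unparsable; return 1
    fi
    rc=0
    case "$ver" in
        *-rc*) rc=${ver##*-rc}; ver=${ver%-rc*} ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}

    # the bug was introduced in 5.6: anything older never had it
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; }; then
        echo not_affected; return 0
    fi
    # the mainline fix landed in 6.7-rc5; every later release carries it
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -gt 7 ]; }; then
        echo fixed; return 0
    fi
    if [ "$major" -eq 6 ] && [ "$minor" -eq 7 ]; then
        # rc=0 means the final 6.7.x release, which is after rc5
        if [ "$rc" -eq 0 ] || [ "$rc" -ge 5 ]; then echo fixed; return 0; fi
        echo vulnerable; return 1
    fi
    # stable branches with a backport, as listed in the article
    case "$major.$minor" in
        5.10) fixed_patch=204 ;;
        5.15) fixed_patch=143 ;;
        6.1)  fixed_patch=68 ;;
        6.6)  fixed_patch=7 ;;
        *)    echo unknown; return 1 ;;   # no backport listed: treat as needing attention
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo fixed; return 0; fi
    echo vulnerable; return 1
}

# Report on the running kernel when the script is executed directly.
printf '%s: %s\n' "$(uname -r)" "$(cve_2023_6817_status "$(uname -r)")"
```

Run it as `sh check.sh` on each host, or source the file and call `cve_2023_6817_status` on version strings collected from an inventory; a non-zero return marks a kernel that needs either the listed update or a check against the distribution's advisory.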
Source: linux.org.ru
