Bug 1073860 (CVE-2017-17807)

Summary: VUL-0: CVE-2017-17807: kernel: The KEYS subsystem omitted an access-control check when adding a key to the current task's "default request-key keyring"
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gabriele.sonnu, jlee, lduncan, meissner, rfrohl, slemke, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/197018/
Whiteboard: CVSSv2:SUSE:CVE-2017-17807:3.3:(AV:L/AC:M/Au:N/C:P/I:N/A:P) CVSSv3:SUSE:CVE-2017-17807:5.1:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-12-21 11:55:38 UTC
CVE-2017-17807

The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control
check when adding a key to the current task's "default request-key keyring" via
the request_key() system call, allowing a local user to use a sequence of
crafted system calls to add keys to a keyring with only Search permission (not
Write permission) to that keyring, related to construct_get_dest_keyring() in
security/keys/request_key.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17807
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.6
https://github.com/torvalds/linux/commit/4dca6ea1d9432052afb06baf2e3ae78188a4410b
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4dca6ea1d9432052afb06baf2e3ae78188a4410b
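To make the "Search permission but not Write permission" condition concrete, here is a small C model (added for illustration; it is not code from this bug, the kernel, or the referenced commit) of the KEYS permission mask and of the Write check that the referenced commit added to construct_get_dest_keyring(). The permission-bit constants follow include/linux/key.h; the uid/gid values and the sample keyring are constructed, and supplementary-group and LSM handling are omitted.

```c
/* Added model (not kernel code) of the KEYS permission mask and of the Write
 * check the referenced commit added to construct_get_dest_keyring(). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define KEY_NEED_WRITE   0x04u
#define KEY_NEED_SEARCH  0x08u
#define KEY_NEED_ALL     0x3fu           /* low 6 bits of any byte          */
#define KEY_POS_SEARCH   0x08000000u     /* possessor byte (bits 24..31)    */
#define KEY_USR_ALL      0x003f0000u     /* owner byte (bits 16..23)        */
#define KEY_OTH_SEARCH   0x00000008u     /* "other" byte (bits 0..7)        */
/* perm holds four bytes: possessor | user | group | other (include/linux/key.h) */
struct key { uint32_t uid, gid, perm; };

/* Mirrors key_task_permission(): pick the byte for the caller's relation to the
 * key, OR in the possessor byte if the key is possessed, require every bit.
 * Supplementary-group lookup and LSM hooks are left out of this model. */
static bool key_permission(const struct key *k, uint32_t uid, uint32_t gid,
                           bool possessed, uint32_t need)
{
    uint32_t kperm;
    if (k->uid == uid)      kperm = k->perm >> 16;   /* owner byte */
    else if (k->gid == gid) kperm = k->perm >> 8;    /* group byte */
    else                    kperm = k->perm;         /* other byte */
    if (possessed)          kperm |= k->perm >> 24;  /* possessor bits are additive */
    return (kperm & need & KEY_NEED_ALL) == (need & KEY_NEED_ALL);
}

/* Default destination keyring of request_key(). Reaching it (e.g. joining a
 * named session keyring) only needs Search; the vulnerable kernel then linked
 * the new key with no further check, the fix also demands Write (possessed ref). */
static bool dest_keyring_accepts(const struct key *ring, uint32_t uid,
                                 uint32_t gid, bool fixed)
{
    if (!key_permission(ring, uid, gid, true, KEY_NEED_SEARCH))
        return false;           /* not reachable on either kernel */
    if (!fixed)
        return true;            /* CVE-2017-17807: Write never checked */
    return key_permission(ring, uid, gid, true, KEY_NEED_WRITE);
}

/* Constructed sample: root-owned keyring that others may search but not write. */
static const struct key sample_ring = { 0, 0, KEY_POS_SEARCH | KEY_USR_ALL | KEY_OTH_SEARCH };

int main(void)
{
    const char *v = dest_keyring_accepts(&sample_ring, 1000, 1000, false) ? "key added" : "EACCES";
    const char *f = dest_keyring_accepts(&sample_ring, 1000, 1000, true) ? "key added" : "EACCES";
    printf("uid 1000 -> vulnerable kernel: %s, fixed kernel: %s\n", v, f);
    return 0;
}
```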
Comment 2 Marcus Meissner 2018-09-03 08:01:52 UTC
The bug is not yet fixed.... ping!
Comment 3 Joey Lee 2018-09-07 10:31:35 UTC
In bsc#1074878, Lee Duncan backported the 4dca6ea1d9 patch to SLE12-SP2, SLE12-SP3, SLE15.
Comment 4 Joey Lee 2018-09-07 10:41:03 UTC
(In reply to Joey Lee from comment #3)
> In bsc#1074878, Lee Duncan backported the 4dca6ea1d9 patch to SLE12-SP2, SLE12-SP3, SLE15.

The backported patch was also merged into the openSUSE 42.3 and 15.0 kernels.
Comment 5 Marcus Meissner 2018-09-07 11:50:32 UTC
The other bug says about SLE11:

This patch could not be added to SLE 11 SP4 because it needed two earlier pervasive commits:

> f5895943d91b KEYS: Move the flags representing required permission to linux/key.h
> 9a56c2db49e7 userns: Convert security/keys to the new userns infrastructure

So I would currently not consider this for backporting.
Comment 6 Sergio Rafael Lemke 2018-09-27 09:48:23 UTC
Also not fixed on:
Welcome to SUSE Linux Enterprise Server 12 SP1

(probably as mentioned in #comment3)
Comment 7 Marcus Meissner 2018-10-09 09:26:41 UTC
We also need fixes for cve/linux-3.12, Joey.
Comment 8 Marcus Meissner 2020-06-04 07:02:22 UTC
Still not fixed on SLES 11 SP4 LTSS either.

Reassigning to kernel-bugs, as Joey seems AWOL.
Comment 9 Takashi Iwai 2020-06-04 07:11:13 UTC
Lee, care to backport to cve/linux-3.12 branch as well?
Comment 10 Lee Duncan 2020-06-05 18:51:06 UTC
(In reply to Takashi Iwai from comment #9)
> Lee, care to backport to cve/linux-3.12 branch as well?

I do not see cve/linux-3.12 in kerncvs.suse.de? That is what I use to figure out which branches need a backport.

Is that out of date?
Comment 11 Lee Duncan 2020-06-06 01:06:59 UTC
I have pushed the patch (with some tweaks to apply) to users/lduncan/cve/linux-3.12/for-next.
Comment 12 Lee Duncan 2020-06-08 18:42:08 UTC
I believe this is done now, though I never got an answer to my question about why cve-3.12 is not on kerncvs.suse.de.
Comment 13 Takashi Iwai 2020-06-08 20:23:36 UTC
Sorry, I didn't notice that you asked me.

The likely reason why cve/linux-3.12 doesn't show up in the kerncvs diagram is that SLE12-SP0- and SP1-LTSS have already been discontinued (very recently).
I noticed it later, too.  So it's been pending for too long a time.

But backporting isn't useless, as we might get a special request at any time later ;)

And this raises a general question of whether we still need to maintain this branch from now on.  I believe that we have no consensus yet.
I'll ask on kernel ML.
Comment 14 Robert Frohl 2021-11-02 10:36:33 UTC
Updated tracking based on bsc#1074878; the CVE reference seems to be missing though.
Comment 15 Gabriele Sonnu 2022-03-31 08:45:06 UTC
We won't backport this fix to SLE11 as it requires two earlier pervasive commits. Closing.