Bugzilla – Full Text Bug Listing

Field | Value | Field | Value
---|---|---|---
Summary: | VUL-0: CVE-2017-17807: kernel: The KEYS subsystem omitted an access-control check when adding a key to the current task's "default request-key keyring" | |
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Johannes Segitz <jsegitz>
Component: | Incidents | Assignee: | Security Team bot <security-team>
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team>
Severity: | Normal | |
Priority: | P3 - Medium | CC: | gabriele.sonnu, jlee, lduncan, meissner, rfrohl, slemke, smash_bz, tiwai
Version: | unspecified | |
Target Milestone: | --- | |
Hardware: | Other | |
OS: | Other | |
URL: | https://smash.suse.de/issue/197018/ | |
Whiteboard: | CVSSv2:SUSE:CVE-2017-17807:3.3:(AV:L/AC:M/Au:N/C:P/I:N/A:P) CVSSv3:SUSE:CVE-2017-17807:5.1:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) maint:planned:update | |
Found By: | Security Response Team | Services Priority: |
Business Priority: | | Blocker: | ---
Marketing QA Status: | --- | IT Deployment: | ---
Description
Johannes Segitz
2017-12-21 11:55:38 UTC
The bug is not yet fixed.... ping!

In bsc#1074878, Lee Duncan backported the 4dca6ea1d9 patch to SLE12-SP2, SLE12-SP3, SLE15.

(In reply to Joey Lee from comment #3)
> In bsc#1074878, Lee Duncan backported 4dca6ea1d9 patch to
> SLE12-SP2, SLE12-SP3, SLE15

The backported patch was also merged into the openSUSE 42.3 and 15.0 kernels.

The other bug writes about SLE11:
This patch could not be added to SLE 11 SP4 because it needed two earlier pervasive commits:
> f5895943d91b KEYS: Move the flags representing required permission to linux/key.h
> 9a56c2db49e7 userns: Convert security/keys to the new userns infrastructure
So I would currently not consider this for backporting.
Also not fixed on: Welcome to SUSE Linux Enterprise Server 12 SP1 (probably as mentioned in comment #3).

We need fixes also for cve/linux-3.12.

Joey, still not fixed on SLES 11 SP4 LTSS either.

Reassign to kernel-bugs, as Joey seems AWOL.

Lee, care to backport to cve/linux-3.12 branch as well?

(In reply to Takashi Iwai from comment #9)
> Lee, care to backport to cve/linux-3.12 branch as well?

I do not see cve/linux-3.12 in kerncvs.suse.de? That is what I use to figure out which branches need a backport. Is that out of date?

I have pushed the patch (with some tweaks to apply) to users/lduncan/cve/linux-3.12/for-next.

I believe this is done now, though I never got an answer to my question about why cve-3.12 is not on kerncvs.suse.de.

Sorry, I didn't notice that you asked me. The likely reason why cve/linux-3.12 doesn't show up in the kerncvs diagram is that SLE12-SP0- and SP1-LTSS have already been discontinued (very recently). I noticed it later, too. So it's been pending for too long. But backporting isn't useless, as we might get a special request at any time later ;)

And this raises a general question whether we still need to maintain this branch from now on. I believe that we have no consensus yet. I'll ask on the kernel ML.

Updated tracking based on bsc#1074878; the CVE reference seems to be missing though.

We won't backport this fix to SLE11 as it requires two earlier pervasive commits. Closing.