Bugzilla – Bug 1073860
VUL-0: CVE-2017-17807: kernel: The KEYS subsystem omitted an access-control check when adding a key to the current task's "default request-key keyring"
Last modified: 2022-03-31 08:45:06 UTC
The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control
check when adding a key to the current task's "default request-key keyring" via
the request_key() system call, allowing a local user to use a sequence of
crafted system calls to add keys to a keyring with only Search permission (not
Write permission) to that keyring, related to construct_get_dest_keyring() in
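The missing check described above, as a simplified user-space model added here (not kernel code and not part of the original report). The types, function names and the `check_default` switch are hypothetical, and the model assumes that an explicitly named destination keyring is already checked for Write.

```c
#include <errno.h>
#include <stddef.h>

/* User-space model only: the types and function names are hypothetical,
 * not kernel code. The two bits stand for the Write and Search
 * permissions the CVE text distinguishes. */
#define NEED_WRITE  0x04u
#define NEED_SEARCH 0x08u

struct keyring {
    unsigned caller_perm; /* bits the calling task holds on this keyring */
    int      nkeys;       /* keys currently linked into it */
};

struct task {
    struct keyring *default_dest; /* the "default request-key keyring" */
};

static int check_perm(const struct keyring *kr, unsigned need)
{
    return (kr->caller_perm & need) == need ? 0 : -EACCES;
}

/* Model of request_key(): 'explicit_dest' may be NULL, in which case the
 * task's default keyring receives the new key. 'check_default' selects the
 * pre-fix (0) or corrected (1) behaviour for that fallback path. */
int model_request_key(struct task *t, struct keyring *explicit_dest,
                      int check_default)
{
    struct keyring *dest = explicit_dest;
    int ret;

    if (dest) {
        /* Caller-named destination: Write is required (model assumption). */
        if ((ret = check_perm(dest, NEED_WRITE)) < 0)
            return ret;
    } else {
        dest = t->default_dest;
        /* Fallback destination: found with Search alone... */
        if ((ret = check_perm(dest, NEED_SEARCH)) < 0)
            return ret;
        /* ...so the corrected path must also demand Write. */
        if (check_default && (ret = check_perm(dest, NEED_WRITE)) < 0)
            return ret;
    }
    dest->nkeys++; /* link the constructed key into the destination */
    return 0;
}
```

With a keyring on which the caller holds only Search, the unchecked fallback path links a key while the checked path and the explicit-destination path both return `-EACCES`.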
The bug is not yet fixed.... ping!
In bsc#1074878, Lee Duncan backported 4dca6ea1d9 patch to
SLE12-SP2, SLE12-SP3, SLE15
(In reply to Joey Lee from comment #3)
> In bsc#1074878, Lee Duncan backported 4dca6ea1d9 patch to
> SLE12-SP2, SLE12-SP3, SLE15
The backported patch also merged to openSUSE 42.3 and 15.0 kernel.
The other bug writes about SLE11:
This patch could not be added to SLE 11 SP4 because it needed two earlier pervasive commits:
> f5895943d91b KEYS: Move the flags representing required permission to linux/key.h
> 9a56c2db49e7 userns: Convert security/keys to the new userns infrastructure
So I would currently not consider this for backporting.
Also not fixed on:
Welcome to SUSE Linux Enterprise Server 12 SP1
(probably as mentioned in #comment3)
We need fixes also for cve/linux-3.12, Joey.
Still not fixed on SLES 11 SP4 LTSS either.
Reassign to kernel-bugs, as Joey seems AWOL.
Lee, care to backport to cve/linux-3.12 branch as well?
(In reply to Takashi Iwai from comment #9)
> Lee, care to backport to cve/linux-3.12 branch as well?
I do not see cve/linux-3.12 in kerncvs.suse.de? That is what I use to figure out which branches need a backport.
Is that out of date?
I have pushed the patch (with some tweaks to apply) to users/lduncan/cve/linux-3.12/for-next.
I believe this is done now, though I never got an answer to my question about why cve-3.12 is not on kerncvs.suse.de
Sorry, I didn't notice that you asked me.
The likely reason why cve/linux-3.12 doesn't show up in kerncvs diagram is that SLE12-SP0- and SP1-LTSS have been already discontinued (very recently).
I noticed it later, too. So it's been pending for too long a time.
But backporting isn't useless, as we might get a special request at any time later ;)
And, this raises a general question whether we still need to maintain this branch from now on. I believe that we have no consensus yet.
I'll ask on kernel ML.
Updated tracking based on bsc#1074878; CVE reference seems to be missing though.
We won't backport this fix to SLE11 as it requires two earlier pervasive commits. Closing.