Bugzilla – Bug 1073860
VUL-0: CVE-2017-17807: kernel: The KEYS subsystem omitted an access-control check when adding a key to the current task's "default request-key keyring"
Last modified: 2022-03-31 08:45:06 UTC
CVE-2017-17807

The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's "default request-key keyring" via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17807
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.6
https://github.com/torvalds/linux/commit/4dca6ea1d9432052afb06baf2e3ae78188a4410b
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4dca6ea1d9432052afb06baf2e3ae78188a4410b
The bug is not yet fixed.... ping!
In bsc#1074878, Lee Duncan backported 4dca6ea1d9 patch to SLE12-SP2, SLE12-SP3, SLE15
(In reply to Joey Lee from comment #3)
> In bsc#1074878, Lee Duncan backported 4dca6ea1d9 patch to
> SLE12-SP2, SLE12-SP3, SLE15

The backported patch was also merged to openSUSE 42.3 and 15.0 kernel.
The other bug writes about SLE11:

This patch could not be added to SLE 11 SP4 because it needed two earlier pervasive commits:
> f5895943d91b KEYS: Move the flags representing required permission to linux/key.h
> 9a56c2db49e7 userns: Convert security/keys to the new userns infrastructure

So I would currently not consider this for backporting.
Also not fixed on: Welcome to SUSE Linux Enterprise Server 12 SP1 (probably as mentioned in #comment3)
We need fixes also for cve/linux-3.12, Joey.
Still not fixed on SLES 11 SP4 LTSS either. Reassign to kernel-bugs, as Joey seems AWOL.
Lee, care to backport to cve/linux-3.12 branch as well?
(In reply to Takashi Iwai from comment #9)
> Lee, care to backport to cve/linux-3.12 branch as well?

I do not see cve/linux-3.12 in kerncvs.suse.de? That is what I use to figure out which branches need a backport. Is that out of date?
I have pushed the patch (with some tweaks to apply) to users/lduncan/cve/linux-3.12/for-next.
I believe this is done now, though I never got an answer to my question about why cve-3.12 is not on kerncvs.suse.de.
Sorry, I didn't notice that you asked me. The likely reason why cve/linux-3.12 doesn't show up in the kerncvs diagram is that SLE12-SP0- and SP1-LTSS have already been discontinued (very recently). I noticed it later, too. So it's been pending for too long a time. But backporting isn't useless, as we might get a special request at any time later ;) And this raises a general question whether we still need to maintain this branch from now on. I believe that we have no consensus yet. I'll ask on kernel ML.
updated tracking based on bsc#1074878, CVE reference seems to be missing though.
We won't backport this fix to SLE11 as it requires two earlier pervasive commits. Closing.
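
Added example, not part of the original bug thread and not SUSE tooling: because the fix was backported to SLE kernels older than 4.14.6, comparing the running kernel version against 4.14.6 cannot tell whether a host is patched, so this shell function checks a package changelog for the identifiers named on this page instead. The function names, the sample changelog text, the `kernel-default` package name and the assumption that backport entries cite the CVE id, a bug number or the commit id are mine.

```shell
#!/bin/sh
# Added example, not SUSE tooling. Identifiers below come from this bug page.
# Assumption: changelog entries for the backport cite the CVE id, one of the
# two bug numbers, or the upstream commit id.
FIX_PATTERN='CVE-2017-17807|(bsc|bnc|boo)#(1073860|1074878)|4dca6ea1d9'

# Reads changelog text on stdin.
#   exit 0: fix referenced (matching lines printed with line numbers)
#   exit 1: changelog present but no reference found
#   exit 2: empty input, so nothing can be concluded
check_changelog() {
    log=$(cat)
    if [ -z "$log" ]; then
        echo "unknown: empty changelog"
        return 2
    fi
    if hits=$(printf '%s\n' "$log" | grep -E -i -n -- "$FIX_PATTERN"); then
        echo "referenced:"
        printf '%s\n' "$hits"
        return 0
    fi
    echo "no-reference"
    return 1
}

# Constructed sample: a 4.4-based kernel changelog that carries the backport.
sample_patched() {
    cat <<'EOF'
* Mon Jan 08 2018 maintainer@example.com
- KEYS: add missing permission check for request_key() destination
  (bsc#1073860 CVE-2017-17807).
* Fri Dec 01 2017 maintainer@example.com
- unrelated driver fix (bsc#0000000).
EOF
}

# Constructed sample: same changelog without the backport entry.
sample_unpatched() {
    cat <<'EOF'
* Fri Dec 01 2017 maintainer@example.com
- unrelated driver fix (bsc#0000000).
EOF
}

# Usage on a host (kernel-default is an assumed package name):
#   rpm -q --changelog kernel-default | check_changelog
```

An exit status of 2 (empty changelog) means the check could not be performed and should not be read as "unpatched".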