Bug 1094186 (CVE-2017-18270)

Summary:	VUL-1: CVE-2017-18270: kernel: improper keyrings creation
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Alexander Bergmann <abergmann>
Component:	Incidents	Assignee:	Joey Lee <jlee>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P4 - Low	CC:	abergmann, atoptsoglou, ematsumiya, jlee, meissner, mhocko, smash_bz, tiwai
Version:	unspecified	Flags:	ematsumiya: needinfo? (jlee)
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/206151/
Whiteboard:	CVSSv3:RedHat:CVE-2017-18270:4.4:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) CVSSv3:SUSE:CVE-2017-18270:4.4:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) CVSSv2:NVD:CVE-2017-18270:3.6:(AV:L/AC:L/Au:N/C:N/I:P/A:P) CVSSv3:NVD:CVE-2017-18270:7.1:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Alexander Bergmann 2018-05-22 11:10:13 UTC

rh#1580979

In the Linux kernel before 4.13.5, a local user could create keyrings for other
users via keyctl commands, setting unwanted defaults or causing a denial of
service.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1580979
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18270
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18270.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18270
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=237bbd29f7a049d310d907f4b2716a7feef9abf3
https://github.com/torvalds/linux/commit/237bbd29f7a049d310d907f4b2716a7feef9abf3

Comment 1 Alexander Bergmann 2018-05-22 11:10:53 UTC

Already fixed.

https://github.com/openSUSE/kernel/commit/539255aea88e47932a98ba7656775cbca4f3d27c

Comment 2 Marcus Meissner 2018-05-22 16:25:38 UTC

patches.kernel.org/4.4.90-012-KEYS-prevent-creating-a-different-user-s-keyri.patch

Comment 3 Marcus Meissner 2018-05-22 16:26:26 UTC

it is fixed in 4.4.90, so sle12 sp2 and sp3.

it is not fixed in the older codestreams

Comment 4 Takashi Iwai 2018-05-23 09:03:58 UTC

SLE11-SP4 already contains it, too (via bsc#1065999), but not in other branches.

Joey, care to check this?

Comment 5 Takashi Iwai 2018-05-23 09:05:56 UTC

(In reply to Takashi Iwai from comment #4)
> SLE11-SP4 already contains it, too (via bsc#1065999), but not in other
> branches.

Just to make clear: SLE12-SP2/SP3, SLE15, TW and SLE11-SP4 are already covered.
The rest (cve/linux-3.12, and older ones) are missing.

Comment 6 Joey Lee 2018-11-01 10:30:40 UTC

(In reply to Takashi Iwai from comment #5)
> (In reply to Takashi Iwai from comment #4)
> > SLE11-SP4 already contains it, too (via bsc#1065999), but not in other
> > branches.
> 
> Just to make clear: SLE12-SP2/SP3, SLE15, TW and SLE11-SP4 are already
> covered.
> The rest (cve/linux-3.12, and older ones) are missing.

Backported patch is merged to cve/linux-3.12:

commit 4eae973ae49fa5f377bb99415704116ed846ecaf
Author: Lee, Chun-Yi <jlee@suse.com>
Date:   Fri Sep 14 18:10:54 2018 +0800

    KEYS: prevent creating a different user's keyrings
    (bnc#1065999).

Comment 7 Joey Lee 2018-11-06 10:31:44 UTC

(In reply to Joey Lee from comment #6)
> (In reply to Takashi Iwai from comment #5)
> > (In reply to Takashi Iwai from comment #4)
> > > SLE11-SP4 already contains it, too (via bsc#1065999), but not in other
> > > branches.
> > 
> > Just to make clear: SLE12-SP2/SP3, SLE15, TW and SLE11-SP4 are already
> > covered.
> > The rest (cve/linux-3.12, and older ones) are missing.
> 
> Backported patch is merged to cve/linux-3.12:
> 
> commit 4eae973ae49fa5f377bb99415704116ed846ecaf
> Author: Lee, Chun-Yi <jlee@suse.com>
> Date:   Fri Sep 14 18:10:54 2018 +0800
> 
>     KEYS: prevent creating a different user's keyrings
>     (bnc#1065999).

I have backported this patch to SLE11-SP3-LTSS. Waiting merged.

Comment 8 Enzo Matsumiya 2019-01-11 19:47:17 UTC

(In reply to Takashi Iwai from comment #5)
> The rest (cve/linux-3.12, and older ones) are missing.

Any updates for SLE11-SP1-LTSS? Customer from bug 1119974 is requesting it. Thanks in advance.

Comment 10 Swamp Workflow Management 2019-01-29 17:40:25 UTC

SUSE-SU-2019:13937-1: An update that solves 12 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1031240,1039803,1066674,1071021,1094186,1094825,1104070,1104366,1104367,1107189,1108498,1109200,1113201,1113751,1113769,1114920,1115007,1115038,1116412,1116841,1117515,1118152,1118319,1119255,1119714,1120743,905299,936875,968018,990682
CVE References: CVE-2017-1000407,CVE-2017-16533,CVE-2017-7273,CVE-2018-18281,CVE-2018-18386,CVE-2018-18710,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-9516,CVE-2018-9568
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.106.59.1, kernel-default-3.0.101-0.47.106.59.1, kernel-ec2-3.0.101-0.47.106.59.1, kernel-pae-3.0.101-0.47.106.59.1, kernel-source-3.0.101-0.47.106.59.1, kernel-syms-3.0.101-0.47.106.59.1, kernel-trace-3.0.101-0.47.106.59.1, kernel-xen-3.0.101-0.47.106.59.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.106.59.1, kernel-default-3.0.101-0.47.106.59.1, kernel-pae-3.0.101-0.47.106.59.1, kernel-ppc64-3.0.101-0.47.106.59.1, kernel-trace-3.0.101-0.47.106.59.1, kernel-xen-3.0.101-0.47.106.59.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.106.59.1, kernel-ec2-3.0.101-0.47.106.59.1, kernel-pae-3.0.101-0.47.106.59.1, kernel-source-3.0.101-0.47.106.59.1, kernel-syms-3.0.101-0.47.106.59.1, kernel-trace-3.0.101-0.47.106.59.1, kernel-xen-3.0.101-0.47.106.59.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.106.59.1, kernel-default-3.0.101-0.47.106.59.1, kernel-ec2-3.0.101-0.47.106.59.1, kernel-pae-3.0.101-0.47.106.59.1, kernel-trace-3.0.101-0.47.106.59.1, kernel-xen-3.0.101-0.47.106.59.1

Comment 11 Michal Hocko 2019-07-11 07:27:26 UTC

(In reply to Takashi Iwai from comment #4)
> SLE11-SP4 already contains it, too (via bsc#1065999), but not in other
> branches.
> 
> Joey, care to check this?

Joey, please make sure that you annotate the patch with the CVE in all branches so this fix doesn't slip through cracks for other branches that might need it.

Comment 12 Alexandros Toptsoglou 2020-01-16 17:07:47 UTC

(In reply to Michal Hocko from comment #11)
> (In reply to Takashi Iwai from comment #4)
> > SLE11-SP4 already contains it, too (via bsc#1065999), but not in other
> > branches.
> > 
> > Joey, care to check this?
> 
> Joey, please make sure that you annotate the patch with the CVE in all
> branches so this fix doesn't slip through cracks for other branches that
> might need it.

Hi Michal, 

AFAICS all branches should be fixed by now. Otherwise, feel free to reopen the bug.