Bugzilla – Bug 962075
VUL-0: CVE-2016-0728: kernel: Use-after-free vulnerability in keyring facility
Last modified: 2019-07-15 09:06:26 UTC
Created attachment 661901
Patch for CVE-2016-0728

Perception Point research team reported to RH:

Use-after-free vulnerability in keyring facility, possibly leading to local privilege escalation, was found. Function join_session_keyring in security/keys/process_keys.c holds a reference to the requested keyring, but if that keyring is the same as the one being currently used by the process, the kernel wouldn't decrease keyring->usage before returning to userspace. The usage field can be possibly overflowed causing use-after-free on the keyring object.

Introduced by:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a50597de8635cd05133bd12c95681c82fe7b878

RH suspects that Perception Point research team is preparing a blog post to be published on the embargo lift date, possibly with a (fully?) working exploit disclosure.

CRD: 2016-01-19
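The reference imbalance described in the report above, as an added user-space model (not part of this bug report, not the attached patch, and not kernel code). The struct, the helper names other than join_session_keyring's role, and the 8-bit counter width are assumptions chosen so the wrap shows up after a few hundred calls.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model object: 8-bit counter is an assumption; the kernel's field is far wider. */
struct keyring { uint8_t usage; bool freed; };

static struct keyring *session;   /* keyring currently attached to the "process" */

static void key_get(struct keyring *k) { k->usage++; }
static void key_put(struct keyring *k) { if (--k->usage == 0) k->freed = true; }

/* A lookup always hands the caller one extra reference. */
static struct keyring *find_keyring(struct keyring *k) { key_get(k); return k; }

/* Before the fix: the "same keyring" early return keeps the lookup reference. */
static void join_buggy(struct keyring *requested) {
    struct keyring *k = find_keyring(requested);
    if (k == session) return;              /* reference leaked here */
    key_put(session); session = k;         /* normal path: lookup ref moves to session */
}

/* Balanced version: drop the lookup reference on the same-keyring path. */
static void join_fixed(struct keyring *requested) {
    struct keyring *k = find_keyring(requested);
    if (k == session) { key_put(k); return; }
    key_put(session); session = k;
}

/* Joins the already-attached keyring `calls` times, then performs one ordinary
 * get/put pair as any other user of the object would. Returns the final count
 * and reports whether the object was freed while still attached. */
static unsigned run_model(void (*join)(struct keyring *), unsigned calls,
                          bool *freed_while_attached) {
    struct keyring k = { .usage = 1, .freed = false };
    session = &k;
    for (unsigned i = 0; i < calls; i++) join(&k);
    key_get(&k); key_put(&k);
    *freed_while_attached = k.freed;
    return k.usage;
}

int main(void) {
    bool freed;
    unsigned u = run_model(join_buggy, 255, &freed);
    printf("buggy: usage=%u freed_while_attached=%d\n", u, freed);
    u = run_model(join_fixed, 255, &freed);
    printf("fixed: usage=%u freed_while_attached=%d\n", u, freed);
    return 0;
}
```

In the model, the balanced path leaves the count at 1 no matter how often the join is repeated, which is the invariant a regression test for the fix should assert.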
bugbot adjusting priority
Public http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
Created attachment 662323
poc
Ok, it's public now and I'm getting pinged from community folks. To which branches has it been pushed so I can pull it into our repo and get maintenance updates started?
(In reply to Jeff Mahoney from comment #30)
> Ok, it's public now and I'm getting pinged from community folks. To which
> branches has it been pushed so I can pull it into our repo and get
> maintenance updates started?

I pushed patch to users/jlee/openSUSE-42.1/for-next.

And, I am working on stable branch
(In reply to Joey Lee from comment #31)
> (In reply to Jeff Mahoney from comment #30)
> > Ok, it's public now and I'm getting pinged from community folks. To which
> > branches has it been pushed so I can pull it into our repo and get
> > maintenance updates started?
>
> I pushed patch to users/jlee/openSUSE-42.1/for-next.
>
> And, I am working on stable branch

Also push to users/jlee/stable/for-next and users/jlee/master/for-next
I updated all three SLE12 branches.
we also need it in 13.1 and 13.2 branches. (13.1 is migrating to evergreen support, but we should do one last update for the kernel there I guess.)
(In reply to Marcus Meissner from comment #34)
> we also need it in 13.1 and 13.2 branches.
>
> (13.1 is migrating to evergreen support, but we should do one last update
> for the kernel there I guess.)

Yes, that's the agreement between Jeff and me. For the record, a 3.12 kernel (based on SLE12-SP1) for 13.1 with the fix is available in OBS project home:mkubecek:evergreen-13.1
I merged master to stable, now you can drop stable/for-next. Thanks.
I pushed patch to my branch:

users/jlee/openSUSE-13.1/for-next
users/jlee/openSUSE-13.2/for-next
Affected are SLE 12 and SLE 12 SP1. SLE 11 and older are not affected. A kernel update for SLE 12 SP1 is expected today, the update for SLE 12 should be available tomorrow
This is an autogenerated message for OBS integration: This bug (962075) was mentioned in https://build.opensuse.org/request/show/355040 13.1 / kernel-source
SUSE-SU-2016:0186-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 962075
CVE References: CVE-2016-0728
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): kernel-default-3.12.51-60.25.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): kernel-docs-3.12.51-60.25.2, kernel-obs-build-3.12.51-60.25.1
SUSE Linux Enterprise Server 12-SP1 (src): kernel-default-3.12.51-60.25.1, kernel-source-3.12.51-60.25.1, kernel-syms-3.12.51-60.25.1, kernel-xen-3.12.51-60.25.1
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.51-60.25.1
SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12-SP1_Update_2-1-2.2
SUSE Linux Enterprise Desktop 12-SP1 (src): kernel-default-3.12.51-60.25.1, kernel-source-3.12.51-60.25.1, kernel-syms-3.12.51-60.25.1, kernel-xen-3.12.51-60.25.1
This is an autogenerated message for OBS integration: This bug (962075) was mentioned in https://build.opensuse.org/request/show/355080 42.1 / kernel-source
(In reply to Johannes Segitz from comment #38)
> Affected are SLE 12 and SLE 12 SP1. SLE 11 and older are not affected.
> A kernel update for SLE 12 SP1 is expected today, the update for SLE 12
> should be available tomorrow

Hi Johannes,

Do you have an idea where the patch will be available for SLES ES and RES Product?

Thanks,
Regards,
SUSE-SU-2016:0205-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 962075
CVE References: CVE-2016-0728
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): kernel-default-3.12.51-52.39.1
SUSE Linux Enterprise Software Development Kit 12 (src): kernel-docs-3.12.51-52.39.3, kernel-obs-build-3.12.51-52.39.1
SUSE Linux Enterprise Server 12 (src): kernel-default-3.12.51-52.39.1, kernel-source-3.12.51-52.39.1, kernel-syms-3.12.51-52.39.1, kernel-xen-3.12.51-52.39.1
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.51-52.39.1
SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_11-1-2.3
SUSE Linux Enterprise Desktop 12 (src): kernel-default-3.12.51-52.39.1, kernel-source-3.12.51-52.39.1, kernel-syms-3.12.51-52.39.1, kernel-xen-3.12.51-52.39.1
Is there any update on when this should be available for OpenSUSE 13.2 systems?
Our QA team is testing the openSUSE updates; they can already be accessed via http://download.opensuse.org/update/13.2-test/

(replace 13.2 by 13.1 and leap/42.1 for 13.1 and Leap)
openSUSE-SU-2016:0280-1: An update that solves 10 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 865096,865259,913996,950178,950998,952621,954324,954532,954647,955422,956708,957152,957988,957990,958439,958463,958504,958510,958886,958951,959190,959399,960021,960710,961263,961509,962075,962597
CVE References: CVE-2015-7550,CVE-2015-8539,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE Leap 42.1 (src): kernel-debug-4.1.15-8.1, kernel-default-4.1.15-8.1, kernel-docs-4.1.15-8.3, kernel-ec2-4.1.15-8.1, kernel-obs-build-4.1.15-8.2, kernel-obs-qa-4.1.15-8.1, kernel-obs-qa-xen-4.1.15-8.1, kernel-pae-4.1.15-8.1, kernel-pv-4.1.15-8.1, kernel-source-4.1.15-8.1, kernel-syms-4.1.15-8.1, kernel-vanilla-4.1.15-8.1, kernel-xen-4.1.15-8.1
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
The RPM's changelog on these seems not to have been updated. E.g. for 13.1:

rpm -q --changelog -p kernel-default-3.11.10-32.1.x86_64.rpm | head -2
* Thu Mar 05 2015 oneukum@suse.de
- HID: usbhid: enable always-poll quirk for Elan Touchscreen 0103

rpm -q --changelog -p kernel-default-3.11.10-29.1.x86_64.rpm | head -2
* Thu Mar 05 2015 oneukum@suse.de
- HID: usbhid: enable always-poll quirk for Elan Touchscreen 0103

I'd expect something more recent on the -32 version.
This is a known issue, see the thread at http://lists.opensuse.org/opensuse-kernel/2016-02/msg00000.html
openSUSE-SU-2016:0318-1: An update that solves 19 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 814440,906545,912202,921949,937969,937970,938706,944296,945825,949936,950998,951627,951638,952384,952579,952976,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-8989,CVE-2014-9529,CVE-2015-5157,CVE-2015-5307,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.2 (src): bbswitch-0.8-3.15.1, cloop-2.639-14.15.1, crash-7.0.8-15.1, hdjmod-1.28-18.16.1, ipset-6.23-15.1, kernel-debug-3.16.7-32.1, kernel-default-3.16.7-32.1, kernel-desktop-3.16.7-32.1, kernel-docs-3.16.7-32.2, kernel-ec2-3.16.7-32.1, kernel-obs-build-3.16.7-32.2, kernel-obs-qa-3.16.7-32.1, kernel-obs-qa-xen-3.16.7-32.1, kernel-pae-3.16.7-32.1, kernel-source-3.16.7-32.1, kernel-syms-3.16.7-32.1, kernel-vanilla-3.16.7-32.1, kernel-xen-3.16.7-32.1, pcfclock-0.44-260.15.1, vhba-kmp-20140629-2.15.1, virtualbox-4.3.34-37.1, xen-4.4.3_08-38.1, xtables-addons-2.6-15.1
all released