
Bug 572384 (CVE-2016-0728)

Summary: <sys-kernel/gentoo-sources-{3.12.52-r1,3.14.58-r1,3.18.25-r1,4.1.15-r1}: possible local privilege escalation due to keyring facility (CVE-2016-0728)
Product: Gentoo Security
Reporter: Marius Brehler <marius.brehler+gentoo>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: adrian, aidecoe, alexander, andrzej.pauli, ap, c.affolter, cyberbat83, erik.dobak, gandalf42, gentoo, j6yNRdsH5Fc3, jwbraun, kensington, kernel, m+gentoo-bugs, michael.scholl, mike, morlix, pacho, toto
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0728
Whiteboard: B1 [noglsa]
Package list:
Runtime testing required: ---

Description Marius Brehler 2016-01-19 20:21:28 UTC
A 0-day local privilege escalation vulnerability has been identified by the Perception Point research team. It has been reported that a vulnerability in the keyring facility possibly leads to a local privilege escalation. For details please see the links below.


CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0728

Report:
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

Red Hat Bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1297475

Reproducible: Always
Comment 1 Marius Brehler 2016-01-20 11:23:00 UTC
The notes of the Debian security tracker [1] document the URL to the commit fixing the issue, as well as the information that the vulnerability was introduced with v3.8-rc1. Thus all versions of sys-kernel/gentoo-sources currently marked as stable are affected.


Upstream commit: https://git.kernel.org/linus/23567fd052a9abb6d67fe8e7a9ccdd9800a540f2
Introduced in https://git.kernel.org/linus/3a50597de8635cd05133bd12c95681c82fe7b878 (v3.8-rc1)

[1] https://security-tracker.debian.org/tracker/CVE-2016-0728
Comment 2 Adrian 2016-01-21 23:06:06 UTC
Two days and still no update? :/
Comment 3 Osiris 2016-01-21 23:08:29 UTC
My kernels just the way I like 'em: exploitable!
Comment 5 Osiris 2016-01-22 00:30:45 UTC
(In reply to Mike Pagano from comment #4)
> https://gitweb.gentoo.org/repo/gentoo.git/log/sys-kernel/gentoo-sources

So the latest stable (4.1.12) is still vulnerable?
Comment 6 Mike Pagano gentoo-dev 2016-01-22 02:13:36 UTC
(In reply to Osiris from comment #5)
> (In reply to Mike Pagano from comment #4)
> > https://gitweb.gentoo.org/repo/gentoo.git/log/sys-kernel/gentoo-sources
> 
> So the latest stable (4.1.12) is still vulnerable?

Yep.
Comment 7 Mike Nerone 2016-01-22 02:36:58 UTC
I'm sorry, it seemed like you said that as if it's ok. Could you clarify the plan?
Comment 8 Kristian Fiskerstrand gentoo-dev Security 2016-01-22 09:55:53 UTC
Arches, please stabilize

=gentoo-sources/gentoo-sources-3.12.52-r1
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

=gentoo-sources/gentoo-sources-3.14.58-r1
Stable target: alpha amd64 arm hppa ia64 sparc x86

=gentoo-sources/gentoo-sources-3.18.25-r1
Stable targets: alpha amd64 arm hppa ia64 sparc x86

=gentoo-sources/gentoo-sources-4.1.15-r1
Stable targets: alpha amd64 ia64 ppc ppc64 sparc x86
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2016-01-22 23:20:18 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-24 12:00:06 UTC
Because of our policy (kernel side) I marked stable some ebuilds.

The complete status of the gentoo-sources:

3.4 series: not vulnerable
3.10 series: marked stable 3.10.95 which contains the fix (https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.95)
3.12 series: marked stable 3.12.52-r1
3.14 series: marked stable 3.14.58-r1 except ppc/ppc64 which don't have a stable keyword on this series
3.18 series: marked stable by Mikle. There aren't other 3.18 ebuilds with stable keywords.
4.0 series: no fixed ebuild to be marked stable because it is no longer supported upstream
4.1 marked stable 4.1.15-r1 which contains the fix.


WHAT IS STILL MISSING:
arm needs to test 4.1.15-r1


NOTES:
ppc/ppc64 does not really want to do 3.14
I don't see other stable ebuilds for 3.18, so I'm supposing we want to keep only amd64 as stable for this series.
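An added example, not part of the thread and not Gentoo tooling: a small checker that maps a gentoo-sources version onto the per-series status listed in the summary and in comments 1, 8 and 10. It assumes that later point releases and revisions in a series keep the fix and that the running kernel reports a `X.Y.Z-gentoo-rN` style string; the function names and status labels are hypothetical.

```python
import re

# First fixed gentoo-sources version per series as (patchlevel, revision),
# taken from the bug summary and comments 8 and 10.
FIXED = {
    (3, 10): (95, 0),
    (3, 12): (52, 1),
    (3, 14): (58, 1),
    (3, 18): (25, 1),
    (4, 1): (15, 1),
}
NO_FIX = {(4, 0)}     # comment 10: no fixed ebuild, series unsupported upstream
INTRODUCED = (3, 8)   # comment 1: flaw introduced with v3.8-rc1

# Accepts the ebuild form (4.1.15-r1) and the uname -r form (4.1.15-gentoo-r1).
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-gentoo)?(?:-r(\d+))?$")


def parse(version):
    """Split a version string into ((major, minor), (patchlevel, revision))."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, rev = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (patch, rev)


def status(version):
    """Classify a version against the fix status recorded in this bug."""
    series, point = parse(version)
    if series < INTRODUCED:
        return "not-affected"          # predates the vulnerable code (e.g. 3.4)
    if series in NO_FIX:
        return "vulnerable-no-fix"     # move to a supported series
    if series not in FIXED:
        return "unknown"               # series not covered by this bug report
    # Assumption: anything at or after the first fixed revision keeps the fix.
    return "fixed" if point >= FIXED[series] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs; replace with the output of `uname -r`
    # or the installed ebuild versions.
    for v in ("3.4.113", "3.12.52", "3.12.52-gentoo-r1", "4.0.9", "4.1.12",
              "4.1.15-gentoo-r1", "4.4.0"):
        print(f"{v:20} {status(v)}")
```

A `-r0` ebuild of a listed point release (for example 4.1.15 without `-r1`) is reported as vulnerable, matching the `<...-r1` bound in the bug summary.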
Comment 11 Jeroen Roovers gentoo-dev 2016-01-24 12:21:31 UTC
(In reply to Agostino Sarubbo from comment #10)
> Because of our policy (kernel side) I marked stable some ebuilds.

So even kernel versions are now deemed "stable" while completely untested.
Comment 12 Agostino Sarubbo gentoo-dev 2016-01-24 15:06:31 UTC
(In reply to Jeroen Roovers from comment #11)
> (In reply to Agostino Sarubbo from comment #10)
> > Because of our policy (kernel side) I marked stable some ebuilds.
> 
> So even kernel versions are now deemed "stable" while completely untested.

We don't need useless comments. Check the git log:

commit 5144328e22cb546ebaf02b025aeacea9676f918a
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Wed Oct 28 20:04:40 2015 -0400

    sys-kernel/gentoo-sources: Auto stabiize per policy and remove old, unsupported 3.12.X versions

commit 6a2ceeb4b2368290fa4cf8c9ea5553ee3638b95c
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Wed Oct 28 19:54:01 2015 -0400

    sys-kernel/gentoo-sources: Auto stablize per policy and remove old, unsupported 3.14.X versions

commit 5b87fd0881b4278b04c454cc6728c829fbd985e6
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Wed Oct 28 19:50:13 2015 -0400

    sys-kernel/gentoo-sources: Auto stabilize per policy. Clean up of old 3.10.X kernels.

commit 6758f52aab10201d6d2f9cb96f612b14b09fb989
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Mon Oct 26 08:05:53 2015 -0400

    sys-kernel/gentoo-sources: Auto stabilize 4.0.9 as per policy. Bug #564166



If you have something to discuss about the policy, that's not the right place.
Comment 13 Pacho Ramos gentoo-dev 2016-01-26 11:43:44 UTC
I am unsure if maybe 4.1.16 would be a better candidate as it looks to cover CVE-2015-7550 per:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.16

Thanks
Comment 14 Jeroen Roovers gentoo-dev 2016-01-27 17:43:51 UTC
I guess this is useless, but I am going to ask anyway: Why are arch teams still CC'd?
Comment 15 Mike Pagano gentoo-dev 2016-01-27 18:09:21 UTC
(In reply to Jeroen Roovers from comment #14)
> I guess this is useless, but I am going to ask anyway: Why are arch teams
> still CC'd?

3.18 needs stabilizing. Only amd64 has done it.
Comment 16 Jeroen Roovers gentoo-dev 2016-01-28 01:25:12 UTC
(In reply to Mike Pagano from comment #15)
> (In reply to Jeroen Roovers from comment #14)
> > I guess this is useless, but I am going to ask anyway: Why are arch teams
> > still CC'd?
> 
> 3.18 needs stabilizing. Only amd64 has done it.

Add another useless comment: even with the backported patch that resolves this security bug, the automated stabilisation monkey business was not enough?

Speaking for HPPA, no kernel/glibc combination is good enough right now, so 3.18 is right out. If you really want 3.18, then you will have to start accepting architecture specific patches again.
Comment 17 Jeroen Roovers gentoo-dev 2016-01-28 01:26:48 UTC
Either that or we call it the security theatre Ago's made it into and call it quits for arch teams.
Comment 18 Mike Pagano gentoo-dev 2016-01-28 01:36:18 UTC
(In reply to Jeroen Roovers from comment #16)
> (In reply to Mike Pagano from comment #15)
> > (In reply to Jeroen Roovers from comment #14)
> > > I guess this is useless, but I am going to ask anyway: Why are arch teams
> > > still CC'd?
> > 
> > 3.18 needs stabilizing. Only amd64 has done it.
> 
> Add another useless comment: even with the backported patch that resolves
> this security bug, the automated stabilisation monkey business was not
> enough?
> 
> Speaking for HPPA, no kernel/glibc combination is good enough right now, so
> 3.18 is right out. If you really want 3.18, then you will have to start
> accepting architecture specific patches again.


I don't know, maybe you're a good guy in real life. I'd like to give you the benefit of the doubt. But my interactions with you make me want to do less and less around here.

Close it, keep it open, I honestly care less and less these days.  

I have no strength nor care left to argue.
Comment 19 Jeroen Roovers gentoo-dev 2016-01-28 13:44:56 UTC
(In reply to Mike Pagano from comment #18)
> I don't know, maybe you're a good guy in real life. I'd like to give you the
> benefit of the doubt. But my interactions with you make me want to do less
> and less around here.
> 
> Close it, keep it open, I honestly care less and less these days.  
> 
> I have no strength nor care left to argue.

I'm sorry to hear that.
Comment 20 Dyweni 2016-01-28 22:37:40 UTC
It's been almost 10 days since the vulnerability has been reported.  The amd64 arch has been stabilized within 3-4 days.

--> What's it going to take to get the x86 arch stabilized? <--
Comment 21 Agostino Sarubbo gentoo-dev 2016-01-31 14:51:51 UTC
alpha/arm/ia64/ppc/ppc64/sparc/x86 now have 4.1.15-r1 stable.

@mpagano. I don't see a stable keyword for the 3.18 series, so for now I guess it is ok to leave only amd64/x86 as stable. We will accept future stablereq for this series.
You can cleanup now.
Comment 22 Tobias Klausmann gentoo-dev 2016-02-04 16:35:07 UTC
alpha@ out as per c#21
Comment 23 Agostino Sarubbo gentoo-dev 2016-03-15 17:47:28 UTC
(In reply to Tobias Klausmann from comment #22)
> alpha@ out as per c#21

other arches too.
Comment 24 Jeroen Roovers gentoo-dev 2016-11-02 14:52:23 UTC
Stable for HPPA (4.1.35).
Comment 25 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-26 01:23:39 UTC
Cleanup on affected sources complete.  Kernel so no GLSA.