retired/CVE-2017-6951


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

Description: NULL pointer dereference in keyring_search_aux when type is "dead"
References:
 https://www.spinics.net/lists/keyrings/msg01845.html
 https://www.spinics.net/lists/keyrings/msg01846.html
 https://www.spinics.net/lists/keyrings/msg01849.html
 https://www.spinics.net/lists/keyrings/msg01882.html
Notes:
 carnil> Problem is said to not affect newer kernel, but
 carnil> the fixing commit needs to be found still which
 carnil> resolves the issue.
 bwh> I found it.
 carnil> There is c1644fe041ebaf6519f6809146a77c3ead9193af which changes
 carnil> name of the dead type to ".dead" to prevent user access.
 carnil> the equivalent commit for 4.9 is b2dd90e812f3f733b55f0bf4487032e53b487665
 carnil> which landed in 4.9.25
Bugs:
upstream: released (3.18-rc1) [c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81]
4.9-upstream-stable: N/A "Fixed before branch point"
3.16-upstream-stable: released (3.16.43) [c53ee259ad3da891e191dee7af119af340f9c01b]
3.2-upstream-stable: released (3.2.88) [e2b41f761b086da2ec43b1cfea14ca0681cd08b0]
sid: released (4.0.2-1)
3.16-jessie-security: released (3.16.43-1)
3.2-wheezy-security: released (3.2.88-1)