CVE-2016-0728

Bug #1534887 reported by Steve Beattie on 2016-01-16
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-armadaxp (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-flo (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-goldfish (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-quantal (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-raring (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-saucy (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-trusty (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-utopic (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-vivid (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-wily (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-xenial (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-mako (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-manta (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-raspi2 (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-snapdragon (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-ti-omap4 (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned

Bug Description

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.

Break-Fix: 3a50597de8635cd05133bd12c95681c82fe7b878 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2

Steve Beattie (sbeattie) on 2016-01-16
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Wily):
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
importance: Undecided → High
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → High
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Wily):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → High
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → High
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Vivid):
importance: Undecided → High
description: updated
Steve Beattie (sbeattie) on 2016-01-16
Changed in linux-lts-trusty (Ubuntu Precise):
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
description: updated
summary: - placeholder
+ CVE-2016-0728
Steve Beattie (sbeattie) on 2016-01-19
information type: Private Security → Public Security

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1534887

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Trusty):
status: New → Incomplete
Changed in linux (Ubuntu Vivid):
status: New → Incomplete
Changed in linux (Ubuntu Wily):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-25.30

---------------
linux (4.2.0-25.30) wily; urgency=low

  [ Upstream Kernel Changes ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Luis Henriques <email address hidden> Mon, 18 Jan 2016 10:30:55 +0000

Changed in linux (Ubuntu Wily):
status: Incomplete → Fix Released
status: Incomplete → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-47.53

---------------
linux (3.19.0-47.53) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Luis Henriques <email address hidden> Mon, 18 Jan 2016 10:22:21 +0000

Changed in linux (Ubuntu Vivid):
status: Incomplete → Fix Released
status: Incomplete → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-76.120

---------------
linux (3.13.0-76.120) trusty; urgency=low

  [ Upstream Kernel Changes ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Luis Henriques <email address hidden> Mon, 18 Jan 2016 09:54:03 +0000

Changed in linux (Ubuntu Trusty):
status: Incomplete → Fix Released
status: Incomplete → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-wily - 4.2.0-25.30~14.04.1

---------------
linux-lts-wily (4.2.0-25.30~14.04.1) trusty; urgency=low

  [ Upstream Kernel Changes ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Luis Henriques <email address hidden> Mon, 18 Jan 2016 13:30:42 +0000

Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-vivid - 3.19.0-47.53~14.04.1

---------------
linux-lts-vivid (3.19.0-47.53~14.04.1) trusty; urgency=low

  [ Upstream Kernel Changes ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Luis Henriques <email address hidden> Mon, 18 Jan 2016 11:42:07 +0000

Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-utopic - 3.16.0-59.79~14.04.1

---------------
linux-lts-utopic (3.16.0-59.79~14.04.1) trusty; urgency=low

  [ Upstream Kernel Changes ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Luis Henriques <email address hidden> Mon, 18 Jan 2016 11:00:18 +0000

Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Fix Released
status: New → Fix Released
Changed in linux-raspi2 (Ubuntu Wily):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-raspi2 - 4.2.0-1020.27

---------------
linux-raspi2 (4.2.0-1020.27) wily; urgency=low

  [ Luis Henriques ]

  * rebased on Ubuntu-4.2.0-25.30

  [ Ubuntu: 4.2.0-25.30 ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Luis Henriques <email address hidden> Mon, 18 Jan 2016 14:05:07 +0000

Changed in linux-raspi2 (Ubuntu Wily):
status: New → Fix Released
Adam Conrad (adconrad) on 2016-01-19
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-trusty - 3.13.0-76.120~precise1

---------------
linux-lts-trusty (3.13.0-76.120~precise1) precise; urgency=low

  [ Upstream Kernel Changes ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Luis Henriques <email address hidden> Tue, 19 Jan 2016 10:49:51 +0000

Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Fix Released
status: New → Fix Released
Timothy Pearson (kb9vqf) wrote :

When are the kernel 4.4 packages going to be rebuilt with the fix?

Steve Beattie (sbeattie) on 2016-01-20
tags: added: kernel-cve-tracking-bug
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.3.0-7.18

---------------
linux (4.3.0-7.18) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1535736

  [ Andy Whitcroft ]

  * [Config] s390x -- the kernel provides ppp-modules such as there are

  [ Upstream Kernel Changes ]

  * KEYS: Fix keyring ref leak in join_session_keyring()
    - LP: #1534887
    - CVE-2016-0728

 -- Tim Gardner <email address hidden> Mon, 11 Jan 2016 18:49:51 -0700

Changed in linux (Ubuntu Xenial):
status: Incomplete → Fix Released
Steve Beattie (sbeattie) on 2016-01-22
description: updated
Steve Beattie (sbeattie) on 2016-01-25
Changed in linux-manta (Ubuntu Vivid):
status: New → Invalid
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Invalid
Changed in linux-mako (Ubuntu Vivid):
status: New → Invalid
Changed in linux-goldfish (Ubuntu Vivid):
status: New → Invalid
Changed in linux-flo (Ubuntu Vivid):
status: New → Invalid
description: updated
Steve Beattie (sbeattie) on 2016-02-10
Changed in linux-raspi2 (Ubuntu Xenial):
status: Invalid → Fix Committed
description: updated
Steve Beattie (sbeattie) on 2016-02-11
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
Steve Beattie (sbeattie) on 2016-04-19
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers