CVE-2016-9604

Metadata

medium
unknown
linux, linux-ti-omap4, linux-linaro-omap, linux-linaro-shared, linux-linaro-vexpress, linux-qcm-msm, linux-armadaxp, linux-lts-quantal, linux-lts-raring, linux-lts-saucy, linux-lts-trusty, linux-goldfish, linux-grouper, linux-maguro, linux-mako, linux-manta, linux-flo, linux-raspi2, linux-lts-utopic, linux-lts-vivid, linux-lts-wily, linux-lts-xenial, linux-snapdragon, linux-aws, linux-hwe, linux-hwe-edge, linux-gke, linux-azure, linux-gcp, linux-kvm, linux-euclid, linux-oem, linux-krillin, linux-vegetahd
CVE-2016-9604
cve.mitre.org, git.kernel.org, ubuntu.com, ubuntu.com, ubuntu.com, ubuntu.com, ubuntu.com, ubuntu.com
2016-12-31
2017-11-17 20:26

Description

Keyrings whose names begin with a '.' are special internal keyrings, so userspace isn't allowed to create keyrings by this name, to prevent shadowing. However, the patch that added the guard didn't fix KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings, it can also subscribe to them as a session keyring if they grant SEARCH permission to the user. This, for example, allows a root process to set .builtin_trusted_keys as its session keyring, at which point it has full access because now the possessor permissions are added. This permits root to add extra public keys, thereby bypassing module verification.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages, and tells you if any of them are vulnerable.


Affected package information

Release Package Patched in
precise/esm linux-lts-trusty 3.13.0-132.181~precise1
product linux-krillin None
linux-vegetahd None
trusty linux 3.13.0-132.181
linux-lts-xenial 4.4.0-79.100~14.04.1
upstream linux 4.11~rc8
linux-armadaxp 4.11~rc8
linux-aws 4.11~rc8
linux-azure 4.11~rc8
linux-euclid 4.11~rc8
linux-flo 4.11~rc8
linux-gcp 4.11~rc8
linux-gke 4.11~rc8
linux-goldfish 4.11~rc8
linux-grouper 4.11~rc8
linux-hwe 4.11~rc8
linux-hwe-edge 4.11~rc8
linux-kvm 4.11~rc8
linux-linaro-omap 4.11~rc8
linux-linaro-shared 4.11~rc8
linux-linaro-vexpress 4.11~rc8
linux-lts-quantal 4.11~rc8
linux-lts-raring 4.11~rc8
linux-lts-saucy 4.11~rc8
linux-lts-trusty 4.11~rc8
linux-lts-utopic 4.11~rc8
linux-lts-vivid 4.11~rc8
linux-lts-wily 4.11~rc8
linux-lts-xenial 4.11~rc8
linux-maguro 4.11~rc8
linux-mako 4.11~rc8
linux-manta 4.11~rc8
linux-oem 4.11~rc8
linux-qcm-msm 4.11~rc8
linux-raspi2 4.11~rc8
linux-snapdragon 4.11~rc8
linux-ti-omap4 4.11~rc8
xenial linux 4.4.0-79.100
linux-aws 4.4.0-1018.27
linux-gke 4.4.0-1014.14
linux-hwe 4.10.0-27.30~16.04.2
linux-hwe-edge 4.10.0-22.24~16.04.1
linux-oem 4.13.0-1008.9  pending
linux-raspi2 4.4.0-1057.64
linux-snapdragon 4.4.0-1059.63
yakkety linux-snapdragon 4.4.0-1059.63
zesty linux 4.10.0-22.24
linux-raspi2 4.10.0-1006.8
linux-snapdragon 4.4.0-1059.63

Unaffected

Release Package Reason
precise linux ignored
linux-ti-omap4 ignored
linux-linaro-omap ignored
linux-linaro-shared ignored
linux-linaro-vexpress ignored
linux-qcm-msm ignored
linux-armadaxp ignored
linux-lts-quantal ignored
linux-lts-raring ignored
linux-lts-saucy ignored
linux-lts-trusty ignored
linux-goldfish DNE
linux-grouper DNE
linux-maguro DNE
linux-mako DNE
linux-manta DNE
linux-flo DNE
linux-raspi2 DNE
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-snapdragon DNE
linux-aws DNE
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
precise/esm linux ignored
linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-goldfish DNE
linux-grouper DNE
linux-maguro DNE
linux-mako DNE
linux-manta DNE
linux-flo DNE
linux-raspi2 DNE
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-snapdragon DNE
linux-aws DNE
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
linux-azure DNE
linux-gcp DNE
linux-kvm DNE
linux-euclid DNE
linux-oem DNE
vivid/ubuntu-core linux ignored
linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-lts-trusty DNE
linux-goldfish DNE
linux-grouper DNE
linux-maguro DNE
linux-mako DNE
linux-manta DNE
linux-flo DNE
linux-raspi2 ignored
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-snapdragon DNE
linux-aws DNE
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
linux-azure DNE
linux-gcp DNE
linux-kvm DNE
linux-euclid DNE
vivid/stable-phone-overlay linux DNE
linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-lts-trusty DNE
linux-goldfish DNE
linux-grouper DNE
linux-maguro DNE
linux-mako ignored
linux-manta DNE
linux-flo ignored
linux-raspi2 DNE
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-snapdragon DNE
linux-aws DNE
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
linux-azure DNE
yakkety linux ignored
linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-lts-trusty DNE
linux-goldfish ignored
linux-grouper DNE
linux-maguro DNE
linux-mako ignored
linux-manta DNE
linux-flo ignored
linux-raspi2 ignored
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-aws DNE
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
linux-azure DNE
linux-gcp DNE
artful linux not-affected
linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-lts-trusty DNE
linux-goldfish DNE
linux-grouper DNE
linux-maguro DNE
linux-mako DNE
linux-manta DNE
linux-flo DNE
linux-raspi2 not-affected
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-snapdragon not-affected
linux-aws DNE
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
linux-azure DNE
linux-gcp DNE
linux-kvm DNE
linux-euclid DNE
linux-oem DNE
devel linux not-affected
linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-lts-trusty DNE
linux-goldfish DNE
linux-grouper DNE
linux-maguro DNE
linux-mako DNE
linux-manta DNE
linux-flo DNE
linux-raspi2 not-affected
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-snapdragon not-affected
linux-aws DNE
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
linux-azure DNE
linux-gcp DNE
linux-kvm DNE
linux-euclid DNE
linux-oem DNE
trusty linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-lts-trusty DNE
linux-goldfish ignored
linux-grouper ignored
linux-maguro ignored
linux-mako ignored
linux-manta ignored
linux-flo ignored
linux-raspi2 DNE
linux-lts-utopic ignored
linux-lts-vivid ignored
linux-lts-wily ignored
linux-snapdragon DNE
linux-aws not-affected
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
linux-azure DNE
linux-gcp DNE
linux-kvm DNE
linux-euclid DNE
linux-oem DNE
xenial linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-lts-trusty DNE
linux-goldfish ignored
linux-grouper DNE
linux-maguro DNE
linux-mako ignored
linux-manta DNE
linux-flo ignored
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-azure not-affected
linux-gcp not-affected
linux-kvm not-affected
linux-euclid ignored
zesty linux-ti-omap4 DNE
linux-linaro-omap DNE
linux-linaro-shared DNE
linux-linaro-vexpress DNE
linux-qcm-msm DNE
linux-armadaxp DNE
linux-lts-quantal DNE
linux-lts-raring DNE
linux-lts-saucy DNE
linux-lts-trusty DNE
linux-goldfish ignored
linux-grouper DNE
linux-maguro DNE
linux-mako DNE
linux-manta DNE
linux-flo DNE
linux-lts-utopic DNE
linux-lts-vivid DNE
linux-lts-wily DNE
linux-lts-xenial DNE
linux-aws DNE
linux-hwe DNE
linux-hwe-edge DNE
linux-gke DNE
linux-azure DNE
linux-gcp DNE
linux-kvm DNE
linux-euclid DNE
linux-oem DNE