
Issue 854580

Issue metadata

Status: WontFix
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug-Security



CVE-2017-18270 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Jun 20 2018

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-18270
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-18270
  CVSS severity score: 3.6/10.0
  Description:

In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

 

Comment 1 by zsm@chromium.org, Jun 20 2018

Cc: groeck@chromium.org wonderfly@chromium.org
Labels: Security_Severity-Low Security_Impact-Stable Pri-3
Owner: zsm@chromium.org
Status: WontFix (was: Untriaged)
Upstream commit is 237bbd29("KEYS: prevent creating a different user's keyrings")

The patch is present in 4.14, 4.4, 3.18. Older kernels do not have this patch, and applying this patch causes merge conflicts. As the severity of this bug is low, and as a backport is not available in upstream stable, marking as WontFix.
