get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.2/patches/810055/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 810055,
    "url": "http://patchwork.ozlabs.org/api/1.2/patches/810055/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170905093358.28935-1-kleber.souza@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/1.2/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20170905093358.28935-1-kleber.souza@canonical.com>",
    "list_archive_url": null,
    "date": "2017-09-05T09:33:58",
    "name": "[Trusty,SRU,CVE-2016-9604] KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "942f126bd875cc3440b9a7ddae7782446dd274e4",
    "submitter": {
        "id": 71419,
        "url": "http://patchwork.ozlabs.org/api/1.2/people/71419/?format=api",
        "name": "Kleber Sacilotto de Souza",
        "email": "kleber.souza@canonical.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170905093358.28935-1-kleber.souza@canonical.com/mbox/",
    "series": [
        {
            "id": 1535,
            "url": "http://patchwork.ozlabs.org/api/1.2/series/1535/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=1535",
            "date": "2017-09-05T09:33:58",
            "name": "[Trusty,SRU,CVE-2016-9604] KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/1535/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/810055/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/810055/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org",
        "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)",
        "Received": [
            "from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmhPB20M4z9s0g;\n\tTue,  5 Sep 2017 19:34:06 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dpAF9-0002Ga-EA; Tue, 05 Sep 2017 09:34:03 +0000",
            "from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dpAF7-0002GL-AL\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 09:34:01 +0000",
            "from mail-wr0-f199.google.com ([209.85.128.199])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dpAF7-0004LU-31\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 09:34:01 +0000",
            "by mail-wr0-f199.google.com with SMTP id 40so4054872wrv.4\n\tfor <kernel-team@lists.ubuntu.com>;\n\tTue, 05 Sep 2017 02:34:01 -0700 (PDT)",
            "from localhost (ip5f5bd015.dynamic.kabel-deutschland.de.\n\t[95.91.208.21]) by smtp.gmail.com with ESMTPSA id\n\tg14sm52668edg.50.2017.09.05.02.33.59\n\tfor <kernel-team@lists.ubuntu.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);\n\tTue, 05 Sep 2017 02:33:59 -0700 (PDT)"
        ],
        "X-Received": [
            "by 10.80.241.89 with SMTP id z25mr2752357edl.294.1504604040494; \n\tTue, 05 Sep 2017 02:34:00 -0700 (PDT)",
            "by 10.80.241.89 with SMTP id z25mr2752344edl.294.1504604040184; \n\tTue, 05 Sep 2017 02:34:00 -0700 (PDT)"
        ],
        "X-Google-Smtp-Source": "ADKCNb4OrUdICDR3WgTZdlMwtmMtzNCaTShngL+6Q3WEyNw31UKoXbH0KuTZpNnk7P2AvR0YM6GrgQ==",
        "From": "Kleber Sacilotto de Souza <kleber.souza@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[Trusty SRU][CVE-2016-9604][PATCH] KEYS: Disallow keyrings beginning\n\twith '.' to be joined as session keyrings",
        "Date": "Tue,  5 Sep 2017 11:33:58 +0200",
        "Message-Id": "<20170905093358.28935-1-kleber.souza@canonical.com>",
        "X-Mailer": "git-send-email 2.14.1",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.20",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "MIME-Version": "1.0",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"
    },
    "content": "From: David Howells <dhowells@redhat.com>\n\nThis fixes CVE-2016-9604.\n\nKeyrings whose name begin with a '.' are special internal keyrings and so\nuserspace isn't allowed to create keyrings by this name to prevent\nshadowing.  However, the patch that added the guard didn't fix\nKEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,\nit can also subscribe to them as a session keyring if they grant SEARCH\npermission to the user.\n\nThis, for example, allows a root process to set .builtin_trusted_keys as\nits session keyring, at which point it has full access because now the\npossessor permissions are added.  This permits root to add extra public\nkeys, thereby bypassing module verification.\n\nThis also affects kexec and IMA.\n\nThis can be tested by (as root):\n\n\tkeyctl session .builtin_trusted_keys\n\tkeyctl add user a a @s\n\tkeyctl list @s\n\nwhich on my test box gives me:\n\n\t2 keys in keyring:\n\t180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05\n\t801382539: --alswrv     0     0 user: a\n\nFix this by rejecting names beginning with a '.' in the keyctl.\n\nSigned-off-by: David Howells <dhowells@redhat.com>\nAcked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>\ncc: linux-ima-devel@lists.sourceforge.net\ncc: stable@vger.kernel.org\n(cherry picked from commit ee8f844e3c5a73b999edf733df1c529d6503ec2f)\nSigned-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>\n---\n security/keys/keyctl.c | 9 +++++++--\n 1 file changed, 7 insertions(+), 2 deletions(-)",
    "diff": "diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c\nindex 9360394b3c10..4e3fecc72f43 100644\n--- a/security/keys/keyctl.c\n+++ b/security/keys/keyctl.c\n@@ -271,7 +271,8 @@ error:\n  * Create and join an anonymous session keyring or join a named session\n  * keyring, creating it if necessary.  A named session keyring must have Search\n  * permission for it to be joined.  Session keyrings without this permit will\n- * be skipped over.\n+ * be skipped over.  It is not permitted for userspace to create or join\n+ * keyrings whose name begin with a dot.\n  *\n  * If successful, the ID of the joined session keyring will be returned.\n  */\n@@ -288,12 +289,16 @@ long keyctl_join_session_keyring(const char __user *_name)\n \t\t\tret = PTR_ERR(name);\n \t\t\tgoto error;\n \t\t}\n+\n+\t\tret = -EPERM;\n+\t\tif (name[0] == '.')\n+\t\t\tgoto error_name;\n \t}\n \n \t/* join the session */\n \tret = join_session_keyring(name);\n+error_name:\n \tkfree(name);\n-\n error:\n \treturn ret;\n }\n",
    "prefixes": [
        "Trusty",
        "SRU",
        "CVE-2016-9604"
    ]
}
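Review bot: in the first hunk of the "diff" field (the comment block above keyctl_join_session_keyring()), the added sentence "keyrings whose name begin with a dot" has a subject/verb mismatch; "keyrings whose names begin with a dot" reads correctly. Since this comment already documents the successful return value, it would also be worth stating here that a dot-prefixed name is rejected with -EPERM, which is what the second hunk implements.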
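Review bot: in the second hunk of the "diff" field, the new `error_name:` label is also reached on the success path, because `ret = join_session_keyring(name);` falls straight through to it before `kfree(name)`; a name that describes the shared cleanup (for example `out_free`) would be less misleading than one that suggests an error-only path. The `name[0] == '.'` test itself has no comment, so a one-line note that dot-prefixed keyrings are reserved for internal use and must not be created or joined from userspace would keep the reason next to the check. Note also that the rejection is added only in this keyctl entry point; join_session_keyring() is not changed by the diff, which matches the commit message ("rejecting names beginning with a '.' in the keyctl") but should be stated in the comment so later callers of the helper do not assume it filters names.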