Oval Definition:	oval:com.ubuntu.precise:def:20169604000
Revision Date: 2016-12-31 Version: 1 Title: CVE-2016-9604 on Ubuntu 12.04 LTS (precise) - medium. Description: Keyrings whose name begin with a '.' are special internal keyrings and so userspace isn't allowed to create keyrings by this name to prevent shadowing. However, the patch that added the guard didn't fix KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings, it can also subscribe to them as a session keyring if they grant SEARCH permission to the user. This, for example, allows a root process to set .builtin_trusted_keys as its session keyring, at which point it has full access because now the possessor permissions are added. This permits root to add extra public keys, thereby bypassing module verification. Family: unix Class: vulnerability Status: Reference(s): CVE-2016-9604 Platform(s): Ubuntu 12.04 LTS Product(s): Definition Synopsis Ubuntu 12.04 LTS (precise) is installed. AND Package Information The 'linux' package in precise is affected and needs fixing. OR The 'linux-armadaxp' package in precise is affected and needs fixing. OR While related to the CVE in some way, a decision has been made to ignore it (note: 'abandoned'). OR While related to the CVE in some way, a decision has been made to ignore it (note: 'abandoned'). OR While related to the CVE in some way, a decision has been made to ignore it (note: 'abandoned'). OR While related to the CVE in some way, a decision has been made to ignore it (note: 'end-of-life'). OR While related to the CVE in some way, a decision has been made to ignore it (note: 'end-of-life'). OR While related to the CVE in some way, a decision has been made to ignore it (note: 'end-of-life'). OR The 'linux-lts-trusty' package in precise is affected and needs fixing. OR While related to the CVE in some way, a decision has been made to ignore it (note: 'abandoned'). OR The 'linux-ti-omap4' package in precise is affected and needs fixing.
BACK