[kernel-sec-discuss] r952 - active
jmm at alioth.debian.org
jmm at alioth.debian.org
Fri Sep 21 08:42:59 UTC 2007
Author: jmm
Date: 2007-09-21 08:42:59 +0000 (Fri, 21 Sep 2007)
New Revision: 952
Modified:
active/CVE-2007-4849
Log:
JFFS2 information disclosure doesn't affect Sarge
Modified: active/CVE-2007-4849
===================================================================
--- active/CVE-2007-4849 2007-09-19 13:34:02 UTC (rev 951)
+++ active/CVE-2007-4849 2007-09-21 08:42:59 UTC (rev 952)
@@ -1,14 +1,24 @@
Candidate: CVE-2007-4849
References:
+ http://git.infradead.org/?p=mtd-2.6.git;a=commitdiff;h=9ed437c50d89eabae763dd422579f73fdebf288d
+ http://lists.infradead.org/pipermail/linux-mtd-cvs/2007-August/005897.html
+ http://dev.laptop.org/ticket/2732
Description:
+ JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly other Linux
+ systems, when POSIX ACL support is enabled, does not properly store permissions during
+ (1) inode creation or (2) ACL setting, which might allow local users to access
+ restricted files or directories after a remount of a filesystem, related to "legacy
+ modes" and an inconsistency between dentry permissions and inode permissions.
Ubuntu-Description:
Notes:
+ jmm> ACL support was introduced in 2.6.17 with commit aa98d7cf59b5b0764d3502662053489585faf2fe, marking
+ jmm> earlier Debian releases as N/A
Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security:
-2.6.8-sarge-security:
-2.4.27-sarge-security:
+upstream: released (2.6.23-rc4)
+linux-2.6: needed
+2.6.18-etch-security: needed
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
2.6.15-dapper-security:
2.6.17-edgy-security:
2.6.20-feisty-security:
More information about the kernel-sec-discuss
mailing list