[Secure-testing-team] Bug#566684: kfreebsd-7: ZFS security bug, local users may access unauthorized files - CVE-2010-0318
Pedro R
pedrib at gmail.com
Sun Jan 24 14:44:40 UTC 2010
Package: kfreebsd-7
Severity: grave
Tags: security
Justification: user security hole
Hi,

the replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, and 8.0,
when creating files during replay of a setattr transaction, uses weak permissions (7777)
instead of the original permissions, which might allow local users to read or modify
unauthorized files in opportunistic circumstances after a system crash or power failure.

Further description and patches are available at
http://security.freebsd.org/advisories/FreeBSD-SA-10:03.zfs.asc

See also http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0318

Regards

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32.4 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
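
A post-crash check that follows from the report above, added here as an example and not taken from the report or the FreeBSD advisory: it lists every entry on one file system whose mode is exactly 7777, the value the report names. The function names and the choice to stay on a single device are assumptions of this example.

```python
import os
import stat
import sys

WEAK_MODE = 0o7777  # mode named in the report: setuid, setgid, sticky, rwx for all


def has_replay_mode(st_mode):
    """True when all twelve permission bits are set (mode 7777)."""
    return stat.S_IMODE(st_mode) == WEAK_MODE


def _dev(path):
    """Device id of path itself (symlinks not followed), or None if unreadable."""
    try:
        return os.lstat(path).st_dev
    except OSError:
        return None


def scan(root):
    """Walk one file system below root and return (path, uid, gid, mtime)
    for every non-symlink entry whose mode is exactly 7777."""
    root_dev = os.lstat(root).st_dev
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Assumption of this example: do not descend into other mounts.
        dirnames[:] = [d for d in dirnames
                       if _dev(os.path.join(dirpath, d)) == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not the file's mode
            if has_replay_mode(st.st_mode):
                hits.append((path, st.st_uid, st.st_gid, int(st.st_mtime)))
    return sorted(hits)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, uid, gid, mtime in scan(target):
        print(f"{path}\tuid={uid}\tgid={gid}\tmtime={mtime}")
```

Run it against the mount point of each ZFS dataset; a hit still has to be compared with the permissions the file is supposed to have, since the script cannot know the original mode.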