oss-sec mailing list archives
Re: CVE request - kernel: btrfs: prevent users from setting ACLs on files they do not own
From: Eugene Teo <eugeneteo () kernel sg>
Date: Mon, 14 Jun 2010 10:00:56 +0800
On 06/14/2010 09:42 AM, Eugene Teo wrote:
On 06/12/2010 04:32 AM, Dan Rosenberg wrote:Shi Weihua discovered that btrfs did not check ownership of files before setting ACLs, allowing any user to set ACLs for any file, completely bypassing all file permissions. This wasn't reported as a security issue, but it seems pretty serious to me (for those who use btrfs). See http://lkml.org/lkml/2010/5/17/544 for his original post.Thanks, please use CVE-2010-2071.
Upstream commit: http://git.kernel.org/linus/2f26afba Eugene -- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Current thread:
- CVE request - kernel: btrfs: prevent users from setting ACLs on files they do not own Dan Rosenberg (Jun 11)
- Re: CVE request - kernel: btrfs: prevent users from setting ACLs on files they do not own Eugene Teo (Jun 13)
- Re: CVE request - kernel: btrfs: prevent users from setting ACLs on files they do not own Eugene Teo (Jun 13)
- Re: CVE request - kernel: btrfs: prevent users from setting ACLs on files they do not own Eugene Teo (Jun 13)