Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 14 Jun 2010 10:00:56 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: Dan Rosenberg <dan.j.rosenberg@...il.com>
Subject: Re: CVE request - kernel: btrfs: prevent users from
 setting ACLs on files 	they do not own

On 06/14/2010 09:42 AM, Eugene Teo wrote:
> On 06/12/2010 04:32 AM, Dan Rosenberg wrote:
>> Shi Weihua discovered that btrfs did not check ownership of files
>> before setting ACLs, allowing any user to set ACLs for any file,
>> completely bypassing all file permissions. This wasn't reported as a
>> security issue, but it seems pretty serious to me (for those who use
>> btrfs). See http://lkml.org/lkml/2010/5/17/544 for his original post.
>
> Thanks, please use CVE-2010-2071.

Upstream commit: http://git.kernel.org/linus/2f26afba

Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ