Date: Sat, 25 Jun 2016 07:12:39 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: David Sinquin <>, Ben Hutchings <>,
	CVE Assignments MITRE <>
Subject: Linux CVE-2016-1237: nfsd: any user can set a file's ACL over NFS
 and grant access to it


David Sinquin reported that anyone may be able to grant themselves
permissions to a file by setting the ACL. nfsd did not check
permissions when setting ACLs.

CVE-2016-1237 was assigned by the Debian security team for this issue
where David Sinquin initially reported the issue.

The permission checks and inode locking were lost in a refactoring
with commit 4ac7249ea5a0ceef9f8269f63f33cc873c3fac61 which was in

The issue is fixed with commit
999653786df6954a31044528ac3f7a5dadca08f4 in Linus' tree.

Introduced in: (v3.14-rc1)


Fixed by 

