Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 18 May 2010 13:44:40 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: kernel: btrfs: check for read permission on src 
	file in the clone ioctl

Ubuntu 10.4 ships with a kernel that supports btrfs:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579585

In case the bug description needs clarification, the bug allows an
unprivileged user to clone files that can be opened for writing
without read permissions.  Since cloning results in the creation of a
duplicate copy owned by the user who performed the cloning operation,
this is an information disclosure vulnerability.

-Dan

On Tue, May 18, 2010 at 5:13 AM, Eugene Teo <eugene@...hat.com> wrote:
> The existing [btrfs] code would have allowed you to clone a file that was
> only open for writing. Not an expected behaviour.
>
> Upstream commit:
> http://git.kernel.org/linus/5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395
>
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=593226
>
> I'm not requesting a CVE name for this as it did not affect any of Red Hats'
> supported Linux kernels.
>
> Thanks, Eugene
> --
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.