Bug 212145 - sys-freebsd/freebsd-sources < 6.2-r4 sendfile(2) write-only file permission bypass (CVE-2008-0777)
Bug#: 212145 (CVE-2008-0777) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: trivial Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://security.freebsd.org/advisories/FreeBSD-SA-08:03.sendfile.asc
Summary: sys-freebsd/freebsd-sources < 6.2-r4 sendfile(2) write-only file permission bypass (CVE-2008-0777)
Status Whiteboard: ~3 [noglsa]
Opened: 2008-03-03 01:32 0000
Description:
CVE-2008-0777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0777):
  The sendfile system call in FreeBSD 5.5 through 7.0 does not check the access
  flags of the file descriptor used for sending a file, which allows local
  users to read the contents of write-only files.
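
A patch-verification check for the behaviour described above, added here as an example (it is not from the FreeBSD advisory or from this bug): it creates its own scratch file, reopens it write-only, and reports whether sendfile(2) refuses that descriptor as the source. The function name and scratch path are assumptions, and the Linux branch is included only so the check also builds there.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifdef __linux__
#include <sys/sendfile.h>
#else
#include <sys/uio.h>
#endif

/* Hypothetical helper. Returns 1 if sendfile refuses a write-only source
 * descriptor (the fixed behaviour), 0 if it sent data anyway (descriptor
 * access mode not checked), -1 if the check could not be set up. */
int sendfile_rejects_wronly(void)
{
    char path[] = "/tmp/sf_check_XXXXXX";      /* constructed scratch file */
    const char msg[] = "constructed test data";
    int sv[2], result = -1;
    off_t pos = 0;

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, msg, sizeof msg) != (ssize_t)sizeof msg)
        goto out;
    close(fd);
    fd = open(path, O_WRONLY);                 /* descriptor has no read access */
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        goto out;
#ifdef __linux__
    /* Linux: sendfile(out_fd, in_fd, offset, count) */
    ssize_t n = sendfile(sv[0], fd, &pos, sizeof msg);
    result = (n < 0 && errno == EBADF) ? 1 : 0;
#else
    /* FreeBSD: sendfile(fd, s, offset, nbytes, hdtr, sbytes, flags);
     * any failure with nothing sent is counted as a refusal. */
    int rc = sendfile(fd, sv[0], 0, sizeof msg, NULL, &pos, 0);
    result = (rc < 0 && pos == 0) ? 1 : 0;
#endif
    close(sv[0]);
    close(sv[1]);
out:
    if (fd >= 0)
        close(fd);
    unlink(path);
    return result;
}
```

A return value of 0 on a FreeBSD host means the kernel sources predate the fix that comment #3 reports for 6.2-r4.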

------- Comment #1 From Robert Buchholz 2008-03-03 01:33:27 0000 -------
BSD herd, please act.

This is the third security bug that is now open, and the others are not moving
at all. Are you maintaining the Gentoo BSD port, or can/should this be
p.masked?

------- Comment #2 From Pierre-Yves Rofes 2008-05-09 14:26:41 0000 -------
(In reply to comment #1)
> BSD herd, please act.
> 
> This is the third security bug that is now open, and the others are not moving
> at all. Are you maintaining the Gentoo BSD port, or can/should this be
> p.masked?
> 

*ping*

------- Comment #3 From Alexis Ballier 2008-05-17 19:55:28 0000 -------
6.2-r4 has the patch

------- Comment #4 From Pierre-Yves Rofes 2008-05-17 20:37:37 0000 -------
thanks, closing.