The ReiserFS support code of Linux 2.6.x fails to properly handle crafted data structures, leading to an exploitable memory corruption condition when a sync is being done in a corrupted ReiserFS filesystem.
Not yet fixed upstream. Filed a bug here as I couldn't find any mention of it: http://bugzilla.kernel.org/show_bug.cgi?id=7737
*** Bug 156403 has been marked as a duplicate of this bug. ***
Bug was only ever present in fedora kernels, closing