
Bug 214189

Summary: JFFS2 incorrectly stores permissions on inode creation and ACL setting (CVE-2007-4849)
Product: Gentoo Security
Reporter: unnamedrambler
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chainsaw, kernel
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.debian.org/security/2007/dsa-1378
Whiteboard: [linux < 2.6.23][linux < 2.6.22.9][linux <= 2.6.21.7][linux < 2.6.20.16][linux < 2.6.19.3][genpatches < 2.6.23-1]
Package list:
Runtime testing required: ---

Description unnamedrambler 2008-03-21 23:33:11 UTC
+++ This bug was initially created as a clone of Bug #194075 +++

CVE-2007-4849:
  JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly
  other Linux systems, when POSIX ACL support is enabled, does not
  properly store permissions during (1) inode creation or (2) ACL
  setting, which might allow local users to access restricted files
  or directories after a remount of a filesystem, related to "legacy
  modes" and an inconsistency between dentry permissions and inode
  permissions.