Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 248754 (CVE-2008-5182)

Summary: Linux: <2.6.27.8 inotify race conditions (CVE-2008-5182)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: KernelAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: kernel
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8f7b0ba1c853919b85b54774775f567f30006107
Whiteboard: [linux <2.6.27.8]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-25 09:16:53 UTC 
CVE-2008-5182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5182):
  The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might
  allow local users to gain privileges via unknown vectors related to
  race conditions in inotify watch removal and umount.
Comment 3 Axel Dyks 2008-12-06 22:53:22 UTC 
Argh! It's .26 not .27 sorry.
Comment 4 Axel Dyks 2008-12-08 01:04:36 UTC 
(In reply to comment #3)
> Argh! It's .26 not .27 sorry.

Daniel just added this patch to genpatches (Version 5) for 2.6.26

  http://sources.gentoo.org/viewcvs.py/linux-patches?rev=1424&view=rev

and has released 2.6.26-r4 (already stable on x86/amd64).

Does this mean the bug can be closed?
Comment 5 kfm 2009-07-21 00:25:02 UTC 
Amended the Status Whiteboard. hardened-kernel unaffected at present time. Removing alias.

PS: genpatches-2.6.27-7 added 2.6.27.8 and, as Axel pointed out, >=genpatches-2.6.26-5 is unaffected. =genpatches-2.6.25* remains vulnerable.
However, hardened-sources-2.6.25-r13 does not because we independently folded
in the same patch.