Summary: | <sys-apps/acl-2.2.49 ACL modification flaw (CVE-2009-4411) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Bernd Wurst <bugzilla-gentoo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | base-system, hanno |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411 | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Bernd Wurst
2009-12-23 05:59:06 UTC
base-system, are you okay with stabilization? Also, acl has a new home and version 2.2.49: http://savannah.nongnu.org/projects/acl

CVE-2009-4411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4411): The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.

Some people seem to think the symlink fix didn't work completely in 2.2.47-r1 (see the referenced bug report). At any rate, 2.2.49 is in the tree now.

Archs, please stabilize 2.2.49, targets: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

x86 stable

amd64/arm stable

Stable for HPPA.

alpha/ia64/m68k/s390/sh/sparc stable

ppc and ppc64 done

Thanks, everyone. GLSA request filed.

This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).
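The flaw in the CVE text above is a recursive walk that dereferences symlinks it was told not to: with -P, a link planted by a local user inside the tree being processed must never lead the tool to a file or directory outside that tree. What follows is an added example, not part of the bug report and not the acl project's code. It is a small Python emulation of the -R walk in its -P (physical) and -L (logical) modes over a constructed directory tree, together with a check that reports every touched path lying outside the directory the administrator named. The layout and names (victim, shared, evil_file, evil_dir) and the escaped() helper are assumptions made for the demonstration; the key implementation point, deciding with lstat() before anything is dereferenced, is the general one.

```python
import os
import stat
import tempfile


def recursive_apply(root, apply_fn, physical=True):
    """Emulate the recursive (-R) walk of setfacl/getfacl and call
    apply_fn(path) on every entry it would operate on.

    physical=True  emulates -P: a symlink is never dereferenced, whether it
                   is the argument itself or is found inside a subdirectory.
    physical=False emulates -L: symlinks are followed, so the target, and
                   everything below it if it is a directory, is touched.
    Returns the list of paths handed to apply_fn, in walk order.
    """
    touched = []

    def visit(path):
        # lstat, not stat: we must learn whether *this entry* is a link
        # before doing anything else, or the link is silently followed.
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            if physical:
                return                      # -P: skip the link entirely
            if not os.path.exists(path):
                return                      # dangling link: nothing to do
            path = os.path.realpath(path)   # -L: operate on the target
            st = os.stat(path)
        touched.append(path)
        apply_fn(path)
        if stat.S_ISDIR(st.st_mode):
            for name in sorted(os.listdir(path)):
                visit(os.path.join(path, name))

    visit(root)
    return touched


def escaped(root, touched):
    """Return the touched paths that lie outside root's real directory.
    A non-empty result means the walk followed a link out of the tree,
    which is exactly the symlink-attack condition of CVE-2009-4411."""
    base = os.path.realpath(root)
    return [p for p in touched
            if os.path.commonpath([base, os.path.realpath(p)]) != base]


def build_tree(base):
    """Constructed layout for the demonstration (assumed, not from the bug):
    an attacker with write access to shared/ plants links pointing at a
    file and a directory the admin never meant to include in the change."""
    victim = os.path.join(base, "victim")
    shared = os.path.join(base, "shared")
    os.makedirs(os.path.join(victim, "deeper"))
    os.makedirs(os.path.join(shared, "sub"))
    for rel in ("victim/secret", "victim/deeper/key",
                "shared/a.txt", "shared/sub/b.txt"):
        with open(os.path.join(base, rel), "w") as f:
            f.write(rel + "\n")
    os.symlink(os.path.join(victim, "secret"), os.path.join(shared, "evil_file"))
    os.symlink(victim, os.path.join(shared, "evil_dir"))
    return shared, victim


def demo():
    """Run both walks over the constructed tree and return
    (physical_touched, physical_escapes, logical_touched, logical_escapes)
    as paths relative to the temporary base directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)        # realpath so relpath stays clean
        shared, _victim = build_tree(base)

        def rel(paths):
            return [os.path.relpath(p, base) for p in paths]

        phys = recursive_apply(shared, lambda p: None, physical=True)
        logi = recursive_apply(shared, lambda p: None, physical=False)
        return (rel(phys), rel(escaped(shared, phys)),
                rel(logi), rel(escaped(shared, logi)))


if __name__ == "__main__":
    p, pe, l, le = demo()
    print("-P touched:", p, "escapes:", pe)
    print("-L touched:", l, "escapes:", le)
```

The same check can be run against the installed binaries: build the tree above on an ACL-enabled filesystem, run `setfacl -R -P -m u:nobody:r shared`, and confirm with `getfacl victim/secret` that no entry for nobody appeared. Any entry there means the walk dereferenced a link it was told to ignore, which is the behaviour fixed in 2.2.49.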