Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 298067

Summary: <sys-apps/acl-2.2.49 ACL modification flaw (CVE-2009-4411)
Product: Gentoo Security Reporter: Bernd Wurst <bugzilla-gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: base-system, hanno
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Bernd Wurst 2009-12-23 05:59:06 UTC
Current stable version sys-apps/acl-2.2.47 has a critical bug about symlink handling. This leads to infinite loops and security problems.

See bug #265425 about info.

So please stabilize version 2.2.47-r1 which contains this fix for half a year now.
Comment 1 Hanno Böck gentoo-dev 2009-12-24 11:26:49 UTC
base-system, are you okay with stabilization?

Also, acl has a new home and version 2.2.49:
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-08 17:45:16 UTC
CVE-2009-4411 (
  The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
  running in recursive (-R) mode, follow symbolic links even when the
  --physical (aka -P) or -L option is specified, which might allow
  local users to modify the ACL for arbitrary files or directories via
  a symlink attack.

Comment 3 SpanKY gentoo-dev 2010-01-09 03:02:54 UTC
some people seem to think the symlink fix didnt work completely in 2.2.47-r1 (see the referenced bug report)

at any rate, 2.2.49 is in the tree now
Comment 4 Hanno Böck gentoo-dev 2010-03-27 18:05:21 UTC
Archs, please stabilize 2.2.49, targets:
alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-29 14:00:59 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2010-03-29 21:44:11 UTC
amd64/arm stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-04-01 13:13:45 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-04-02 12:18:12 UTC
alpha/ia64/m68k/s390/sh/sparc stable 
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-04-02 13:26:04 UTC
ppc and ppc64 done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:24:46 UTC
Thanks, everyone. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:20:41 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at
by GLSA coordinator Sean Amoss (ackle).