214189 – JFFS2 incorrectly stores permissions on inode creation and ACL setting (CVE-2007-4849)

Bug 214189 - JFFS2 incorrectly stores permissions on inode creation and ACL setting (CVE-2007-4849)

Summary: JFFS2 incorrectly stores permissions on inode creation and ACL setting (CVE-2...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Kernel (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://www.debian.org/security/2007/d...
Whiteboard:	[linux < 2.6.23][linux < 2.6.22.9][li...
Keywords:

Depends on:
Blocks:

Reported:	2008-03-21 23:33 UTC by unnamedrambler
Modified:	2013-09-03 03:50 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description unnamedrambler 2008-03-21 23:33:11 UTC

+++ This bug was initially created as a clone of Bug #194075 +++

CVE-2007-4849:
  JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly
  other Linux systems, when POSIX ACL support is enabled, does not
  properly store permissions during (1) inode creation or (2) ACL
  setting, which might allow local users to access restricted files
  or directories after a remount of a filesystem, related to "legacy
  modes" and an inconsistency between dentry permissions and inode
  permissions.