Bug 221123 (CVE-2008-2148) - Linux Kernels 2.6.22->2.6.25.2 - utimensat() file time modification bypass vulnerability (CVE-2008-2148)
Status: RESOLVED FIXED
Alias: CVE-2008-2148
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux >=2.6.22 <2.6.25.2]
Reported: 2008-05-09 19:06 UTC by Gordon Malm (RETIRED)
Modified: 2013-09-05 02:55 UTC
Description Gordon Malm (RETIRED) gentoo-dev 2008-05-09 19:06:16 UTC
http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git;a=blob;f=review-2.6.25/vfs-fix-permission-checking-in-sys_utimensat.patch;h=1da0b9bf9f078e3eb147a6799e5a74af2484014a;hb=cbe22288b271b4e4e51f5573281662f53466e41a

"If utimensat() is called with both times set to UTIME_NOW or one of them to
UTIME_NOW and the other to UTIME_OMIT, then it will update the file time
without any permission checking.

I don't think this can be used for anything other than a local DoS, but could
be quite bewildering at that (e.g.  "Why was that large source tree rebuilt
when I didn't modify anything???")

This affects all kernels from 2.6.22, when the utimensat() syscall was
introduced.

Fix by doing the same permission checking as for the "times == NULL" case."

Reproducible: Always
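
The permission decision described in the report, as an added user-space model in C (not code from the report or from the kernel patch). It compares the pre-fix behaviour with the fix's rule of applying the "times == NULL" check. Assumptions: the `struct caller` fields and function names are hypothetical; the "times == NULL" check is taken to be owner, privileged, or write access; explicit timestamps are taken to require owner or privileged; both fields UTIME_OMIT is treated as a no-op.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>              /* UTIME_NOW, UTIME_OMIT */
#include <time.h>

#ifndef UTIME_NOW                  /* fallback: values from the Linux UAPI */
#define UTIME_NOW  ((1L << 30) - 1L)
#define UTIME_OMIT ((1L << 30) - 2L)
#endif

/* Constructed description of the calling process (model assumption). */
struct caller { bool owner, can_write, privileged; };

static bool special(long nsec) { return nsec == UTIME_NOW || nsec == UTIME_OMIT; }

/* The check used for times == NULL: owner, privileged, or write access. */
static bool null_times_check(const struct caller *c)
{
    return c->owner || c->privileged || c->can_write;
}

/* True if the model permits the update. fixed == false reproduces the
 * behaviour described in the report; fixed == true applies the patch's rule. */
bool utimensat_allowed(const struct caller *c, const struct timespec *t, bool fixed)
{
    if (t == NULL)
        return null_times_check(c);
    if (t[0].tv_nsec == UTIME_OMIT && t[1].tv_nsec == UTIME_OMIT)
        return true;                          /* nothing to change */
    if (special(t[0].tv_nsec) && special(t[1].tv_nsec))
        return fixed ? null_times_check(c) : true;   /* the reported gap */
    return c->owner || c->privileged;         /* explicit timestamp values */
}

int main(void)
{
    const struct caller stranger = { false, false, false };
    const struct timespec now_now[2]  = { { .tv_nsec = UTIME_NOW }, { .tv_nsec = UTIME_NOW } };
    const struct timespec now_omit[2] = { { .tv_nsec = UTIME_NOW }, { .tv_nsec = UTIME_OMIT } };

    printf("non-owner, no write access:\n");
    printf("  NOW/NOW   before fix: %d  after fix: %d\n",
           utimensat_allowed(&stranger, now_now, false), utimensat_allowed(&stranger, now_now, true));
    printf("  NOW/OMIT  before fix: %d  after fix: %d\n",
           utimensat_allowed(&stranger, now_omit, false), utimensat_allowed(&stranger, now_omit, true));
    return 0;
}
```

The model leaves out immutable and append-only inode flags and collapses capabilities into a single `privileged` flag.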
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-10 11:31:56 UTC
Thanks for the report, but please use "gentoo security" when filing security bugs.