CVE-2008-5182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5182): The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.
http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git;a=blob;f=releases/2.6.27.8/fix-inotify-watch-removal-umount-races.patch;h=b446894e9fbc7b58817a569f68255d1259cdac77;hb=1db886b63e735c3439e5c2f6813c5207c2206895
(In reply to comment #1) > http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git;a=blob;f=releases/2.6.27.8/fix-inotify-watch-removal-umount-races.patch;h=b446894e9fbc7b58817a569f68255d1259cdac77;hb=1db886b63e735c3439e5c2f6813c5207c2206895 > gentoo-sources-2.6.26-r4 are based on 2.6.27.8. Just marked stable on x86/amd64 by dsd.
Argh! It's .26 not .27 sorry.
(In reply to comment #3) > Argh! It's .26 not .27 sorry. Daniel just added this patch to genpatches (Version 5) for 2.6.26 http://sources.gentoo.org/viewcvs.py/linux-patches?rev=1424&view=rev and has released 2.6.26-r4 (already stable on x86/amd64). Does this mean the bug can be closed?
Amended the Status Whiteboard. hardened-kernel unaffected at present time. Removing alias. PS: genpatches-2.6.27-7 added 2.6.27.8 and, as Axel pointed out, >=genpatches-2.6.26-5 is unaffected. =genpatches-2.6.25* remains vulnerable. However, hardened-sources-2.6.25-r13 does not because we independently folded in the same patch.
