Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 248754 (CVE-2008-5182) - Linux: <2.6.27.8 inotify race conditions (CVE-2008-5182)
Summary: Linux: <2.6.27.8 inotify race conditions (CVE-2008-5182)
Status: RESOLVED FIXED
Alias: CVE-2008-5182
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux <2.6.27.8]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-25 09:16 UTC by Stefan Behte (RETIRED)
Modified: 2013-09-05 03:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-25 09:16:53 UTC
CVE-2008-5182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5182):
  The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might
  allow local users to gain privileges via unknown vectors related to
  race conditions in inotify watch removal and umount.
Comment 3 Axel Dyks 2008-12-06 22:53:22 UTC
Argh! It's .26 not .27 sorry.
Comment 4 Axel Dyks 2008-12-08 01:04:36 UTC
(In reply to comment #3)
> Argh! It's .26 not .27 sorry.

Daniel just added this patch to genpatches (Version 5) for 2.6.26

  http://sources.gentoo.org/viewcvs.py/linux-patches?rev=1424&view=rev

and has released 2.6.26-r4 (already stable on x86/amd64).

Does this mean the bug can be closed? 

Comment 5 Kerin Millar 2009-07-21 00:25:02 UTC
Amended the Status Whiteboard. hardened-kernel unaffected at present time. Removing alias.

PS: genpatches-2.6.27-7 added 2.6.27.8 and, as Axel pointed out, >=genpatches-2.6.26-5 is unaffected. =genpatches-2.6.25* remains vulnerable.
However, hardened-sources-2.6.25-r13 does not because we independently folded
in the same patch.