Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 286096 (CVE-2009-3286) - Kernel: NFSv4 O_EXCL creates broken (CVE-2009-3286)
Summary: Kernel: NFSv4 O_EXCL creates broken (CVE-2009-3286)
Alias: CVE-2009-3286
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: [linux <2.6.19]
Depends on:
Reported: 2009-09-23 14:29 UTC by Alex Legler (RETIRED)
Modified: 2013-09-15 18:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-23 14:29:29 UTC
CVE-2009-3286 (
  NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does
  not properly clean up an inode when an O_EXCL create fails, which
  causes files to be created with insecure settings such as setuid
  bits, and possibly allows local users to gain privileges, related to
  the execution of the do_open_permission function even when a create
  fails. That also explains why we don't see this problem with
  root...the permission check is always passing there (provided we're
  not root squashing).