Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 298067 - <sys-apps/acl-2.2.49 ACL modification flaw (CVE-2009-4411)
Summary: <sys-apps/acl-2.2.49 ACL modification flaw (CVE-2009-4411)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-12-23 05:59 UTC by Bernd Wurst
Modified: 2014-12-12 00:20 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bernd Wurst 2009-12-23 05:59:06 UTC
Current stable version sys-apps/acl-2.2.47 has a critical bug about symlink handling. This leads to infinite loops and security problems.

See bug #265425 about info.

So please stabilize version 2.2.47-r1 which contains this fix for half a year now.
Comment 1 Hanno Böck gentoo-dev 2009-12-24 11:26:49 UTC
base-system, are you okay with stabilization?

Also, acl has a new home and version 2.2.49:
http://savannah.nongnu.org/projects/acl
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-01-08 17:45:16 UTC
CVE-2009-4411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4411):
  The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
  running in recursive (-R) mode, follow symbolic links even when the
  --physical (aka -P) or -L option is specified, which might allow
  local users to modify the ACL for arbitrary files or directories via
  a symlink attack.

Comment 3 SpanKY gentoo-dev 2010-01-09 03:02:54 UTC
some people seem to think the symlink fix didnt work completely in 2.2.47-r1 (see the referenced bug report)

at any rate, 2.2.49 is in the tree now
Comment 4 Hanno Böck gentoo-dev 2010-03-27 18:05:21 UTC
Archs, please stabilize 2.2.49, targets:
alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-29 14:00:59 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2010-03-29 21:44:11 UTC
amd64/arm stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-04-01 13:13:45 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-04-02 12:18:12 UTC
alpha/ia64/m68k/s390/sh/sparc stable 
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-04-02 13:26:04 UTC
ppc and ppc64 done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:24:46 UTC
Thanks, everyone. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:20:41 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).