Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 212145 (CVE-2008-0777) - sys-freebsd/freebsd-sources < 6.2-r4 sendfile(2) write-only file permission bypass (CVE-2008-0777)
Summary: sys-freebsd/freebsd-sources < 6.2-r4 sendfile(2) write-only file permission b...
Status: RESOLVED FIXED
Alias: CVE-2008-0777
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial
Assignee: Gentoo Security
URL: http://security.freebsd.org/advisorie...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-03 01:32 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-17 20:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 01:32:02 UTC 
CVE-2008-0777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0777):
  The sendfile system call in FreeBSD 5.5 through 7.0 does not check the access
  flags of the file descriptor used for sending a file, which allows local
  users to read the contents of write-only files.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 01:33:27 UTC 
BSD herd, please act.

This is the third security bug that is now open, and the others are not moving at all. Are you maintaining the Gentoo BSD port, or can/should this be p.masked?
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-09 14:26:41 UTC 
(In reply to comment #1)
> BSD herd, please act.
> 
> This is the third security bug that is now open, and the others are not moving
> at all. Are you maintaining the Gentoo BSD port, or can/should this be
> p.masked?
> 

*ping*
Comment 3 Alexis Ballier gentoo-dev 2008-05-17 19:55:28 UTC 
6.2-r4 has the patch
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-17 20:37:37 UTC 
thanks, closing.