Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 221123 (CVE-2008-2148) - Linux Kernels 2.6.22-> - utimensat() file time modification bypass vulnerability (CVE-2008-2148)
Summary: Linux Kernels 2.6.22-> - utimensat() file time modification bypass vu...
Alias: CVE-2008-2148
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: [linux >=2.6.22 <]
Depends on:
Reported: 2008-05-09 19:06 UTC by Gordon Malm (RETIRED)
Modified: 2013-09-05 02:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Gordon Malm (RETIRED) gentoo-dev 2008-05-09 19:06:16 UTC;a=blob;f=review-2.6.25/vfs-fix-permission-checking-in-sys_utimensat.patch;h=1da0b9bf9f078e3eb147a6799e5a74af2484014a;hb=cbe22288b271b4e4e51f5573281662f53466e41a

"If utimensat() is called with both times set to UTIME_NOW or one of them to
UTIME_NOW and the other to UTIME_OMIT, then it will update the file time
without any permission checking.

I don't think this can be used for anything other than a local DoS, but could
be quite bewildering at that (e.g.  "Why was that large source tree rebuilt
when I didn't modify anything???")

This affects all kernels from 2.6.22, when the utimensat() syscall was

Fix by doing the same permission checking as for the "times == NULL" case."

Reproducible: Always
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-10 11:31:56 UTC
thanks for the report, but please use "gentoo security" when filing security bugs.