CVE-2023-49298 (https://github.com/openzfs/zfs/issues/15526): OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
I am unconvinced that this is worthy of a CVE..
This tool can easily detect all the corrupted files: https://github.com/0x5c/zfs-bclonecheck
(In reply to Mike from comment #2) > This tool can easily detect all the corrupted files: > > https://github.com/0x5c/zfs-bclonecheck Some of the detected corrupted files then can be re-created by Gentoo user by re-emerge: equery b DETECTED_CORRUPTED_FILE_1 emerge -1 --usepkg=n PACKAGE
Please keep the discussion on the upstream bug for detection but that is NOT complete. Non cloned files may be affected.
New versions of zfs have been released today which solve the corruption bug https://github.com/openzfs/zfs/releases/download/zfs-2.2.2/zfs-2.2.2.tar.gz https://github.com/openzfs/zfs/releases/download/zfs-2.1.14/zfs-2.1.14.tar.gz
I suppose we'll treat those as the fixed versions then. I'll vote no on a GLSA (but still wait for a second opinion).
I'd say no.