Debian Bug report logs - #566684
kfreebsd-7: ZFS security bug, local users may access unauthorized files - CVE-2010-0318


Package: kfreebsd-7; Maintainer for kfreebsd-7 is (unknown);

Reported by: Pedro R <pedrib@gmail.com>

Date: Sun, 24 Jan 2010 14:48:02 UTC

Severity: grave

Tags: security

Fixed in version 7.2-10

Done: Pedro Ribeiro <pedrib@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, pedrib@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#566684; Package kfreebsd-7. (Sun, 24 Jan 2010 14:48:05 GMT)

Acknowledgement sent to Pedro R <pedrib@gmail.com>:
New Bug report received and forwarded. Copy sent to pedrib@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Sun, 24 Jan 2010 14:48:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Pedro R <pedrib@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kfreebsd-7: ZFS security bug, local users may access unauthorized files - CVE-2010-0318
Date: Sun, 24 Jan 2010 14:44:40 +0000

Package: kfreebsd-7
Severity: grave
Tags: security
Justification: user security hole

Hi,

the replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, and 8.0, 
when creating files during replay of a setattr transaction, uses weak permissions (7777) 
instead of the original permissions, which might allow local users to read or modify 
unauthorized files in opportunistic circumstances after a system crash or power failure.

Further description and patches are available at
http://security.freebsd.org/advisories/FreeBSD-SA-10:03.zfs.asc

See also http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0318

Regards


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.4 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
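
A check for the condition described in the report above, as an added example that is not part of the original bug report or of the FreeBSD advisory: it lists regular files whose permission bits are exactly 7777 on a single filesystem, so an administrator can review them after a crash on an affected kernel. The function names and the sample tree are constructed for illustration, and a hit is only a candidate for review, since a file can carry that mode for other reasons.

```python
import os
import stat
import sys
import tempfile

WEAK_MODE = 0o7777  # mode the report says ZIL replay applied to created files


def _dev(path):
    """Device id of path without following symlinks, or None if unreadable."""
    try:
        return os.lstat(path).st_dev
    except OSError:
        return None


def find_weak_mode_files(root):
    """Return sorted regular files under root whose permission bits are exactly 7777."""
    root_dev = _dev(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Stay on one filesystem: prune directories that live on another device.
        dirnames[:] = [d for d in dirnames if _dev(os.path.join(dirpath, d)) == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to report
            if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == WEAK_MODE:
                hits.append(path)
    return sorted(hits)


def demo():
    """Scan a constructed sample tree; only suspect.dat carries mode 7777."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("normal.txt", 0o644), ("world_rw.txt", 0o666),
                           ("suspect.dat", 0o7777)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)  # explicit chmod, so the umask does not apply
        return [os.path.relpath(p, root) for p in find_weak_mode_files(root)]


if __name__ == "__main__":
    results = find_weak_mode_files(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(results))
```

Run it with the mount point of a dataset as the only argument; with no argument it scans the constructed sample tree.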




Reply sent to Pedro Ribeiro <pedrib@gmail.com>:
You have taken responsibility. (Sun, 24 Jan 2010 15:15:16 GMT)

Notification sent to Pedro R <pedrib@gmail.com>:
Bug acknowledged by developer. (Sun, 24 Jan 2010 15:15:16 GMT)

Message #10 received at 566684-done@bugs.debian.org:

From: Pedro Ribeiro <pedrib@gmail.com>
To: 566684-done@bugs.debian.org
Subject: Re: Bug#566684: kfreebsd-7: ZFS security bug, local users may access unauthorized files - CVE-2010-0318
Date: Sun, 24 Jan 2010 15:12:31 +0000

fixed-version 7.2-10




Bug Marked as fixed in versions 7.2-10. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Sun, 24 Jan 2010 15:24:15 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Feb 2010 07:36:00 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 14:16:10 2014; Machine Name: beach.debian.org
