Bug 558677 (CVE-2010-0299)

Summary: CVE-2010-0299 kernel: Driver-Core: devtmpfs - set root directory mode to 0755
Product: [Other] Security Response
Component: vulnerability
Reporter: Eugene Teo (Security Response) <eteo>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: arozansk, davej, kmcmartin, lwang, pmatouse, rcvalle, tcallawa
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-03-28 08:38:32 UTC
Bug Depends On: 547593, 586016, 586020

Description Eugene Teo (Security Response) 2010-01-26 00:34:38 UTC
Description of problem:
devtmpfs - set root directory mode to 0755.

Devtmpfs lets the kernel create a tmpfs instance called devtmpfs very early at kernel initialization, before any driver-core device is registered. Every device with a major/minor will provide a device node in devtmpfs. Devtmpfs can be changed and altered by userspace at any time, and in any way needed - just like today's udev-mounted tmpfs.

Make sure the root directory permissions are 0755 instead of 1777.

This was introduced in v2.6.32-rc1 via commit 2b2af54a.

Upstream commits:
http://git.kernel.org/linus/f776c5ec4690b21b3668ad5956774a22c86f541a
http://git.kernel.org/linus/9329d1beaeed1a94f030c784dcec5ff973f402c4

Comment 1 Eugene Teo (Security Response) 2010-01-26 00:37:39 UTC
The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG did not include support for Devtmpfs, and is therefore not affected by this issue.

Comment 5 Chuck Ebbert 2010-01-29 03:16:04 UTC
Fixed in 2.6.32.7 by:

 driver-core-devtmpfs-set-root-directory-mode-to-0755.patch
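
A check for the condition this bug describes, added here as an example and not part of the original report or the kernel patch: it reads a mounts table (`/proc/mounts` by default), finds every devtmpfs instance and flags any whose root directory has the other-write bit set, as mode 1777 does and 0755 does not. The function names are hypothetical, and `stat -c` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: audit the root directory mode of every devtmpfs mount.

# Print the mount point of each devtmpfs entry in a mounts table.
# Table format (as in /proc/mounts): device mountpoint fstype options dump pass
# Constructed sample line:  devtmpfs /dev devtmpfs rw,nosuid 0 0
# Limitation: mount points containing whitespace (escaped as \040) are not handled.
devtmpfs_mounts() {
    awk '$3 == "devtmpfs" { print $2 }' "${1:-/proc/mounts}"
}

# Return 0 when the given octal mode (e.g. 1777) has the other-write bit set.
mode_world_writable() {
    [ $(( 0$1 & 0002 )) -ne 0 ]
}

# Report each devtmpfs root; return 1 if any of them is world-writable.
audit_devtmpfs() {
    rc=0
    for mp in $(devtmpfs_mounts "$1"); do
        # Skip mount points that cannot be inspected (e.g. other namespace).
        mode=$(stat -c %a "$mp") || continue
        if mode_world_writable "$mode"; then
            echo "WORLD-WRITABLE $mp mode=$mode (expected 755)"
            rc=1
        else
            echo "ok $mp mode=$mode"
        fi
    done
    return $rc
}

# Usage on a live system:
#   audit_devtmpfs /proc/mounts
```

Userspace can change the mode of `/dev` after boot, so the result reflects the directory as it is now, not only the mode the kernel set when it created the devtmpfs instance.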