A flaw was found in the Linux kernel's function path_openat(), which would incorrectly clear up twice (as part of path_lookupat() called by do_tmpfile()). Doing so again can lead to a double fput(). This can lead to a use-after-free condition.

CVE assignment: http://seclists.org/oss-sec/2015/q3/270
Introduced in this commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb458c644a59dbba3a1fe59b27106c5e68e1c4bd
Upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0
OSS-SEC request: http://seclists.org/oss-sec/2015/q3/371
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1250048]
According to this, this bug affects only 3.19 and 4.0 kernel versions: http://seclists.org/oss-sec/2015/q3/371 https://bugzilla.suse.com/show_bug.cgi?id=940339
Statement: This issue does not affect any shipping versions of Red Hat Enterprise Linux kernels. The patch causing the incorrect "double put" condition is not applied to any shipping kernel.
Updated, now this should be a little clearer.