A flaw was discovered in ext2 filesystem support affecting 2.4 and 2.6 kernels. When a new directory is created, the ext2 block written to disk is initialized, leading to an information leak. The following script can easily show the problem on Linux 2.4 and 2.6: #!/bin/sh FILE=foo dd if=/dev/zero of=$FILE bs=1k count=8192 mke2fs -F -b 1024 -m0 $FILE mount -o loop $FILE mnt for D in `seq 500` ; do mkdir mnt/$D ; done umount mnt Using 'strings foo' will reveal the information leak in the file. Patch committed upstream, see fixed=2.6-bk (20050325 http://linux.bkbits.net:8080/linux-2.6/cset@4244bfc9vHVlT4nv2o4ys4_sf6vzKA fixed=2.4-bk (20050325 http://linux.bkbits.net:8080/linux-2.4/cset@424473284plfEOB185qmyHPQyNPq4Q
("is not initialized")
This information leak is visible solely to the super-user.
A fix for this problem has just been committed to the RHEL3 U6 patch pool this evening (in kernel version 2.4.21-32.5.EL).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-663.html