Bug 289111 - (CVE-2007-4849) CVE-2007-4849 jffs2 doesn't preserve permissions
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: Red Hat Product Security
Depends On: 297781 297791 297801 297811 297821 297831
Reported: 2007-09-13 07:36 EDT by Mark J. Cox (Product Security)
Modified: 2007-10-10 07:09 EDT
Doc Type: Bug Fix
Last Closed: 2007-10-10 07:09:54 EDT
Description Mark J. Cox (Product Security) 2007-09-13 07:36:52 EDT
JFFS2 does not preserve directory permissions across reboots when using a custom


Most probably an impact=low for Enterprise Linux if we're affected at all
(awaiting triage)
Comment 2 Aristeu Rozanski 2007-09-21 09:37:45 EDT
In RHEL-4, there's no support for ACL in JFFS2. I've tested using a script I
attached in BZ#297811 and couldn't reproduce the problem. There's support for ACL
in RHEL-5 but it's not enabled (ACL support depends on XATTR and
CONFIG_JFFS2_FS_XATTR is disabled in RHEL-5). I've run the same script on RHEL-5
and even repeated the test in http://dev.laptop.org/ticket/2732 and couldn't
reproduce the problem. Unless I'm missing something, I believe we can close the
RHEL-4/RHEL-5 bugs (not sure about RHEL-2/RHEL-3).
Comment 3 Mark J. Cox (Product Security) 2007-09-24 06:06:13 EDT
Thanks Aristeu; I've closed tracking bugs for RHEL4 and RHEL5 as they are not
affected by the issue.
Comment 4 Aristeu Rozanski 2007-10-02 09:27:45 EDT
JFFS2 is not enabled in RHEL-3 kernel. BZ#297791 can be closed too.
Comment 5 Don Howard 2007-10-02 19:24:33 EDT
Same on RHEL2.1 - JFFS2 is not enabled.  

All bugs in the dependency tree are now closed/NOTABUG.
Comment 6 Aristeu Rozanski 2007-10-05 11:50:16 EDT
JFFS2 is enabled in RHEL2.1, ia64 version. There's no support for ACL, so it's
unlikely it affects this version too. I'm trying to get an ia64 box with RHEL2.1
installed in RHTS to use the same set of scripts I've used in RHEL-4/RHEL-5 but
no luck so far.
Comment 7 Don Howard 2007-10-05 13:54:38 EDT
Hi Aristeu -

Are you certain that JFFS2 is enabled in rhel2.1-ia64? I don't see it in
config-generic, nor do I see the jffs2 module in the -e.65 kernel rpm.  

Am I missing something?
Comment 8 Aristeu Rozanski 2007-10-05 14:22:20 EDT
My bad. I was looking in RHEL-2.1-ia64 branch in CVS.
Comment 9 Mark J. Cox (Product Security) 2007-10-10 07:09:54 EDT
Not vulnerable.  There is no support for jffs2 in the Linux kernel as
distributed with Red Hat Enterprise Linux 2.1 or 3.  There is no ACL support for
jffs2 in the Linux kernel as distributed with Red Hat Enterprise Linux 4 or 5.
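
Added example (not part of the bug report and not the test script referenced in BZ#297811): the triage reasoning in this thread, applied to a kernel config file. CONFIG_JFFS2_FS_XATTR is named in comment 2; CONFIG_JFFS2_FS and CONFIG_JFFS2_FS_POSIX_ACL are the upstream Kconfig names and are assumptions here, as is the constructed sample config.

```shell
#!/bin/sh
# Added example. CONFIG_JFFS2_FS_XATTR is named in comment 2; CONFIG_JFFS2_FS and
# CONFIG_JFFS2_FS_POSIX_ACL are upstream Kconfig names (not quoted in the thread).

# kconfig_state FILE SYMBOL: print y or m if the symbol is set, n otherwise.
# Unset symbols appear as "# SYMBOL is not set" or are simply absent.
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# jffs2_acl_exposure FILE: apply the thread's reasoning to one kernel config.
jffs2_acl_exposure() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "error: cannot read config"
        return 2
    fi
    if [ "$(kconfig_state "$cfg" CONFIG_JFFS2_FS)" = n ]; then
        echo "not-affected: jffs2 not built"
    elif [ "$(kconfig_state "$cfg" CONFIG_JFFS2_FS_XATTR)" = n ]; then
        echo "not-affected: jffs2 built without xattr, so no ACL support"
    elif [ "$(kconfig_state "$cfg" CONFIG_JFFS2_FS_POSIX_ACL)" = n ]; then
        echo "not-affected: jffs2 xattr enabled, POSIX ACL disabled"
    else
        echo "review: jffs2 POSIX ACL support is built"
    fi
}

# Constructed sample (not a real RHEL config): jffs2 built, xattr off, as
# comment 2 describes for RHEL-5 (module vs built-in is an assumption).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_JFFS2_FS=m
CONFIG_JFFS2_FS_DEBUG=0
# CONFIG_JFFS2_FS_XATTR is not set
EOF
jffs2_acl_exposure "$sample"
rm -f "$sample"
```

A "review" result only means the ACL code is compiled in; it does not by itself show that the permissions problem reproduces.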