A flaw was found in ecryptfs which can result in a NULL pointer dereference. Quoting the commit message:

"When calling vfs_unlink() on the lower dentry, d_delete() turns the dentry into a negative dentry when the d_count is 1. This eventually caused a NULL pointer deref when a read() or write() was done and the negative dentry's d_inode was dereferenced in ecryptfs_read_update_atime() or ecryptfs_getxattr()."

The upstream commit is here:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commit;h=afc2b6932f48f200736d3e36ad66fee0ec733136

There is a launchpad bug with more details here:
https://bugs.launchpad.net/ecryptfs/+bug/387073
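The following is an added, user-space model of the dentry reference-count behaviour the commit message describes; it is not kernel code and not part of this bug report. The names (d_count, d_inode, dget, dput, d_delete, vfs_unlink, ecryptfs_read_update_atime) mirror the kernel's but are toy implementations written for this illustration. It contrasts an unlink path that holds no extra reference across vfs_unlink() (so d_delete() sees d_count == 1 and drops d_inode) with one that takes a reference first, which is the approach the upstream commit takes; the read path returns -1 where the real kernel would dereference NULL and oops.

```c
/* Added example: a user-space model of the CVE-2009-2908 dentry lifecycle.
 * All structures and functions below are hypothetical simplifications,
 * not the Linux kernel's. */
#include <stddef.h>

struct inode  { int ino; int nlink; };
struct dentry { int d_count; struct inode *d_inode; };

/* Model of dget()/dput(): take or drop a reference on the dentry. */
static void dget(struct dentry *d) { d->d_count++; }
static void dput(struct dentry *d) { if (d->d_count > 0) d->d_count--; }

/* Model of d_delete(): with only one holder, the dentry becomes negative
 * (d_inode cleared). With more holders it stays positive; the real kernel
 * unhashes it instead so other references keep a usable inode. */
static void d_delete(struct dentry *d)
{
    if (d->d_count == 1)
        d->d_inode = NULL;          /* negative dentry */
}

/* Model of vfs_unlink() on the lower dentry: drop the link, then d_delete(). */
static void vfs_unlink(struct dentry *lower)
{
    if (lower->d_inode)
        lower->d_inode->nlink--;
    d_delete(lower);
}

/* Pre-fix behaviour: no extra reference held while the lower dentry is unlinked. */
static void ecryptfs_unlink_vulnerable(struct dentry *lower_dentry)
{
    vfs_unlink(lower_dentry);
}

/* Post-fix behaviour: pin the lower dentry so d_delete() sees d_count > 1
 * and the dentry stays positive for files still open through eCryptfs. */
static void ecryptfs_unlink_fixed(struct dentry *lower_dentry)
{
    dget(lower_dentry);
    vfs_unlink(lower_dentry);
    dput(lower_dentry);
}

/* Model of the read path that dereferences lower_dentry->d_inode.
 * Returns the inode number, or -1 where the kernel would oops on NULL. */
static int ecryptfs_read_update_atime(struct dentry *lower_dentry)
{
    if (lower_dentry->d_inode == NULL)
        return -1;                  /* NULL pointer dereference in the kernel */
    return lower_dentry->d_inode->ino;
}

/* Scenario: a file is open through eCryptfs (d_count 1 on the lower dentry),
 * it is unlinked, then read() runs. Returns the read path's result. */
static int scenario(void (*unlink_fn)(struct dentry *))
{
    struct inode  ino   = { .ino = 42, .nlink = 1 };   /* constructed sample inode */
    struct dentry lower = { .d_count = 1, .d_inode = &ino };
    unlink_fn(&lower);
    return ecryptfs_read_update_atime(&lower);
}

int main(void)
{
    /* Exit 0 only if the vulnerable path goes negative and the fixed one does not. */
    return (scenario(ecryptfs_unlink_vulnerable) == -1 &&
            scenario(ecryptfs_unlink_fixed) == 42) ? 0 : 1;
}
```

The model deliberately leaves out the dentry hash, locking and the eCryptfs-to-lower-file mapping; the point it isolates is that the lifetime of the lower inode depends on who holds references at the moment d_delete() runs, which is why the fix is a reference-count change rather than a NULL check in the read path.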
I suspect this flaw could result in arbitrary code execution, but I'm not 100% sure, honestly. The pointer in question does contain function pointers. It's possible it's not, but my limited knowledge tells me to treat it as such.
MITRE's CVE-2009-2908 entry:
----------------------------
The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a "negative dentry" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2908
https://bugs.launchpad.net/ecryptfs/+bug/387073
http://www.securityfocus.com/bid/36639
http://xforce.iss.net/xforce/xfdb/53693
kernel-2.6.27.37-170.2.104.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.37-170.2.104.fc10
kernel-2.6.27.37-170.2.104.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.30.9-90.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.9-90.fc11
kernel-2.6.30.9-90.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2009:1548 https://rhn.redhat.com/errata/RHSA-2009-1548.html