Description of problem:

1. CVE-2010-2537 - The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check whether the donor file is append-only before writing to it.

2. CVE-2010-2538 - The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that allows a user to specify an out-of-bounds range to copy from the source file (if off + len wraps around).

Upstream commit: http://git.kernel.org/linus/2ebc3464781ad24474abcbd2274e6254689853b5

Reference: https://btrfs.wiki.kernel.org/index.php/Main_Page

The kernel in Red Hat Enterprise Linux 6 has support for Btrfs by default.
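An added example, not code from the upstream commit or from this bug report: the wrap-around described in item 2 (off + len) reduced to a stand-alone C range check, with a size comparison that accepts a wrapped range beside two forms that reject it. The function names and the sample offsets and sizes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers; off, len and src_size are unsigned 64-bit byte
 * counts, so off + len is computed modulo 2^64. */

/* Naive check: compares the computed end against the source size only.
 * A huge len makes off + len wrap to a small value that passes. */
bool range_ok_naive(uint64_t off, uint64_t len, uint64_t src_size)
{
    return off + len <= src_size;
}

/* Hardened check: no addition is performed, so nothing can wrap. */
bool range_ok_checked(uint64_t off, uint64_t len, uint64_t src_size)
{
    if (off > src_size)
        return false;
    return len <= src_size - off;
}

/* Equivalent check using the GCC/Clang overflow builtin. */
bool range_ok_builtin(uint64_t off, uint64_t len, uint64_t src_size)
{
    uint64_t end;

    if (__builtin_add_overflow(off, len, &end))
        return false;               /* off + len wrapped around */
    return end <= src_size;
}

int main(void)
{
    /* Constructed sample: 8 KiB source, request starts at 4 KiB with a
     * length chosen so that off + len wraps to exactly 0. */
    uint64_t src_size = 8192, off = 4096, len = UINT64_MAX - 4095;

    printf("naive:   %d\n", range_ok_naive(off, len, src_size));
    printf("checked: %d\n", range_ok_checked(off, len, src_size));
    printf("builtin: %d\n", range_ok_builtin(off, len, src_size));
    return 0;
}
```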
Statement: Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include support for Btrfs, a new copy on write filesystem.
Acknowledgements: Red Hat would like to thank Dan Rosenberg for responsibly reporting this issue.
*** Bug 616992 has been marked as a duplicate of this bug. ***
Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7 and 2.6.32.17