Bug 289111 (CVE-2007-4849) - CVE-2007-4849 jffs2 doesn't preserve permissions
Summary: CVE-2007-4849 jffs2 doesn't preserve permissions
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-4849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 297781 297791 297801 297811 297821 297831
Blocks:
Reported: 2007-09-13 11:36 UTC by Mark J. Cox
Modified: 2021-11-12 19:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-10 11:09:54 UTC


Description Mark J. Cox 2007-09-13 11:36:52 UTC
JFFS2 does not preserve directory permissions across reboots when using a custom
/sbin/init.

http://dev.laptop.org/ticket/2732
http://git.infradead.org/?p=mtd-2.6.git;a=commitdiff;h=9ed437c50d89eabae763dd422579f73fdebf288d

Most probably an impact=low for Enterprise Linux if we're affected at all
(awaiting triage)

Comment 2 Aristeu Rozanski 2007-09-21 13:37:45 UTC
Mark,
in RHEL-4, there's no support for ACL in JFFS2. I've tested using a script I
attached in BZ#297811 and couldn't reproduce the problem. There's support for ACL
in RHEL-5 but it's not enabled (ACL support depends on XATTR and
CONFIG_JFFS2_FS_XATTR is disabled in RHEL-5). I've run the same script on RHEL-5
and even repeated the test in http://dev.laptop.org/ticket/2732 and couldn't
reproduce the problem. Unless I'm missing something, I believe we can close the
RHEL-4/RHEL-5 bugs (not sure about RHEL-2/RHEL-3).


Comment 3 Mark J. Cox 2007-09-24 10:06:13 UTC
Thanks Aristeu; I've closed tracking bugs for RHEL4 and RHEL5 as they are not
affected by the issue.

Comment 4 Aristeu Rozanski 2007-10-02 13:27:45 UTC
Mark,
JFFS2 is not enabled in RHEL-3 kernel. BZ#297791 can be closed too.


Comment 5 Don Howard 2007-10-02 23:24:33 UTC
Same on RHEL2.1 - JFFS2 is not enabled.  

All bugs in the dependency tree are now closed/NOTABUG.

Comment 6 Aristeu Rozanski 2007-10-05 15:50:16 UTC
JFFS2 is enabled in RHEL2.1, ia64 version. There's no support for ACL, so it's
unlikely it affects this version too. I'm trying to get an ia64 box with RHEL2.1
installed in RHTS to use the same set of scripts I've used in RHEL-4/RHEL-5 but
no luck so far.


Comment 7 Don Howard 2007-10-05 17:54:38 UTC
Hi Aristeu -

Are you certain that JFFS2 is enabled in rhel2.1-ia64? I don't see it in
config-generic, nor do I see the jffs2 module in the -e.65 kernel rpm.  

Am I missing something?


Comment 8 Aristeu Rozanski 2007-10-05 18:22:20 UTC
My bad. I was looking in RHEL-2.1-ia64 branch in CVS.


Comment 9 Mark J. Cox 2007-10-10 11:09:54 UTC
Not vulnerable.  There is no support for jffs2 in the Linux kernel as
distributed with Red Hat Enterprise Linux 2.1 or 3.  There is no ACL support for
jffs2 in the Linux kernel as distributed with Red Hat Enterprise Linux 4 or 5.
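
The triage in this bug comes down to two questions per kernel: is JFFS2 built at all, and if so, is its ACL support (which depends on CONFIG_JFFS2_FS_XATTR) enabled. The following shell function is an added example, not part of the original bug report or any Red Hat tooling; it applies that same check to a kernel config file. The function name, the result labels and the sample config are constructed for illustration; CONFIG_JFFS2_FS_POSIX_ACL is the upstream Kconfig symbol for JFFS2 ACL support and is not named on this page.

```shell
#!/bin/sh
# Classify a kernel config by the criteria used in this bug's triage.
# Prints one of:
#   no-jffs2      JFFS2 is not built, so the issue cannot apply
#   jffs2-no-acl  JFFS2 is built but without ACL support
#   jffs2-acl     JFFS2 is built with ACL support; review against the upstream fix
jffs2_acl_exposure() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }

    # An option counts as enabled only when set to y (built in) or m (module).
    # A "# CONFIG_X is not set" line or a missing line both mean disabled.
    enabled() {
        grep -Eq "^$1=(y|m)\$" "$cfg"
    }

    if ! enabled CONFIG_JFFS2_FS; then
        echo "no-jffs2"
    elif enabled CONFIG_JFFS2_FS_XATTR && enabled CONFIG_JFFS2_FS_POSIX_ACL; then
        # ACL support depends on XATTR, so both must be on.
        echo "jffs2-acl"
    else
        echo "jffs2-no-acl"
    fi
}

# Constructed sample config (not a real RHEL config): JFFS2 built as a
# module, XATTR disabled, as comment 2 describes for the ACL dependency.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_JFFS2_FS=m
# CONFIG_JFFS2_FS_XATTR is not set
EOF
jffs2_acl_exposure "$sample"   # prints: jffs2-no-acl
rm -f "$sample"
```

On a running system the config is typically found at /boot/config-$(uname -r), which can be passed as the argument.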

