Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0269 to the following vulnerability: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.

References:
https://lists.launchpad.net/ecryptfs-devel/msg00011.html
https://lists.launchpad.net/ecryptfs-devel/msg00010.html
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commit;h=a17d5232de7b53d34229de79ec22f4bb04adb7e4
So based on a quick technical first pass on the affected code:
- it can only affect systems that are using and have mounted an ecryptfs directory, and allow such to be done by unprivileged users
- the local attacker would need to be able to make a readlink on a symlink fail, most likely permissions, or perhaps too many symlinks.
- the outcome would be writing a single null byte one memory address before the kmalloc()ed buffer.

Some sites are writing up this issue as a privilege escalation flaw, but I believe that given the circumstances this is most unlikely. Setting severity to moderate and requesting review from a kernel engineer.
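As an added illustration of the defect described above (not code from the kernel or from this bug report), here is a userspace C model of the pattern: the return value of a lower readlink is used to place the terminating NUL, so an error return of -1 writes one byte before the buffer, while the hardened variant checks the sign first. The lower_readlink stand-in, the 64-byte buffer and the 0xAA guard byte are constructed for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the lower filesystem's readlink: copies the
 * target into buf and returns its length, or -1 when the lower call fails. */
static int lower_readlink(const char *target, char *buf, size_t bufsiz)
{
    if (target == NULL)                 /* model a failing readlink */
        return -1;
    size_t len = strlen(target);
    if (len > bufsiz)
        len = bufsiz;
    memcpy(buf, target, len);
    return (int)len;
}

/* Vulnerable pattern: rc is used as an index with no sign check, so a
 * failing lower readlink (rc == -1) writes a NUL one byte before buf. */
static int readlink_unchecked(const char *target, char *buf, size_t bufsiz)
{
    int rc = lower_readlink(target, buf, bufsiz);
    buf[rc] = '\0';                     /* buf[-1] on failure */
    return rc;
}

/* Hardened pattern: propagate a negative rc before touching the buffer. */
static int readlink_checked(const char *target, char *buf, size_t bufsiz)
{
    int rc = lower_readlink(target, buf, bufsiz);
    if (rc < 0)
        return rc;
    buf[rc] = '\0';
    return rc;
}

/* Runs one variant against a failing readlink with a guard byte placed
 * directly before a 64-byte heap buffer (constructed). Returns 1 if the
 * guard was overwritten, 0 if it survived, -1 on allocation failure. */
static int guard_corrupted(int (*fn)(const char *, char *, size_t))
{
    unsigned char *raw = malloc(65);
    if (!raw)
        return -1;
    raw[0] = 0xAA;                      /* guard: the byte just before buf */
    memset(raw + 1, 'x', 64);
    fn(NULL, (char *)(raw + 1), 64);    /* NULL target = readlink error */
    int corrupted = raw[0] != 0xAA;
    free(raw);
    return corrupted;
}
```

Because the guard lies inside the same allocation, the stray write is observable here without undefined behaviour; in the kernel the same byte belongs to whatever precedes the kmalloc()ed object.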
Mark, I concur with your severity analysis. Patch sent to rhkernel-list on 2/4/2009 (sorry for the delay...) -Eric
This issue has been addressed in the following products: MRG for RHEL-5 Via RHSA-2009:0360 https://rhn.redhat.com/errata/RHSA-2009-0360.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2009:0326 https://rhn.redhat.com/errata/RHSA-2009-0326.html
Patch is in -158.el5. Adding SanityOnly.