Description of problem: User "foo" can use the SWAPEXT ioctl to swap a write-only file owned by user "bar" into a file owned by "foo" and subsequently reading it. It does so by checking that the file descriptors passed to the ioctl are also opened for reading. References: http://archives.free.net.ph/message/20100616.130710.301704aa.en.html http://archives.free.net.ph/message/20100616.135735.40f53a32.en.html
Acknowledgements: Red Hat would like to thank Dan Rosenberg for reporting this issue.
Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG as they did not include support for the XFS filesystem. A future kernel update in Red Hat Enterprise Linux 5 will address this issue.
Upstream commit: http://git.kernel.org/linus/1817176a86352f65210139d4c794ad2d19fc6b63
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0610 https://rhn.redhat.com/errata/RHSA-2010-0610.html