Your message dated Sun, 27 Dec 2009 05:04:24 +0000
with message-id <[email protected]>
and subject line Re: CVE-2009-4411
has caused the Debian Bug report #499076,
regarding CVE-2009-4411: Physical walk no longer ignores all symlinks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
499076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: acl
Version: 2.2.47-2

After upgrading a system from Etch to Lenny, we are having some problems
with our backup scripts which rely on getfacl/getfattr.

Previously we had been using "getfacl -RP ..." to recursively dump all
the ACLs in a number of directories which are also Samba shares. Because
we use the DFS features of Samba, we have numerous intentional
"dangling" symlinks in these directories. However, now this is causing
getfacl to exit with non-zero status and spew lots of unwanted output to
stderr.

A simple test case to reproduce the problem:

  #!/bin/sh
  ln -f -s no_such_file foo
  getfacl -RP . > /dev/null
  echo $?

Output on Etch:
  0

Output on Lenny:
  getfacl: ./foo: No such file or directory
  1

I realise that upstream changed the behaviour at some point there, as
the manpage description of the -P option differs between Etch/Lenny.
However, we still need a way to ignore all symlinks - if the current
behaviour is by design (I don't understand why this would be desirable),
then can we have another option to completely ignore symlinks?

Thanks,
Kevin.





--- End Message ---
--- Begin Message ---
Version 2.2.49-1

On Sat, Dec 26, 2009 at 06:42:15PM +0100, Giuseppe Iuculano wrote:
>retitle 499076 CVE-2009-4411: Physical walk no longer ignores all symlinks
>tags 499076 security
>severity 499076 serious
>thanks
>
>Hi,
>
>this issue got a CVE id:
>
>CVE-2009-4411[0]:
>| The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
>| running in recursive (-R) mode, follow symbolic links even when the
>| --physical (aka -P) or -L option is specified, which might allow local
>| users to modify the ACL for arbitrary files or directories via a
>| symlink attack.
>
>If you fix the vulnerability please also make sure to include the
>CVE id in your changelog entry.
>
>For further information see:
>
>[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411
>    http://security-tracker.debian.org/tracker/CVE-2009-4411
>

Already fixed in 2.2.49-1, which was uploaded on 24 Nov 2009, more than
a month ago.



--- End Message ---
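
The behaviour requested in the report, as an added example that is not part of the thread or of the acl source: a tree walk that uses lstat() to skip every symlink, next to a stat()-based walk that errors on the dangling link and leaves the tree through a link. The directory layout and the names physical_walk, logical_walk and demo are constructed for illustration.

```python
import os
import stat
import tempfile


def physical_walk(root):
    """Yield paths under root, skipping every symlink (dangling or not)."""
    stack = [root]
    while stack:
        path = stack.pop()
        mode = os.lstat(path).st_mode      # lstat examines the link itself
        if stat.S_ISLNK(mode):
            continue                       # never dereferenced, never an error
        yield path
        if stat.S_ISDIR(mode):
            with os.scandir(path) as entries:
                stack.extend(e.path for e in entries)


def logical_walk(root):
    """Contrast: stat() dereferences links. Returns (visited, errors)."""
    visited, errors, stack, seen = [], [], [root], set()
    while stack:
        path = stack.pop()
        try:
            st = os.stat(path)             # follows symlinks
        except FileNotFoundError:
            errors.append(path)            # dangling link, like ./foo in the report
            continue
        visited.append(path)
        if stat.S_ISDIR(st.st_mode) and (st.st_dev, st.st_ino) not in seen:
            seen.add((st.st_dev, st.st_ino))   # guard against link loops
            with os.scandir(path) as entries:
                stack.extend(e.path for e in entries)
    return visited, errors


def demo():
    """Build a constructed tree and return both walks as sorted relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        tree, outside = os.path.join(tmp, "tree"), os.path.join(tmp, "outside")
        os.makedirs(os.path.join(tree, "sub"))
        os.makedirs(outside)
        for p in (os.path.join(tree, "sub", "inner.txt"), os.path.join(outside, "other.txt")):
            open(p, "w").close()
        os.symlink("no_such_file", os.path.join(tree, "foo"))      # dangling
        os.symlink(outside, os.path.join(tree, "escape"))          # leaves the tree
        rel = lambda paths: sorted(os.path.relpath(p, tree) for p in paths)
        visited, errors = logical_walk(tree)
        return rel(physical_walk(tree)), rel(visited), rel(errors)
```

Calling demo() returns the physical walk, the logical walk and the logical walk's errors, in that order.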
