[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#529326: linux-2.6: CVE-2009-0787 information disclosure in ecryptfs



Hi,
* dann frazier <dannf@dannf.org> [2009-05-18 23:19]:
> On Mon, May 18, 2009 at 02:20:20PM -0400, Michael S. Gilbert wrote:
> > On Mon, 18 May 2009 11:52:04 -0600, dann frazier wrote:
> > > On Mon, May 18, 2009 at 01:28:56PM -0400, Michael S. Gilbert wrote:
[...] 
> > > This issue supposedly only affected 2.6.28 - do you have information
> > > to the contrary?
> > 
> > yes, i have studied the code/patches for this issue.  the 2.6.26
> > ecryptfs kernel code is identical to that of the affected 2.6.28 code.
> > hence, it is my assessment that 2.6.26 is vulnerable.
> > 
> > i anticipate that this also affects etch-and-a-half (2.6.24) as well,
> > but i have not checked yet.
> 
> My understanding is that this issue was introduced by 87b811c (in
> 2.6.28), which resulted in only a single page getting allocated for
> the headers even though the size of the headers maybe > the page size.

Yes and you are correct with this, no other version included 
the vulnerable code.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpwaMGyzSi7F.pgp
Description: PGP signature


Reply to: