Date: Fri, 7 Mar 1997 00:05:45 -0600 (CST) From: Karl <karl@Mcs.Net> To: FreeBSD-gnats-submit@freebsd.org Subject: kern/2906: SEVERE security bug in vfs_vnops.c Message-ID: <199703070605.AAA07600@Codebase.mcs.net> Resent-Message-ID: <199703070610.WAA17738@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 2906 >Category: kern >Synopsis: SEVERE security bug in vfs_vnops.c >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Mar 6 22:10:03 PST 1997 >Last-Modified: >Originator: Karl >Organization: MCSNet >Release: FreeBSD 3.0-CURRENT i386 >Environment: generation numbers are visible to any user for files, making unauthorized modification of files on exported NFS filesystems easily possible. >Description: see posting to freebsd-security@freebsd.org >How-To-Repeat: see posting to freebsd-security@freebsd.org >Fix: *** vfs_vnops.c Fri Mar 7 00:03:33 1997 --- vfs_vnops.c.saved Fri Mar 7 00:03:08 1997 *************** *** 410,420 **** sb->st_mtimespec = vap->va_mtime; sb->st_ctimespec = vap->va_ctime; sb->st_blksize = vap->va_blocksize; ! if (suser (p->u_cred, &p->p_acflag)) { ! sb->st_gen = 0; ! } else { ! sb->st_gen = vap->va_gen; ! } sb->st_gen = vap->va_gen; #if (S_BLKSIZE == 512) /* Optimize this case */ --- 410,416 ---- sb->st_mtimespec = vap->va_mtime; sb->st_ctimespec = vap->va_ctime; sb->st_blksize = vap->va_blocksize; ! sb->st_flags = vap->va_flags; sb->st_gen = vap->va_gen; #if (S_BLKSIZE == 512) /* Optimize this case */ -- Karl Denninger MCSNet >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199703070605.AAA07600>