Date: Fri, 7 Mar 1997 00:05:45 -0600 (CST) From: Karl <karl@Mcs.Net> To: FreeBSD-gnats-submit@freebsd.org Subject: kern/2906: SEVERE security bug in vfs_vnops.c Message-ID: <199703070605.AAA07600@Codebase.mcs.net> Resent-Message-ID: <199703070610.WAA17738@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 2906
>Category: kern
>Synopsis: SEVERE security bug in vfs_vnops.c
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 6 22:10:03 PST 1997
>Last-Modified:
>Originator: Karl
>Organization:
MCSNet
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
generation numbers are visible to any user for files, making
unauthorized modification of files on exported NFS filesystems
easily possible.
>Description:
see posting to freebsd-security@freebsd.org
>How-To-Repeat:
see posting to freebsd-security@freebsd.org
>Fix:
*** vfs_vnops.c Fri Mar 7 00:03:33 1997
--- vfs_vnops.c.saved Fri Mar 7 00:03:08 1997
***************
*** 410,420 ****
sb->st_mtimespec = vap->va_mtime;
sb->st_ctimespec = vap->va_ctime;
sb->st_blksize = vap->va_blocksize;
! if (suser (p->u_cred, &p->p_acflag)) {
! sb->st_gen = 0;
! } else {
! sb->st_gen = vap->va_gen;
! }
sb->st_gen = vap->va_gen;
#if (S_BLKSIZE == 512)
/* Optimize this case */
--- 410,416 ----
sb->st_mtimespec = vap->va_mtime;
sb->st_ctimespec = vap->va_ctime;
sb->st_blksize = vap->va_blocksize;
! sb->st_flags = vap->va_flags;
sb->st_gen = vap->va_gen;
#if (S_BLKSIZE == 512)
/* Optimize this case */
-- Karl Denninger
MCSNet
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199703070605.AAA07600>