Bug 65424 (CVE-2005-2801)

Summary: L3: VUL-0: CVE-2005-2801: kernel: Default ACLs disappear
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Gruenbacher <agruen>
Component: Incidents
Assignee: Rolf Schmidt <rschmid>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: gp, hhetter, rf, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2005-2801: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Proposed fix
This fixes the real problem

Description Andreas Gruenbacher 2005-02-02 20:35:24 UTC
We have a race in ext2/ext3 extended attribute sharing that has been reported to
show as default ACLs that disappear under specific circumstances. We haven't had
bug reports against SLES8 or SLES9 so far, and I was assuming that this did not
trigger, but now I have a bug report from Grant Bigham from IBM; he has
triggered it on SLES8. (The bug was fixed in the mainline kernel in December.)

This will probably become an L3 case. I'm already working on a minimal fix for
SLES8 and SLES9 SP1; for SP2 we might want to have the "proper" fix instead.
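The symptom described above (a default ACL that should be present but is not) can be checked from the raw xattr side rather than through getfacl. The following is an added example, not code from this bug or its patches; it assumes a Linux host (os.getxattr) and the POSIX ACL xattr layout (version 2 header followed by 8-byte tag/perm/id entries), and the sample entries in the comments are constructed.

```python
import errno
import os
import struct
from typing import List, Optional, Tuple

# Constants from the POSIX ACL xattr format (include/uapi/linux/posix_acl_xattr.h).
ACL_XATTR_VERSION = 0x0002
ACL_UNDEFINED_ID = 0xFFFFFFFF          # e_id for entries without a qualifier
TAG_NAMES = {0x01: "user", 0x02: "user", 0x04: "group",
             0x08: "group", 0x10: "mask", 0x20: "other"}
DEFAULT_ACL_XATTR = "system.posix_acl_default"

AclEntry = Tuple[int, int, int]        # (e_tag, e_perm, e_id)


def decode_posix_acl(blob: bytes) -> List[AclEntry]:
    """Parse a raw ACL xattr value: a little-endian u32 version header
    followed by 8-byte (u16 tag, u16 perm, u32 id) entries."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("truncated or misaligned ACL blob")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != ACL_XATTR_VERSION:
        raise ValueError(f"unsupported ACL xattr version {version}")
    return [struct.unpack_from("<HHI", blob, off) for off in range(4, len(blob), 8)]


def encode_posix_acl(entries: List[AclEntry]) -> bytes:
    """Inverse of decode_posix_acl; the result is what os.setxattr expects."""
    return struct.pack("<I", ACL_XATTR_VERSION) + b"".join(
        struct.pack("<HHI", tag, perm, ident) for tag, perm, ident in entries)


def acl_to_text(entries: List[AclEntry]) -> str:
    """Render entries in the short getfacl style, e.g. user::rwx,group:1000:r-x."""
    parts = []
    for tag, perm, ident in entries:
        qualifier = "" if ident == ACL_UNDEFINED_ID else str(ident)
        rwx = "".join(c if perm & bit else "-" for c, bit in (("r", 4), ("w", 2), ("x", 1)))
        parts.append(f"{TAG_NAMES[tag]}:{qualifier}:{rwx}")
    return ",".join(parts)


def read_default_acl(directory: str) -> Optional[str]:
    """Return the directory's default ACL as text, or None if none is set.
    None on a directory that had one set earlier is the symptom reported here."""
    try:
        blob = os.getxattr(directory, DEFAULT_ACL_XATTR)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return acl_to_text(decode_posix_acl(blob))
```

Running read_default_acl over a directory before and after a burst of concurrent file creates gives a reproducible regression check for this class of bug.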
Comment 1 Andreas Gruenbacher 2005-02-02 21:44:05 UTC
Created attachment 28134 [details]
Proposed fix

This is a minimal fix that will somewhat slow down ext2 and ext3, but should
suffice to fix the race. I'm testing this fix now.
Comment 2 Marcus Meissner 2005-02-03 17:46:29 UTC
This affects older releases too, right?
Comment 3 Andreas Gruenbacher 2005-02-03 17:59:53 UTC
Yes, SLES8 and SLES9 are affected. The fix in comment 1 didn't fix the problem
for Grant. That was on an s390, but the bug has been reproduced on i386 with
2.6.10 mainline before, so I'll try to collect more debug information there first.
Comment 4 Andreas Gruenbacher 2005-02-06 02:06:51 UTC
Created attachment 28230 [details]
This fixes the real problem

In order not to run into the other bugs that Andrew Tridgell triggered, we
should apply the patches in both attachments.
Comment 5 Andreas Gruenbacher 2005-02-07 18:29:11 UTC
Note that the fix from comment 1 only fixes the mbcache race, but does not
address the journal_release_buffer journal accounting bug. The
journal_release_buffer bug is even more unlikely to trigger, and I'd prefer not
to fix it at all without any customer bug reports.
Comment 6 Andreas Gruenbacher 2005-02-07 18:42:52 UTC
Ralf, I need your decision concerning the fix in comment 1: IMO it is safe, but
the change is too fundamental to release without having QA run a bunch of ACL
tests on it.
Comment 11 Holger Hetterich 2005-02-11 23:18:12 UTC
Reassigning to agruen. Andreas, can you please create the mentioned PTF as an
mbuild?

Comment 21 Andreas Gruenbacher 2005-03-09 13:59:45 UTC
This issue is already fixed in all relevant branches.
Comment 23 Marcus Meissner 2005-04-14 11:29:40 UTC
I released this fix with a security update already.
Comment 24 Rolf Schmidt 2005-04-27 14:29:29 UTC
Issue is resolved. STTS Ticket closed. 
Comment 25 Ludwig Nussel 2005-09-09 11:43:30 UTC
CAN-2005-2801 
Comment 26 Thomas Biege 2009-10-13 21:03:31 UTC
CVE-2005-2801: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)