CVE-2009-4411

Priority
Low
Description
The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in
recursive (-R) mode, follow symbolic links even when the --physical (aka
-P) or -L option is specified, which might allow local users to modify the
ACL for arbitrary files or directories via a symlink attack.
References
Bugs
debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076
upstream: http://savannah.nongnu.org/bugs/?28131
Notes
sbeattie> hardy may not be needed; according to the Debian bug report, the
sbeattie> issue may have been introduced in 2.2.46.
Package
Source: acl (LP Ubuntu Debian)
Upstream:needed
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected (2.2.49-2)
Ubuntu 11.10 (Oneiric Ocelot):not-affected (2.2.49-2)
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (2.2.49-2)
Ubuntu 12.10 (Quantal Quetzal):not-affected (2.2.49-2)
Ubuntu 13.04 (Raring Ringtail):not-affected (2.2.49-2)
Ubuntu 13.10 (Saucy Salamander):not-affected (2.2.49-2)

Updated: 2013-05-09 15:18:00 UTC (commit 6824)