CVE-2009-4411

Priority
Low
Description
The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in
recursive (-R) mode, follow symbolic links even when the --physical (aka
-P) or -L option is specified, which might allow local users to modify the
ACL for arbitrary files or directories via a symlink attack.
References
Bugs
debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076
upstream: http://savannah.nongnu.org/bugs/?28131
Notes
sbeattie> hardy may not be needed; according to the Debian bug report, the
sbeattie> issue may have been introduced in 2.2.46.
Package
Source: acl (LP Ubuntu Debian)
Upstream: needed
Ubuntu 12.04 LTS (Precise Pangolin): not-affected (2.2.49-2)
More Information


Updated: 2015-07-15 19:33:01 UTC (commit 9690)