CVE-2009-4411

Publication date 24 December 2009

Last updated 24 July 2024

Description

The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
acl	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	11.10 oneiric	Not affected
	11.04 natty	Not affected
	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	9.10 karmic	Ignored end of life
	9.04 jaunty	Ignored end of life
	8.10 intrepid	Ignored end of life, was needed
	8.04 LTS hardy	Ignored end of life
	6.06 LTS dapper	Ignored end of life

How can I get the fixes?
What do statuses mean?

Notes

sbeattie

hardy may not be needed, according to debian bug report the issue may have introduced in 2.2.46.

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2009-4411