CVE-2023-49298
Publication date 24 November 2023
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
Status
Package | Ubuntu Release | Status |
---|---|---|
zfs-linux | 24.04 LTS noble |
Fixed 2.2.2-0ubuntu2
|
22.04 LTS jammy |
Fixed 2.1.5-1ubuntu6~22.04.4
|
|
20.04 LTS focal |
Fixed 0.8.3-1ubuntu12.17
|
|
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial |
Vulnerable
|
|
14.04 LTS trusty | Ignored end of standard support |
Notes
mdeslaur
This was fixed by a SRU in bug 2044657. For jammy and mantic, the packages were subsequently released in the -security pocket, but for focal, it is still in -updates, but the issue isn't seen in the focal version because of the default configuration so marking as released. No USN has been published for these updates.
Patch details
Package | Patch details |
---|---|
zfs-linux |
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Other references
- https://news.ycombinator.com/item?id=38405731
- https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files
- https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2
- https://gist.github.com/rincebrain/e23b4a39aba3fadc04db18574d30dc73
- https://www.cve.org/CVERecord?id=CVE-2023-49298