CVE-2023-49298

OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.

References

Affected packages

Git / github.com/openzfs/zfs

Affected ranges

Type: GIT
Repo: https://github.com/openzfs/zfs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

494aaaed89cb9fe9f2da3b6c6f465a4bc9f6a7e1

Fixed

d99134be83753266b5f7a79738aeab5b08db1e35

Affected versions

zfs-0.*

zfs-0.5.1

zfs-0.5.2

zfs-0.6.0-rc1

zfs-0.6.0-rc10

zfs-0.6.0-rc11

zfs-0.6.0-rc12

zfs-0.6.0-rc13

zfs-0.6.0-rc14

zfs-0.6.0-rc2

zfs-0.6.0-rc3

zfs-0.6.0-rc4

zfs-0.6.0-rc5

zfs-0.6.0-rc6

zfs-0.6.0-rc7

zfs-0.6.0-rc8

zfs-0.6.0-rc9

zfs-0.6.1

zfs-0.6.2

zfs-0.6.3

zfs-0.6.4

zfs-0.6.5

zfs-0.7.0

zfs-0.7.0-rc1

zfs-0.7.0-rc2

zfs-0.7.0-rc3

zfs-0.7.0-rc4

zfs-0.7.0-rc5

zfs-0.8.0

zfs-0.8.0-rc1

zfs-0.8.0-rc2

zfs-0.8.0-rc3

zfs-0.8.0-rc4

zfs-0.8.0-rc5

zfs-2.*

zfs-2.0.0-rc1

zfs-2.1.0

zfs-2.1.0-rc1

zfs-2.1.0-rc2

zfs-2.1.0-rc3

zfs-2.1.0-rc4

zfs-2.1.0-rc5

zfs-2.1.0-rc6

zfs-2.1.0-rc7

zfs-2.1.0-rc8

zfs-2.1.1

zfs-2.1.10

zfs-2.1.11

zfs-2.1.12

zfs-2.1.13

zfs-2.1.2

zfs-2.1.3

zfs-2.1.4

zfs-2.1.5

zfs-2.1.6

zfs-2.1.7

zfs-2.1.8

zfs-2.1.9

zfs-2.1.99

zfs-2.2.0

zfs-2.2.0-rc1

zfs-2.2.0-rc2

zfs-2.2.0-rc3

zfs-2.2.0-rc4

zfs-2.2.0-rc5

zfs-2.2.1