DEBIAN-CVE-2023-52779
- Source
- https://security-tracker.debian.org/tracker/CVE-2023-52779
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-52779.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-52779
- Upstream
- Published
- 2024-05-21T16:15:16Z
- Modified
- 2025-10-14T04:01:07Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: fs: Pass ATGETATTRNOSEC flag to getattr interface function When vfsgetattrnosec() calls a filesystem's getattr interface function then the 'nosec' should propagate into this function so that vfsgetattrnosec() can again be called from the filesystem's gettattr rather than vfsgetattr(). The latter would add unnecessary security checks that the initial vfsgetattrnosec() call wanted to avoid. Therefore, introduce the getattr flag GETATTRNOSEC and allow to pass with the new getattrflags parameter to the getattr interface function. In overlayfs and ecryptfs use this flag to determine which one of the two functions to call. In a recent code change introduced to IMA vfsgetattrnosec() ended up calling vfsgetattr() in overlayfs, which in turn called securityinodegetattr() on an exiting process that did not have current->fs set anymore, which then caused a kernel NULL pointer dereference. With this change the call to securityinodegetattr() can be avoided, thus avoiding the NULL pointer dereference.
- References
Affected packages
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source