CVE-2023-49298

OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
References
Link Resource
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 Issue Tracking Patch
https://bugs.gentoo.org/917224
https://github.com/openzfs/zfs/issues/15526 Exploit Issue Tracking Patch Vendor Advisory
https://github.com/openzfs/zfs/pull/15571 Exploit Patch Vendor Advisory
https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14
https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2
https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html
https://news.ycombinator.com/item?id=38405731 Patch Third Party Advisory
https://news.ycombinator.com/item?id=38770168
https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files Third Party Advisory
https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 Issue Tracking Patch
https://bugs.gentoo.org/917224
https://github.com/openzfs/zfs/issues/15526 Exploit Issue Tracking Patch Vendor Advisory
https://github.com/openzfs/zfs/pull/15571 Exploit Patch Vendor Advisory
https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14
https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2
https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html
https://news.ycombinator.com/item?id=38405731 Patch Third Party Advisory
https://news.ycombinator.com/item?id=38770168
https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files Third Party Advisory
https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:openzfs:openzfs:*:*:*:*:*:*:*:*
cpe:2.3:a:openzfs:openzfs:2.2.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*

History

21 Nov 2024, 08:33

Type Values Removed Values Added
References () https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 - Issue Tracking, Patch () https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 - Issue Tracking, Patch
References () https://bugs.gentoo.org/917224 - () https://bugs.gentoo.org/917224 -
References () https://github.com/openzfs/zfs/issues/15526 - Exploit, Issue Tracking, Patch, Vendor Advisory () https://github.com/openzfs/zfs/issues/15526 - Exploit, Issue Tracking, Patch, Vendor Advisory
References () https://github.com/openzfs/zfs/pull/15571 - Exploit, Patch, Vendor Advisory () https://github.com/openzfs/zfs/pull/15571 - Exploit, Patch, Vendor Advisory
References () https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14 - () https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14 -
References () https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2 - () https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2 -
References () https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html - () https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html -
References () https://news.ycombinator.com/item?id=38405731 - Patch, Third Party Advisory () https://news.ycombinator.com/item?id=38405731 - Patch, Third Party Advisory
References () https://news.ycombinator.com/item?id=38770168 - () https://news.ycombinator.com/item?id=38770168 -
References () https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files - Third Party Advisory () https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files - Third Party Advisory
References () https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/ - () https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/ -

18 Mar 2024, 22:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html -

26 Dec 2023, 15:15

Type Values Removed Values Added
References
  • () https://news.ycombinator.com/item?id=38770168 -
  • () https://bugs.gentoo.org/917224 -

07 Dec 2023, 07:15

Type Values Removed Values Added
References
  • () https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2 -
  • () https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14 -
  • () https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/ -

30 Nov 2023, 20:10

Type Values Removed Values Added
CWE CWE-639
CPE cpe:2.3:a:openzfs:openzfs:*:*:*:*:*:*:*:*
cpe:2.3:a:openzfs:openzfs:2.2.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*
References () https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files - () https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files - Third Party Advisory
References () https://github.com/openzfs/zfs/issues/15526 - () https://github.com/openzfs/zfs/issues/15526 - Exploit, Issue Tracking, Patch, Vendor Advisory
References () https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 - () https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308 - Issue Tracking, Patch
References () https://github.com/openzfs/zfs/pull/15571 - () https://github.com/openzfs/zfs/pull/15571 - Exploit, Patch, Vendor Advisory
References () https://news.ycombinator.com/item?id=38405731 - () https://news.ycombinator.com/item?id=38405731 - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

27 Nov 2023, 13:52

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-24 19:15

Updated : 2024-11-21 08:33


NVD link : CVE-2023-49298

Mitre link : CVE-2023-49298

CVE.ORG link : CVE-2023-49298


JSON object : View

Products Affected

openzfs

  • openzfs

freebsd

  • freebsd
CWE
CWE-639

Authorization Bypass Through User-Controlled Key