CVE-2008-3833 : The generic_file_splice_write function in fs/splice.c in the Linux kernel before

The generic_file_splice_write function in fs/splice.c in the Linux kernel before 2.6.19 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory, a different vulnerability than CVE-2008-4210.

Published 2008-10-03 17:41:40

Updated 2023-02-13 02:19:28

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2008-3833

Linux » Linux Kernel
Versions up to, including, (<=) 2.6.26.4
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.4.36.2
cpe:2.3:o:linux:linux_kernel:2.4.36.2:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.4.36
cpe:2.3:o:linux:linux_kernel:2.4.36:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.4.36.3
cpe:2.3:o:linux:linux_kernel:2.4.36.3:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.4.36.4
cpe:2.3:o:linux:linux_kernel:2.4.36.4:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.2.27
cpe:2.3:o:linux:linux_kernel:2.2.27:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.4.36.5
cpe:2.3:o:linux:linux_kernel:2.4.36.5:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.4.36.1
cpe:2.3:o:linux:linux_kernel:2.4.36.1:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.4.36.6
cpe:2.3:o:linux:linux_kernel:2.4.36.6:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.18 Update RC1
cpe:2.3:o:linux:linux_kernel:2.6.18:rc1:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.18 Update RC2
cpe:2.3:o:linux:linux_kernel:2.6.18:rc2:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.18 Update RC5
cpe:2.3:o:linux:linux_kernel:2.6.18:rc5:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.18 Update RC3
cpe:2.3:o:linux:linux_kernel:2.6.18:rc3:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.18 Update RC4
cpe:2.3:o:linux:linux_kernel:2.6.18:rc4:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.18
cpe:2.3:o:linux:linux_kernel:2.6.18:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.18 Update RC6
cpe:2.3:o:linux:linux_kernel:2.6.18:rc6:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.18 Update RC7
cpe:2.3:o:linux:linux_kernel:2.6.18:rc7:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22
cpe:2.3:o:linux:linux_kernel:2.6.22:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.1
cpe:2.3:o:linux:linux_kernel:2.6.22.1:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.9
cpe:2.3:o:linux:linux_kernel:2.6.23.9:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23
cpe:2.3:o:linux:linux_kernel:2.6.23:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.19.7
cpe:2.3:o:linux:linux_kernel:2.6.19.7:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.19.4
cpe:2.3:o:linux:linux_kernel:2.6.19.4:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.19.5
cpe:2.3:o:linux:linux_kernel:2.6.19.5:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.19.6
cpe:2.3:o:linux:linux_kernel:2.6.19.6:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.21.7
cpe:2.3:o:linux:linux_kernel:2.6.21.7:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.21.6
cpe:2.3:o:linux:linux_kernel:2.6.21.6:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.21.5
cpe:2.3:o:linux:linux_kernel:2.6.21.5:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.20.20
cpe:2.3:o:linux:linux_kernel:2.6.20.20:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.20.19
cpe:2.3:o:linux:linux_kernel:2.6.20.19:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.20.16
cpe:2.3:o:linux:linux_kernel:2.6.20.16:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.20.21
cpe:2.3:o:linux:linux_kernel:2.6.20.21:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.20.18
cpe:2.3:o:linux:linux_kernel:2.6.20.18:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.20.17
cpe:2.3:o:linux:linux_kernel:2.6.20.17:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6
cpe:2.3:o:linux:linux_kernel:2.6:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.20
cpe:2.3:o:linux:linux_kernel:2.6.22.20:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.19
cpe:2.3:o:linux:linux_kernel:2.6.22.19:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.8
cpe:2.3:o:linux:linux_kernel:2.6.22.8:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.9
cpe:2.3:o:linux:linux_kernel:2.6.22.9:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.13
cpe:2.3:o:linux:linux_kernel:2.6.22.13:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.14
cpe:2.3:o:linux:linux_kernel:2.6.22.14:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.15
cpe:2.3:o:linux:linux_kernel:2.6.22.15:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.17
cpe:2.3:o:linux:linux_kernel:2.6.22.17:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.18
cpe:2.3:o:linux:linux_kernel:2.6.22.18:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.22
cpe:2.3:o:linux:linux_kernel:2.6.22.22:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.21
cpe:2.3:o:linux:linux_kernel:2.6.22.21:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.2
cpe:2.3:o:linux:linux_kernel:2.6.22.2:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.10
cpe:2.3:o:linux:linux_kernel:2.6.22.10:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.11
cpe:2.3:o:linux:linux_kernel:2.6.22.11:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22.12
cpe:2.3:o:linux:linux_kernel:2.6.22.12:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.13
cpe:2.3:o:linux:linux_kernel:2.6.23.13:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.8
cpe:2.3:o:linux:linux_kernel:2.6.23.8:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.11
cpe:2.3:o:linux:linux_kernel:2.6.23.11:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.12
cpe:2.3:o:linux:linux_kernel:2.6.23.12:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.10
cpe:2.3:o:linux:linux_kernel:2.6.23.10:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.24
cpe:2.3:o:linux:linux_kernel:2.6.24:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.16
cpe:2.3:o:linux:linux_kernel:2.6.23.16:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.15
cpe:2.3:o:linux:linux_kernel:2.6.23.15:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.23.17
cpe:2.3:o:linux:linux_kernel:2.6.23.17:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.25
cpe:2.3:o:linux:linux_kernel:2.6.25:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.26.3
cpe:2.3:o:linux:linux_kernel:2.6.26.3:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.26.1
cpe:2.3:o:linux:linux_kernel:2.6.26.1:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.26.2
cpe:2.3:o:linux:linux_kernel:2.6.26.2:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22 Rc1
cpe:2.3:o:linux:linux_kernel:2.6.22_rc1:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 2.6.22 Rc7
cpe:2.3:o:linux:linux_kernel:2.6.22_rc7:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2008-3833

Top countries where our scanners detected CVE-2008-3833

Top open port discovered on systems with this issue 52869

IPs affected by CVE-2008-3833 192,991

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2008-3833!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2008-3833

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 8 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2008-3833

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.9	MEDIUM	AV:L/AC:L/Au:N/C:C/I:N/A:N	3.9	6.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: None Availability Impact: None

CWE ids for CVE-2008-3833

CWE-264

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2008-3833

Red Hat 2009-01-15

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html

References for CVE-2008-3833

https://bugzilla.redhat.com/show_bug.cgi?id=464450
http://www.securityfocus.com/bid/31567
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9980
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.19.y.git%3Ba=commit%3Bh=8c34e2d63231d4bf4852bac8521883944d770fe3
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html

[security-announce] SUSE Security Summary Report: SUSE-SR:2008:025 - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
http://openwall.com/lists/oss-security/2008/10/03/1
http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.19/ChangeLog-2.6.19-rc3
http://www.redhat.com/support/errata/RHSA-2008-0957.html

Support

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/45922
http://www.debian.org/security/2008/dsa-1653

Debian -- Security Information -- DSA-1653-1 linux-2.6

CVEs referencing this url

Jump to