An information-leak vulnerability was found in the kernel when it truncated a file to a smaller size which consisted of an inline extent that was compressed. The data between the new file size and the old file size was not discarded and the number of bytes used by the inode were not correctly decremented, which gave the wrong report for callers of the stat(2) syscall. This wasted metadata space and allowed for the truncated data to be leaked, and data corruption or loss to occur. A caller of the clone ioctl could exploit this flaw by using only standard file-system operations without root access to read the truncated data.
Find out more about CVE-2015-8374 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in the products listed.
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6 and is not currently planned to be addressed in future updates.
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.
Base Score | 3.5 |
---|---|
Base Metrics | AV:N/AC:M/Au:S/C:P/I:N/A:N |
Access Vector | Network |
Access Complexity | Medium |
Authentication | Single |
Confidentiality Impact | Partial |
Integrity Impact | None |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt) | RHSA-2016:2584 | 2016-11-03 |
Red Hat Enterprise Linux 7 (kernel) | RHSA-2016:2574 | 2016-11-03 |
Platform | Package | State |
---|---|---|
Red Hat Enterprise MRG 2 | realtime-kernel | Will not fix |
Red Hat Enterprise Linux 6 | kernel | Will not fix |
Red Hat Enterprise Linux 5 | kernel | Not affected |