Technical Description

Two vulnerabilities have been identified in Symantec Veritas File System (VxFS), which could be exploited by malicious users to gain knowledge of sensitive information.

The first issue is caused by an error in the "qiomkfile" command that allocates file system blocks to a new file without initializing those blocks, which could cause the contents of the blocks to become readable by any user that can read the new file.

The second vulnerability is caused by an error in the set-uid root "qioadmin" utility for the Quick I/O for Database feature, which could allow unprivileged users to disclose the contents of arbitrary files.

Affected Products

Symantec Veritas File System (VxFS) for Solaris, Linux, AIX and HP-UX

Solution

Symantec Veritas File System (VxFS) for Solaris, Linux, and AIX - Upgrade to version 5.0 MP3 :
http://entsupport.symantec.com/docs/310872

Symantec Veritas File System (VxFS) for HP-UX - Remove the set-uid flag for qioadmin and qiomkfile

References

http://www.vupen.com/english/advisories/2008/2875
http://securityresponse.symantec.com/avcenter/security/Content/2008.10.20.html

Credits

Vulnerabilities reported by Derek Callaway (Security Objectives).

ChangeLog

2008-10-21 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.