FreeBSD 7.1 through 8.1-PRERELEASE does not copy the read-only flag when creating a duplicate mbuf buffer reference, which allows local users to cause a denial of service (system file corruption) and gain privileges via the sendfile system call.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 7.1 (including) | 7.1 (including) |
| Freebsd | Freebsd | 7.1-pre-release (including) | 7.1-pre-release (including) |
| Freebsd | Freebsd | 7.1-rc1 (including) | 7.1-rc1 (including) |
| Freebsd | Freebsd | 7.1-release-p1 (including) | 7.1-release-p1 (including) |
| Freebsd | Freebsd | 7.1-release-p2 (including) | 7.1-release-p2 (including) |
| Freebsd | Freebsd | 7.1-release-p4 (including) | 7.1-release-p4 (including) |
| Freebsd | Freebsd | 7.1-release-p5 (including) | 7.1-release-p5 (including) |
| Freebsd | Freebsd | 7.1-release-p6 (including) | 7.1-release-p6 (including) |
| Freebsd | Freebsd | 7.2 (including) | 7.2 (including) |
| Freebsd | Freebsd | 7.2-pre-release (including) | 7.2-pre-release (including) |
| Freebsd | Freebsd | 7.2-stable (including) | 7.2-stable (including) |
| Freebsd | Freebsd | 7.3 (including) | 7.3 (including) |
| Freebsd | Freebsd | 8.0 (including) | 8.0 (including) |
| Freebsd | Freebsd | 8.1-pre-release (including) | 8.1-pre-release (including) |
| Kfreebsd-8 | Ubuntu | lucid | * |
| Kfreebsd-8 | Ubuntu | maverick | * |
| Kfreebsd-8 | Ubuntu | upstream | * |