PT-2023-31158 · Unknown+3 · GNU Core Utilities+3

Moviuro · Published 2023-11-24 · Updated 2025-04-05 · CVE-2023-49298

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OpenZFS versions 2.1.13 and earlier
OpenZFS versions 2.2.x through 2.2.1

Description

In certain scenarios involving applications that rely on efficient copying of file data, file contents can be replaced with zero-valued bytes, which can potentially disable security mechanisms. One example is using cp from a recent GNU Core Utilities (coreutils) version to preserve a rule set for denying unauthorized access, such as when configuring access control with the /etc/hosts.deny file. The issue is not always security-related, but it can be in realistic situations.

Recommendations

For OpenZFS versions 2.1.13 and earlier, and for OpenZFS versions 2.2.x through 2.2.1, consider updating to a version where this issue is fixed, if available.

As a temporary workaround until a patch is available, consider avoiding applications that rely on efficient copying of file data, such as cp, when preserving security-related configurations.

Restrict access to sensitive files and configurations to minimize the risk of exploitation.
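
A post-copy check that complements the recommendations above, as an added example that is not part of the original advisory or of OpenZFS or coreutils: it compares a copied file with its source and separately flags a destination made up entirely of zero-valued bytes. The helper names `is_all_zero`, `verify_copy` and `demo`, the return codes, and the sample rule file contents are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: post-copy integrity check for security-relevant files.
# Helper names are hypothetical, not part of coreutils or OpenZFS.

# Succeeds if FILE is non-empty and holds only zero-valued bytes.
is_all_zero() {
    local file=$1 size
    size=$(( $(wc -c < "$file") ))
    [ "$size" -gt 0 ] || return 1
    # Compare against the same number of bytes read from /dev/zero.
    head -c "$size" /dev/zero | cmp -s - "$file"
}

# Returns: 0 identical, 1 contents differ (including partly zeroed copies),
#          2 destination entirely zero-filled, 3 source or destination missing.
verify_copy() {
    local src=$1 dst=$2
    [ -f "$src" ] && [ -f "$dst" ] || return 3
    if cmp -s "$src" "$dst"; then
        return 0
    fi
    if is_all_zero "$dst" && ! is_all_zero "$src"; then
        return 2
    fi
    return 1
}

# Constructed sample: a hosts.deny-style rule file and a zero-filled "copy".
demo() {
    local dir size rc=0
    dir=$(mktemp -d) || return 1
    printf 'sshd: 203.0.113.\nALL: .example.net\n' > "$dir/hosts.deny"
    size=$(( $(wc -c < "$dir/hosts.deny") ))
    head -c "$size" /dev/zero > "$dir/hosts.deny.copy"
    verify_copy "$dir/hosts.deny" "$dir/hosts.deny.copy" || rc=$?
    rm -rf "$dir"
    echo "$rc"   # 2: the copy lost its rules to zero bytes
}
```

Treat any non-zero result from `verify_copy` as a failed copy and keep the previous rule file in place until the contents match.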

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2023-49298
DLA-3766-1
DLA-4114-1

Affected Products

Debian
GNU Core Utilities
OpenZFS
RED OS