fs/proc/base.c in the Linux kernel before 220.127.116.11 does not properly restrict access to /proc/#####/io files, which allows local users to obtain sensitive I/O statistics by polling a file, as demonstrated by discovering the length of another user's password.
This has been addressed in Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1212.html, https://rhn.redhat.com/errata/RHSA-2011-1189.html, and https://rhn.redhat.com/errata/RHSA-2011-1253.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.
CVE-2011-2495 kernel: /proc/PID/io infoleak
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Red Hat Security Errata
|Red Hat Enterprise Linux 6 (kernel)
|Red Hat Enterprise Linux EUS (v. 5.6 server) (kernel)
|MRG Grid for RHEL 6 Server v.2 (kernel-rt)
|Red Hat Enterprise Linux 5 (kernel)
Affected Packages State
|Red Hat Enterprise MRG 2.0
|Red Hat Enterprise Linux 4
||Will not fix