The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
http://marc.info/?l=oss-security&m=127677135609357&w=2
http://marc.info/?l=oss-security&m=127687486331790&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=605158
http://secunia.com/advisories/43315
http://www.debian.org/security/2010/dsa-2094
http://www.mandriva.com/security/advisories?name=MDVSA-2010:198
http://www.redhat.com/support/errata/RHSA-2010-0610.html
http://www.ubuntu.com/usn/USN-1000-1
http://www.vmware.com/security/advisories/VMSA-2011-0003.html