Bug 809155 (CVE-2013-1848) - VUL-1: CVE-2013-1848: kernel: format string exploit in ext3 super
Summary: VUL-1: CVE-2013-1848: kernel: format string exploit in ext3 super
Status: RESOLVED FIXED
Alias: CVE-2013-1848
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp2:52260 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-13 12:52 UTC by Marcus Meissner
Modified: 2014-06-12 08:37 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-03-13 12:52:27 UTC 
not yet fully disclosed.

CRD Monday, 2013-03-18.

CVE-2013-1848

From: Petr Matousek <pmatouse@redhat.com>
Date: Tue, 12 Mar 2013 18:48:42 +0100
Subject: [vs-plain] CVE-2013-1848

Hello, vendors.

This is the first security@kernel.org security issue forwarded as per
oss-sec agreement (http://seclists.org/oss-sec/2013/q1/454 thread).

The description of the issue and fix can be found at:
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/fs/ext3?id=8d0c2d10dd72c5292eda7a06231056a4c972e4cc

Lars-Peter also commented that:

"If the user has privileges to mount a filesystem while being able to
specify mount options, it is pretty easy to use this to cause a denial
of service on the kernel:
        `mount -t ext3 -o loop,sd=%n%n%n%n... ext3.bin mnt`

It can also be used to disclose data from the kernel stack and I
wouldn't be surprised if code execution is also possible."

If noone objects I'll send the info about this issue to oss-sec on
Monday, 2013-03-18.
Comment 1 Jan Kara 2013-03-13 14:21:38 UTC 
The bug affects SLE11-SP2 (and SP3) kernels and openSUSE kernels. The fix should get to these via -stable kernels but I'll push it directly to our repo just in case some maintenance update gets released before that.
Comment 2 Jan Kara 2013-03-13 17:10:01 UTC 
OK, pushed to these branches. So it's done from my POV. Markus, should I reassign to you for further tracking?
Comment 7 Marcus Meissner 2013-03-15 07:30:29 UTC 
in mainline.

commit 8d0c2d10dd72c5292eda7a06231056a4c972e4cc
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Sat Mar 9 15:28:44 2013 +0100

    ext3: Fix format string issues
    
    ext3_msg() takes the printk prefix as the second parameter and the
    format string as the third parameter. Two callers of ext3_msg omit the
    prefix and pass the format string as the second parameter and the first
    parameter to the format string as the third parameter. In both cases
    this string comes from an arbitrary source. Which means the string may
    contain format string characters, which will
    lead to undefined and potentially harmful behavior.
    
    The issue was introduced in commit 4cf46b67eb("ext3: Unify log messages
    in ext3") and is fixed by this patch.
    
    CC: stable@vger.kernel.org
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Signed-off-by: Jan Kara <jack@suse.cz>
Comment 8 Marcus Meissner 2013-04-19 16:25:37 UTC 
in patches.kernel.org/patch-3.0.69-70
Comment 9 Marcus Meissner 2013-05-07 11:45:44 UTC 
We have just released a kernel update for SUSE Linux Enterprise 11 SP2 that mentions/fixes this bug. The released kernel version is 3.0.74-0.6.6.2.
Comment 10 Swamp Workflow Management 2013-05-07 14:15:06 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-trace-man, ocfs2-kmp-default, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (s390x)
SLE-HAE 11-SP2 (s390x)
SLE-SERVER 11-SP2 (s390x)
Comment 11 Swamp Workflow Management 2013-05-07 14:38:10 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-ec2-hmac, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-pae-hmac, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-pae, ocfs2-kmp-trace, ocfs2-kmp-xen
Products:
SLE-DEBUGINFO 11-SP2 (i386)
SLE-DESKTOP 11-SP2 (i386)
SLE-HAE 11-SP2 (i386)
SLE-SERVER 11-SP2 (i386)
SLES4VMWARE 11-SP2 (i386)
Comment 12 Swamp Workflow Management 2013-05-07 14:46:09 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-ppc64, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-ppc64, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-ppc64-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-ppc64, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (ppc64)
SLE-HAE 11-SP2 (ppc64)
SLE-SERVER 11-SP2 (ppc64)
Comment 13 Swamp Workflow Management 2013-05-07 15:27:38 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (ia64)
SLE-HAE 11-SP2 (ia64)
SLE-SERVER 11-SP2 (ia64)
Comment 14 Swamp Workflow Management 2013-05-07 19:09:55 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)
Comment 15 Swamp Workflow Management 2013-05-07 20:10:33 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-pae, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)
Comment 16 Swamp Workflow Management 2013-05-07 21:11:52 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)
Comment 17 Swamp Workflow Management 2013-05-07 22:12:30 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-ppc64, ext4-writeable-kmp-trace, kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)
Comment 18 Swamp Workflow Management 2013-05-07 23:13:51 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)
Comment 19 Swamp Workflow Management 2013-05-14 12:10:43 UTC 
Update released for: cluster-network-kmp-rt, cluster-network-kmp-rt_trace, drbd-kmp-rt, drbd-kmp-rt_trace, iscsitarget-kmp-rt, iscsitarget-kmp-rt_trace, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt-hmac, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-rt_trace-hmac, kernel-source-rt, kernel-syms-rt, lttng-modules-kmp-rt, lttng-modules-kmp-rt_trace, ocfs2-kmp-rt, ocfs2-kmp-rt_trace, ofed-kmp-rt, ofed-kmp-rt_trace
Products:
SLE-RT 11-SP2 (x86_64)
Comment 20 Marcus Meissner 2013-05-24 14:23:53 UTC 
all done i think.
Comment 21 Swamp Workflow Management 2013-05-24 15:06:05 UTC 
openSUSE-SU-2013:0824-1: An update that solves 8 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 792500,802153,805633,806138,806976,806980,808829,809155,809330,809748,813963
CVE References: CVE-2013-0913,CVE-2013-1763,CVE-2013-1767,CVE-2013-1774,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-1848
Sources used:
openSUSE 12.2 (src):    kernel-docs-3.4.42-2.28.2, kernel-source-3.4.42-2.28.1, kernel-syms-3.4.42-2.28.1
Comment 22 Swamp Workflow Management 2013-06-10 09:22:01 UTC 
openSUSE-SU-2013:0923-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 800686,802812,806966,806980,806990,807850,808829,809155,809330,809748,811417,812113
CVE References: CVE-2013-0913,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-1848
Sources used:
openSUSE 12.3 (src):    kernel-docs-3.7.10-1.4.3, kernel-source-3.7.10-1.4.1, kernel-syms-3.7.10-1.4.1
Comment 23 Swamp Workflow Management 2013-06-10 09:46:16 UTC 
openSUSE-SU-2013:0925-1: An update that solves 21 vulnerabilities and has 87 fixes is now available.

Category: security (important)
Bug References: 578046,651219,714604,722398,730117,736149,738210,744692,754583,754898,758243,761849,762424,763494,767612,768052,773577,776787,777616,777746,779577,780977,786150,786814,786900,787821,788826,789235,789311,789359,790867,792674,792793,793139,793671,794513,794529,794805,795269,795928,795957,795961,796412,796418,796823,797042,797175,798921,799197,799209,799270,799275,799578,799926,800280,800701,801038,801178,801713,801717,801720,801782,802153,802353,802445,802712,803056,803067,803394,803674,803712,804154,804220,804609,805823,806138,806395,806404,806431,806466,806469,806492,806631,806825,806847,806908,806976,806980,807431,807517,807560,807853,808166,808307,808829,808966,808991,809155,809166,809375,809493,809748,812281,812315,813963,816443,819789,89359
CVE References: CVE-2010-3873,CVE-2011-4131,CVE-2011-4604,CVE-2011-4622,CVE-2012-1601,CVE-2012-2119,CVE-2012-2137,CVE-2012-4461,CVE-2012-5517,CVE-2013-0160,CVE-2013-0216,CVE-2013-0231,CVE-2013-0871,CVE-2013-0913,CVE-2013-1767,CVE-2013-1774,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-1848,CVE-2013-2094
Sources used:
openSUSE 11.4 (src):    iscsitarget-1.4.19-18.2, kernel-docs-3.0.74-34.2, kernel-source-3.0.74-34.1, kernel-syms-3.0.74-34.1, ndiswrapper-1.57rc1-20.1, omnibook-20100406-13.1, open-vm-tools-2012.8.8.1-41.1, pcfclock-0.44-250.1, preload-1.2-6.29.1, systemtap-1.4-1.11.1, virtualbox-4.0.12-0.58.1, xen-4.0.3_05-57.1, xtables-addons-1.37-0.22.1
Comment 24 Marcus Meissner 2013-06-17 05:38:48 UTC 
We have just released a kernel update for SUSE Linux Enterprise 11 SP2 that mentions/fixes this problem. Released kernel version is 3.0.80-0.5.1.
Comment 25 Swamp Workflow Management 2013-06-17 07:05:49 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)
Comment 26 Swamp Workflow Management 2013-06-17 08:05:55 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-pae, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)
Comment 27 Swamp Workflow Management 2013-06-17 09:07:21 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-ppc64, ext4-writeable-kmp-trace, kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)
Comment 28 Swamp Workflow Management 2013-06-17 10:12:48 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)
Comment 29 Swamp Workflow Management 2013-06-17 10:57:25 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-trace, ocfs2-kmp-xen, xen-kmp-default, xen-kmp-pae, xen-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (x86_64)
SLE-DESKTOP 11-SP2 (x86_64)
SLE-HAE 11-SP2 (x86_64)
SLE-SERVER 11-SP2 (x86_64)
SLES4VMWARE 11-SP2 (x86_64)
Comment 30 Swamp Workflow Management 2013-06-17 11:03:35 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-ppc64, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-ppc64, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-ppc64-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-ppc64, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (ppc64)
SLE-HAE 11-SP2 (ppc64)
SLE-SERVER 11-SP2 (ppc64)
Comment 31 Swamp Workflow Management 2013-06-17 11:08:44 UTC 
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)
Comment 32 Swamp Workflow Management 2013-06-17 11:20:14 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-ec2-hmac, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-pae-hmac, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-pae, ocfs2-kmp-trace, ocfs2-kmp-xen
Products:
SLE-DEBUGINFO 11-SP2 (i386)
SLE-DESKTOP 11-SP2 (i386)
SLE-HAE 11-SP2 (i386)
SLE-SERVER 11-SP2 (i386)
SLES4VMWARE 11-SP2 (i386)
Comment 33 Swamp Workflow Management 2013-06-17 11:33:06 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (ia64)
SLE-HAE 11-SP2 (ia64)
SLE-SERVER 11-SP2 (ia64)
Comment 34 Swamp Workflow Management 2013-06-17 11:35:02 UTC 
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-trace-man, ocfs2-kmp-default, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (s390x)
SLE-HAE 11-SP2 (s390x)
SLE-SERVER 11-SP2 (s390x)
Comment 35 Swamp Workflow Management 2013-06-18 07:05:24 UTC 
Update released for: cluster-network-kmp-rt, cluster-network-kmp-rt_trace, drbd-kmp-rt, drbd-kmp-rt_trace, iscsitarget-kmp-rt, iscsitarget-kmp-rt_trace, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt-hmac, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-rt_trace-hmac, kernel-source-rt, kernel-syms-rt, lttng-modules-kmp-rt, lttng-modules-kmp-rt_trace, ocfs2-kmp-rt, ocfs2-kmp-rt_trace, ofed-kmp-rt, ofed-kmp-rt_trace
Products:
SLE-RT 11-SP2 (x86_64)