Bugzilla – Bug 915402
VUL-1: CVE-2015-0247: e2fsprogs: couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...)
Last modified: 2018-12-20 07:41:34 UTC
------------------------------------------------------------------------
I found a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...). The issues affect versions lower than the last version (1.42.12). These issues were "fixed" in the last version due to a code refactor. The version 1.42.12 has been out for quite a while, but Debian and Ubuntu (not sure about RedHat) have a vulnerable version on their stable releases. Since I think there's not going to be a patch for older versions, I was wondering if you can help coordinate an update that brings 1.42.12 to stable.
------------------------------------------------------------------------
...the upstream developer (Ted Tso) works in Google too. I've been in contact with him and recommended to update since patches may have unexpected side effects on something as complex as e2fsprogs. Even he is wary of patching older versions, so I think upgrading would be the best option.

That said, if you need something to show the different distros as an argument for upgrading, here's a nasty bug in lib/ext2fs/openfs.c:

    fs->desc_blocks = ext2fs_div_ceil(fs->group_desc_count,
                                      EXT2_DESC_PER_BLOCK(fs->super));
    retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
                              &fs->group_desc);
    if (retval)
        goto cleanup;
    if (!group_block)
        group_block = fs->super->s_first_data_block;
    dest = (char *) fs->group_desc;
    groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
    if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
        first_meta_bg = fs->super->s_first_meta_bg;
    else
        first_meta_bg = fs->desc_blocks;
    if (first_meta_bg) {
        retval = io_channel_read_blk(fs->io, group_block+1,
                                     first_meta_bg, dest);

This code allocates an array stored in fs->group_desc based on the values of fs->desc_blocks and fs->blocksize (I think desc_blocks*blocksize). However, if the EXT2_FEATURE_INCOMPAT_META_BG flag is set we can set an arbitrary first_meta_bg that will cause an overflow in io_channel_read_blk.

I found this before the holidays so my memory is a bit blurred, but the bug would be the equivalent of something along the lines of:

    dest = malloc(size*count);
    if (flags & EXT2_FEATURE_INCOMPAT_META_BG)
        first = first_meta_bg;
    else
        first = count;
    memcpy(dest, src+first, count);

At least on Ubuntu 14.04, this allows an "av->top" heap overwrite (see "house of force" in the Malloc Maleficarum), which allows a trivial arbitrary memory write if the attacker controls a size passed to malloc after the overflow. I didn't work on a full exploit but it should be doable. Given that fsck is affected, and that an ext2/3/4 image can force a filesystem check on mount, this will allow code execution on systems that have automount enabled by just plugging in a device. I hope this is a good explanation/reason to push for the upgrade; please let me know what they think.
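The size arithmetic behind the bug, as an added example that is not part of the report above and not e2fsprogs code. It parses the relevant fields out of a constructed 1024-byte ext2 superblock (on-disk offsets: s_blocks_count at 4, s_first_data_block at 20, s_log_block_size at 24, s_blocks_per_group at 32, s_feature_incompat at 96, s_desc_size at 254, s_first_meta_bg at 260), reproduces how openfs.c sizes the group_desc allocation versus the io_channel_read_blk read, and reports whether the read would overrun the buffer. The "hardened" path applies the clamp of first_meta_bg to desc_blocks that the upstream fix adds. The function and struct names (plan_gdt_read, build_superblock, gdt_plan) and the sample image geometry are assumptions made for this example; it only computes sizes and never performs the overflowing read.

```c
/* Added example (not from the bug report or from e2fsprogs): models the
 * group-descriptor read in lib/ext2fs/openfs.c and checks whether it would
 * overrun the allocation. Superblock offsets follow the on-disk ext2 layout;
 * the helper names and the sample image geometry are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EXT2_SUPER_MAGIC              0xEF53
#define EXT2_FEATURE_INCOMPAT_META_BG 0x0010
#define EXT4_FEATURE_INCOMPAT_64BIT   0x0080
#define SB_SIZE 1024

/* Little-endian accessors at on-disk superblock offsets. */
static uint32_t rd32(const uint8_t *b, size_t off) {
    return (uint32_t)b[off] | (uint32_t)b[off + 1] << 8 |
           (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
}
static uint16_t rd16(const uint8_t *b, size_t off) {
    return (uint16_t)(b[off] | b[off + 1] << 8);
}
static void wr32(uint8_t *b, size_t off, uint32_t v) {
    b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *b, size_t off, uint16_t v) {
    b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8);
}

struct gdt_plan {
    uint32_t blocksize, group_desc_count, desc_blocks, first_meta_bg;
    size_t   alloc_bytes;  /* ext2fs_get_array(desc_blocks, blocksize, ...) */
    size_t   read_bytes;   /* io_channel_read_blk(..., first_meta_bg, dest) */
    int      overflow;     /* read_bytes > alloc_bytes */
};

/* Parse a 1024-byte superblock and reproduce the size arithmetic of the
 * vulnerable path. With hardened != 0, apply the clamp from the upstream fix. */
static int plan_gdt_read(const uint8_t *sb, int hardened, struct gdt_plan *p) {
    if (rd16(sb, 56) != EXT2_SUPER_MAGIC) return -1;
    uint32_t log_bs       = rd32(sb, 24);
    uint32_t blocks_count = rd32(sb, 4);
    uint32_t first_data   = rd32(sb, 20);
    uint32_t per_group    = rd32(sb, 32);
    uint32_t incompat     = rd32(sb, 96);
    uint16_t desc_size    = rd16(sb, 254);
    if (log_bs > 6 || per_group == 0 || blocks_count <= first_data) return -1;

    memset(p, 0, sizeof *p);
    p->blocksize = 1024u << log_bs;
    p->group_desc_count = (blocks_count - first_data + per_group - 1) / per_group;
    uint32_t dsize = ((incompat & EXT4_FEATURE_INCOMPAT_64BIT) && desc_size) ? desc_size : 32;
    uint32_t desc_per_block = p->blocksize / dsize;        /* EXT2_DESC_PER_BLOCK */
    p->desc_blocks = (p->group_desc_count + desc_per_block - 1) / desc_per_block;
    p->alloc_bytes = (size_t)p->desc_blocks * p->blocksize;

    if (incompat & EXT2_FEATURE_INCOMPAT_META_BG)
        p->first_meta_bg = rd32(sb, 260);   /* s_first_meta_bg: image-controlled */
    else
        p->first_meta_bg = p->desc_blocks;
    if (hardened && p->first_meta_bg > p->desc_blocks)
        p->first_meta_bg = p->desc_blocks;  /* the fix: never read past the allocation */

    p->read_bytes = (size_t)p->first_meta_bg * p->blocksize;
    p->overflow = p->read_bytes > p->alloc_bytes;
    return 0;
}

/* Constructed superblock for a one-group image with 1 KiB blocks. */
static void build_superblock(uint8_t *sb, uint32_t incompat, uint32_t first_meta_bg) {
    memset(sb, 0, SB_SIZE);
    wr16(sb, 56, EXT2_SUPER_MAGIC);
    wr32(sb, 4, 8192);            /* s_blocks_count */
    wr32(sb, 20, 1);              /* s_first_data_block (1 for 1 KiB blocks) */
    wr32(sb, 24, 0);              /* s_log_block_size: 1024 << 0 */
    wr32(sb, 32, 8192);           /* s_blocks_per_group */
    wr32(sb, 96, incompat);       /* s_feature_incompat */
    wr32(sb, 260, first_meta_bg); /* s_first_meta_bg */
}

int main(void) {
    uint8_t sb[SB_SIZE];
    struct gdt_plan p;
    build_superblock(sb, EXT2_FEATURE_INCOMPAT_META_BG, 64);
    plan_gdt_read(sb, 0, &p);
    printf("unpatched: alloc %zu bytes, read %zu bytes, overflow=%d\n",
           p.alloc_bytes, p.read_bytes, p.overflow);
    plan_gdt_read(sb, 1, &p);
    printf("patched:   alloc %zu bytes, read %zu bytes, overflow=%d\n",
           p.alloc_bytes, p.read_bytes, p.overflow);
    return 0;
}
```

With META_BG set and s_first_meta_bg at 64, the one-group image gets a 1024-byte descriptor buffer while the unpatched path asks for 64 blocks (65536 bytes); the clamp brings the read back to 1024 bytes. The same check can be run against a real image by reading 1024 bytes at offset 1024 into sb.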
Hum, IMO the reporter is wrong that we do a filesystem check on automount. We just try mounting and if the filesystem is corrupted, we refuse to work with it. fsck is called only on boot. So I don't think these bugs have any security impact (at least for SUSE). We do have 1.42.12 in Factory so my position would be to just not do anything. If you guys think I should submit 1.42.12 to some other distros, just tell me. Otherwise I'd just close this.
bugbot adjusting priority
(In reply to Jan Kara from comment #2) I think it is security relevant. You could provide someone with a USB stick with a prepared filesystem; chances are that he runs fsck on it. So this should be fixed even if it's not exploitable on automount. But since accepting USB sticks from untrusted sources is a risk by itself without this issue, we could maybe tag it as VUL-1. I'll follow the discussion on distros and decide next week.
CRD: 2015-02-05 15:00 CET
Public on oss. Because of the low probability we will handle this as VUL-1
So I was investigating this somewhat more. I don't think pushing 1.42.12 to older distros is really an option (I would consider the risk of breaking something with a version update too high given the security risk of this bug). The disclosure is pretty general so I'm not sure about all the overflows that were found. So what I can do is backport commit f66e6ce4 from the e2fsprogs repo to our maintained distros and be done with this. Opinions?
(In reply to Jan Kara from comment #8) Sounds like a plan. Please include bnc#918346.
OK, I have prepared updates for openSUSE-13.1, openSUSE-13.2, SLE12, SLE11-SP3, SLE11-SP4 (for this bug and bsc#918346). When should I submit them to the respective projects?
If possible, please postpone the update for 11-SP3. For 11-SP4, as e2fsprogs was branched, you can just submit to SUSE:SLE-11-SP4:GA (sooner the better for the release managers). For SLE 12 it's up to the Security Team. Both bugs we have in the planned updates list are security related.
OK, submitted for 11-SP4. Also for openSUSE-13.1 and openSUSE-13.2 since there's no point in waiting there. Waiting for the rest.
This is an autogenerated message for OBS integration: This bug (915402) was mentioned in https://build.opensuse.org/request/show/308845 13.2 / e2fsprogs https://build.opensuse.org/request/show/308846 13.1 / e2fsprogs
openSUSE-SU-2015:1006-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 915402,918346 CVE References: CVE-2015-0247,CVE-2015-1572 Sources used: openSUSE 13.1 (src): e2fsprogs-1.42.8-2.8.1
SUSE-SU-2015:1103-1: An update that contains security fixes can now be installed. Category: security (important) Bug References: 915402,918346 CVE References: Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): e2fsprogs-1.41.9-2.14.2 SUSE Linux Enterprise Server 11-SP4 (src): e2fsprogs-1.41.9-2.14.2 SUSE Linux Enterprise Desktop 11-SP4 (src): e2fsprogs-1.41.9-2.14.2
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-07-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62120
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-07-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62121
I've submitted the fix for SLE12 as maintenance request 61120. I've added the security fixes to SLE11-SP1 version and submitted the result as request 61122. SLE10-SP3 code looks different so originally I thought the CVE doesn't apply there. Now when I looked again, I think it does (at least to some extent) but the fix will need some massage. I'll submit later today.
OK, submitted fixes for SLE10-SP4 as request 61150. And to SLE10-SP3 as request 61160.
Is there anything to be done or can we just close this?
looks like we're fine. Please don't close security bugs, just assign them to us.
SUSE-SU-2015:1341-1: An update that fixes two vulnerabilities is now available. Category: security (low) Bug References: 915402,918346 CVE References: CVE-2015-0247,CVE-2015-1572 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): e2fsprogs-1.42.11-7.1 SUSE Linux Enterprise Server 12 (src): e2fsprogs-1.42.11-7.1 SUSE Linux Enterprise Desktop 12 (src): e2fsprogs-1.42.11-7.1
released
SUSE-SU-2015:1364-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (low) Bug References: 915402,918346,932539 CVE References: CVE-2015-0247,CVE-2015-1572 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): e2fsprogs-1.41.9-2.10.11.1, util-linux-2.19.1-6.62.7 SUSE Linux Enterprise Server 11 SP3 for VMware (src): e2fsprogs-1.41.9-2.10.11.1, util-linux-2.19.1-6.62.7 SUSE Linux Enterprise Server 11 SP3 (src): e2fsprogs-1.41.9-2.10.11.1, util-linux-2.19.1-6.62.7 SUSE Linux Enterprise Desktop 11 SP3 (src): e2fsprogs-1.41.9-2.10.11.1, util-linux-2.19.1-6.62.7
SUSE-SU-2018:1987-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1009532,1038194,915402,918346,960273 CVE References: CVE-2015-0247,CVE-2015-1572 Sources used: SUSE Linux Enterprise Module for Basesystem 15 (src): e2fsprogs-1.43.8-4.3.1
openSUSE-SU-2018:2133-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1009532,1038194,915402,918346,960273 CVE References: CVE-2015-0247,CVE-2015-1572 Sources used: openSUSE Leap 15.0 (src): e2fsprogs-1.43.8-lp150.3.3.1