Bugzilla – Bug 1160571
VUL-0: CVE-2019-5188: e2fsprogs: code execution vulnerability in the directory rehashing functionality of e2fsck
Last modified: 2024-05-28 11:58:29 UTC
CVE-2019-5188
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973
This upstream patch should suffice: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff
According to Ted (e2fsprogs maintainer), we actually need to pick up:
8dd73c14 - e2fsck: abort if there is a corrupted directory block when rehashing
71ba1375 - e2fsck: don't try to rehash a deleted directory
101e73e9 - e2fsck: fix use after free in calculate_tree()
I'll work on backporting these fixes.
OK, 101e73e9 - e2fsck: fix use after free in calculate_tree() is not relevant (the code with the bug does not exist yet) for any maintained version so we don't need to pick up that patch.
Wolfgang, as a clarification: SUSE:SLE-11-SP4:Update seems to be also a maintained codestream for e2fsprogs. Any reason why you didn't mention it in your comment 2?
(In reply to Jan Kara from comment #5)
> Wolfgang, as a clarification: SUSE:SLE-11-SP4:Update seems to be also a
> maintained codestream for e2fsprogs. Any reason why you didn't mention it in
> your comment 2?
Jan, that code stream is only used in one LTSS product nowadays, and because the CVSS score of this bug is below 7.0, an update for LTSS is not mandatory. Nevertheless it won't hurt to update SUSE:SLE-11-SP4:Update as well.
OK, thanks for clarification! Since SUSE:SLE-11-SP4:Update is based on exactly the same e2fsprogs version as SUSE:SLE-11-SP2:Update, updating that branch is very simple. So I'll probably just do that.
OK, all is done from my side. Reassigning to security team for further handling.
SUSE-SU-2020:0086-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1160571
CVE References: CVE-2019-5188
Sources used:
SUSE CaaS Platform 3.0 (src): e2fsprogs-1.42.11-16.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0265-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1160571
CVE References: CVE-2019-5188
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): e2fsprogs-1.43.8-4.17.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): e2fsprogs-1.43.8-4.17.1
SUSE Linux Enterprise Module for Basesystem 15 (src): e2fsprogs-1.43.8-4.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0166-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1160571
CVE References: CVE-2019-5188
Sources used:
openSUSE Leap 15.1 (src): e2fsprogs-1.43.8-lp151.5.12.1
SUSE-SU-2020:0360-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1160571
CVE References: CVE-2019-5188
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): e2fsprogs-1.43.8-3.11.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): e2fsprogs-1.43.8-3.11.1
SUSE Linux Enterprise Server 12-SP5 (src): e2fsprogs-1.43.8-3.11.1
SUSE Linux Enterprise Server 12-SP4 (src): e2fsprogs-1.43.8-3.11.1
SUSE Linux Enterprise Desktop 12-SP4 (src): e2fsprogs-1.43.8-3.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.