forked from pool/e2fsprogs
Set link to e2fsprogs.726 via maintenance_release request
Rev SUSE:SLE-12:Update/2 Md5 1c9e70abd219b716b0625f6923f93ea5 2015-08-04 08:02:22 krahmer None
This commit is contained in:
OBS User krahmer
Git OBS Bridge
parent
e48c8be103
commit
64ac32fbac
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue May 26 11:42:47 UTC 2015 - jack@suse.cz
|
||||
|
||||
- libext2fs-fix-potential-buffer-overflow-in-closefs.patch: libext2fs: fix
|
||||
potential buffer overflow in closefs() (bsc#918346 CVE-2015-1572)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 26 11:30:53 UTC 2015 - jack@suse.cz
|
||||
|
||||
- libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch: libext2fs:
|
||||
avoid buffer overflow if s_first_meta_bg is too big (bsc#915402 CVE-2015-0247)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 9 09:05:27 UTC 2015 - jack@suse.cz
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package e2fsprogs
|
||||
#
|
||||
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -62,6 +62,8 @@ Patch4: e2fsprogs-1.42-implicit_fortify_decl.patch
|
||||
Patch5: e2fsprogs-1.42-ext2fsh_implicit.patch
|
||||
Patch6: e2fsck-free-ctx-fs-not-fs-at-the-end-of-fsck.patch
|
||||
Patch7: e2fsck-fix-free-pointer-dereferences.patch
|
||||
Patch8: libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch
|
||||
Patch9: libext2fs-fix-potential-buffer-overflow-in-closefs.patch
|
||||
|
||||
# Do not suppress make commands
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -146,6 +148,8 @@ Development files for the com_err error message display library.
|
||||
%patch5
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
cp %{SOURCE2} .
|
||||
|
||||
%build
|
||||
|
||||
58
libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch
Normal file
58
libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
|
||||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Sat, 9 Aug 2014 12:24:54 -0400
|
||||
Subject: [PATCH] libext2fs: avoid buffer overflow if s_first_meta_bg is too
|
||||
big
|
||||
References: bsc#915402 CVE-2015-0247
|
||||
|
||||
If s_first_meta_bg is greater than the of number block group
|
||||
descriptor blocks, then reading or writing the block group descriptors
|
||||
will end up overruning the memory buffer allocated for the
|
||||
descriptors. Fix this by limiting first_meta_bg to no more than
|
||||
fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
|
||||
but it avoids causing the e2fsprogs userspace programs from
|
||||
potentially crashing.
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
Acked-by: Jan Kara <jack@suse.cz>
|
||||
---
|
||||
lib/ext2fs/closefs.c | 6 ++++--
|
||||
lib/ext2fs/openfs.c | 6 ++++--
|
||||
2 files changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
Index: e2fsprogs-1.42.11/lib/ext2fs/closefs.c
|
||||
===================================================================
|
||||
--- e2fsprogs-1.42.11.orig/lib/ext2fs/closefs.c
|
||||
+++ e2fsprogs-1.42.11/lib/ext2fs/closefs.c
|
||||
@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,
|
||||
* superblocks and group descriptors.
|
||||
*/
|
||||
group_ptr = (char *) group_shadow;
|
||||
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
|
||||
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
|
||||
old_desc_blocks = fs->super->s_first_meta_bg;
|
||||
- else
|
||||
+ if (old_desc_blocks > fs->super->s_first_meta_bg)
|
||||
+ old_desc_blocks = fs->desc_blocks;
|
||||
+ } else
|
||||
old_desc_blocks = fs->desc_blocks;
|
||||
|
||||
ext2fs_numeric_progress_init(fs, &progress, NULL,
|
||||
Index: e2fsprogs-1.42.11/lib/ext2fs/openfs.c
|
||||
===================================================================
|
||||
--- e2fsprogs-1.42.11.orig/lib/ext2fs/openfs.c
|
||||
+++ e2fsprogs-1.42.11/lib/ext2fs/openfs.c
|
||||
@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name,
|
||||
#ifdef WORDS_BIGENDIAN
|
||||
groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
|
||||
#endif
|
||||
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
|
||||
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
|
||||
first_meta_bg = fs->super->s_first_meta_bg;
|
||||
- else
|
||||
+ if (first_meta_bg > fs->desc_blocks)
|
||||
+ first_meta_bg = fs->desc_blocks;
|
||||
+ } else
|
||||
first_meta_bg = fs->desc_blocks;
|
||||
if (first_meta_bg) {
|
||||
retval = io_channel_read_blk(fs->io, group_block +
|
||||
58
libext2fs-fix-potential-buffer-overflow-in-closefs.patch
Normal file
58
libext2fs-fix-potential-buffer-overflow-in-closefs.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From 49d0fe2a14f2a23da2fe299643379b8c1d37df73 Mon Sep 17 00:00:00 2001
|
||||
From: Theodore Ts'o <tytso@mit.edu>
|
||||
Date: Fri, 6 Feb 2015 12:46:39 -0500
|
||||
Subject: [PATCH] libext2fs: fix potential buffer overflow in closefs()
|
||||
References: bsc#918346 CVE-2015-1572
|
||||
|
||||
The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
|
||||
s_first_meta_bg is too big" had a typo in the fix for
|
||||
ext2fs_closefs(). In practice most of the security exposure was from
|
||||
the openfs path, since this meant if there was a carefully crafted
|
||||
file system, buffer overrun would be triggered when the file system was
|
||||
opened.
|
||||
|
||||
However, if corrupted file system didn't trip over some corruption
|
||||
check, and then the file system was modified via tune2fs or debugfs,
|
||||
such that the superblock was marked dirty and then written out via the
|
||||
closefs() path, it's possible that the buffer overrun could be
|
||||
triggered when the file system is closed.
|
||||
|
||||
Also clear up a signed vs unsigned warning while we're at it.
|
||||
|
||||
Thanks to Nick Kralevich <nnk@google.com> for asking me to look at
|
||||
compiler warning in the code in question, which led me to notice the
|
||||
bug in f66e6ce4446.
|
||||
|
||||
Addresses: CVE-2015-1572
|
||||
|
||||
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
||||
Acked-by: Jan Kara <jack@suse.cz>
|
||||
---
|
||||
lib/ext2fs/closefs.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
|
||||
index 1f9911311a1a..ab5b2fb2365e 100644
|
||||
--- a/lib/ext2fs/closefs.c
|
||||
+++ b/lib/ext2fs/closefs.c
|
||||
@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
|
||||
dgrp_t j;
|
||||
#endif
|
||||
char *group_ptr;
|
||||
- int old_desc_blocks;
|
||||
+ blk64_t old_desc_blocks;
|
||||
struct ext2fs_numeric_progress_struct progress;
|
||||
|
||||
EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
|
||||
@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
|
||||
group_ptr = (char *) group_shadow;
|
||||
if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
|
||||
old_desc_blocks = fs->super->s_first_meta_bg;
|
||||
- if (old_desc_blocks > fs->super->s_first_meta_bg)
|
||||
+ if (old_desc_blocks > fs->desc_blocks)
|
||||
old_desc_blocks = fs->desc_blocks;
|
||||
} else
|
||||
old_desc_blocks = fs->desc_blocks;
|
||||
--
|
||||
2.1.4
|
||||
|
||||
Loading…
Reference in New Issue
Block a user