From 64ac32fbac0da9a7a8df5718176f6781162060f4 Mon Sep 17 00:00:00 2001
From: OBS User krahmer
Date: Tue, 4 Aug 2015 08:02:22 +0000
Subject: [PATCH] Set link to e2fsprogs.726 via maintenance_release request Rev SUSE:SLE-12:Update/2 Md5 1c9e70abd219b716b0625f6923f93ea5 2015-08-04 08:02:22 krahmer None
---
 e2fsprogs.changes | 12 ++++
 e2fsprogs.spec | 6 +-
 ...buffer-overflow-if-s_first_meta_bg-i.patch | 58 +++++++++++++++++++
 ...potential-buffer-overflow-in-closefs.patch | 58 +++++++++++++++++++
 4 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch
 create mode 100644 libext2fs-fix-potential-buffer-overflow-in-closefs.patch
diff --git a/e2fsprogs.changes b/e2fsprogs.changes
index c4c5ed3..fce1160 100644
--- a/e2fsprogs.changes
+++ b/e2fsprogs.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue May 26 11:42:47 UTC 2015 - jack@suse.cz
+
+- libext2fs-fix-potential-buffer-overflow-in-closefs.patch: libext2fs: fix
+ potential buffer overflow in closefs() (bsc#918346 CVE-2015-1572)
+
+-------------------------------------------------------------------
+Tue May 26 11:30:53 UTC 2015 - jack@suse.cz
+
+- libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch: libext2fs:
+ avoid buffer overflow if s_first_meta_bg is too big (bsc#915402 CVE-2015-0247)
+
 -------------------------------------------------------------------
 Fri Jan 9 09:05:27 UTC 2015 - jack@suse.cz
diff --git a/e2fsprogs.spec b/e2fsprogs.spec
index d4a5ecd..14e53e8 100644
--- a/e2fsprogs.spec
+++ b/e2fsprogs.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package e2fsprogs
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -62,6 +62,8 @@ Patch4: e2fsprogs-1.42-implicit_fortify_decl.patch
 Patch5: e2fsprogs-1.42-ext2fsh_implicit.patch
 Patch6: e2fsck-free-ctx-fs-not-fs-at-the-end-of-fsck.patch
 Patch7: e2fsck-fix-free-pointer-dereferences.patch
+Patch8: libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch
+Patch9: libext2fs-fix-potential-buffer-overflow-in-closefs.patch
 # Do not suppress make commands
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -146,6 +148,8 @@ Development files for the com_err error message display library.
 %patch5
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
 cp %{SOURCE2} .
 %build
diff --git a/libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch b/libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch
new file mode 100644
index 0000000..7343e0c
--- /dev/null
+++ b/libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch
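Review bot: Nothing in the spec records that Patch9 corrects Patch8 rather than standing on its own: the closefs() hunk inside libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch clamps with `if (old_desc_blocks > fs->super->s_first_meta_bg)`, which compares the variable with the value just assigned to it and so never fires, and libext2fs-fix-potential-buffer-overflow-in-closefs.patch rewrites that line to `if (old_desc_blocks > fs->desc_blocks)`. With both applied in this order the closefs() path ends up clamped, but a later reorder, or dropping Patch8 on its own, would leave the closefs() descriptor write-out unbounded again while the openfs() clamp still looks complete. A one-line comment above the `Patch9:` line would pin the dependency, e.g. `# Patch9 fixes the closefs() comparison introduced by Patch8; keep it applied after Patch8`; the %patch8/%patch9 lines in the following hunk carry the same ordering requirement.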
@@ -0,0 +1,58 @@
+From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Sat, 9 Aug 2014 12:24:54 -0400
+Subject: [PATCH] libext2fs: avoid buffer overflow if s_first_meta_bg is too
+ big
+References: bsc#915402 CVE-2015-0247
+
+If s_first_meta_bg is greater than the of number block group
+descriptor blocks, then reading or writing the block group descriptors
+will end up overruning the memory buffer allocated for the
+descriptors. Fix this by limiting first_meta_bg to no more than
+fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
+but it avoids causing the e2fsprogs userspace programs from
+potentially crashing.
+
+Signed-off-by: Theodore Ts'o
+Acked-by: Jan Kara
+---
+ lib/ext2fs/closefs.c | 6 ++++--
+ lib/ext2fs/openfs.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+Index: e2fsprogs-1.42.11/lib/ext2fs/closefs.c
+===================================================================
+--- e2fsprogs-1.42.11.orig/lib/ext2fs/closefs.c
++++ e2fsprogs-1.42.11/lib/ext2fs/closefs.c
+@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,
+ * superblocks and group descriptors.
+ */
+ group_ptr = (char *) group_shadow;
+- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
++ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ old_desc_blocks = fs->super->s_first_meta_bg;
+- else
++ if (old_desc_blocks > fs->super->s_first_meta_bg)
++ old_desc_blocks = fs->desc_blocks;
++ } else
+ old_desc_blocks = fs->desc_blocks;
+
+ ext2fs_numeric_progress_init(fs, &progress, NULL,
+Index: e2fsprogs-1.42.11/lib/ext2fs/openfs.c
+===================================================================
+--- e2fsprogs-1.42.11.orig/lib/ext2fs/openfs.c
++++ e2fsprogs-1.42.11/lib/ext2fs/openfs.c
+@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name,
+ #ifdef WORDS_BIGENDIAN
+ groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
+ #endif
+- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
++ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ first_meta_bg = fs->super->s_first_meta_bg;
+- else
++ if (first_meta_bg > fs->desc_blocks)
++ first_meta_bg = fs->desc_blocks;
++ } else
+ first_meta_bg = fs->desc_blocks;
+ if (first_meta_bg) {
+ retval = io_channel_read_blk(fs->io, group_block +
diff --git a/libext2fs-fix-potential-buffer-overflow-in-closefs.patch b/libext2fs-fix-potential-buffer-overflow-in-closefs.patch
new file mode 100644
index 0000000..fe233ac
--- /dev/null
+++ b/libext2fs-fix-potential-buffer-overflow-in-closefs.patch
@@ -0,0 +1,58 @@
+From 49d0fe2a14f2a23da2fe299643379b8c1d37df73 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Fri, 6 Feb 2015 12:46:39 -0500
+Subject: [PATCH] libext2fs: fix potential buffer overflow in closefs()
+References: bsc#918346 CVE-2015-1572
+
+The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
+s_first_meta_bg is too big" had a typo in the fix for
+ext2fs_closefs(). In practice most of the security exposure was from
+the openfs path, since this meant if there was a carefully crafted
+file system, buffer overrun would be triggered when the file system was
+opened.
+
+However, if corrupted file system didn't trip over some corruption
+check, and then the file system was modified via tune2fs or debugfs,
+such that the superblock was marked dirty and then written out via the
+closefs() path, it's possible that the buffer overrun could be
+triggered when the file system is closed.
+
+Also clear up a signed vs unsigned warning while we're at it.
+
+Thanks to Nick Kralevich for asking me to look at
+compiler warning in the code in question, which led me to notice the
+bug in f66e6ce4446.
+
+Addresses: CVE-2015-1572
+
+Signed-off-by: Theodore Ts'o
+Acked-by: Jan Kara
+---
+ lib/ext2fs/closefs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
+index 1f9911311a1a..ab5b2fb2365e 100644
+--- a/lib/ext2fs/closefs.c
++++ b/lib/ext2fs/closefs.c
+@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ dgrp_t j;
+ #endif
+ char *group_ptr;
+- int old_desc_blocks;
++ blk64_t old_desc_blocks;
+ struct ext2fs_numeric_progress_struct progress;
+
+ EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
+@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ group_ptr = (char *) group_shadow;
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ old_desc_blocks = fs->super->s_first_meta_bg;
+- if (old_desc_blocks > fs->super->s_first_meta_bg)
++ if (old_desc_blocks > fs->desc_blocks)
+ old_desc_blocks = fs->desc_blocks;
+ } else
+ old_desc_blocks = fs->desc_blocks;
+--
+2.1.4
+