pool/e2fsprogs
2
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Set link to e2fsprogs.726 via maintenance_release request

Browse Source 
Rev SUSE:SLE-12:Update/2 Md5 1c9e70abd219b716b0625f6923f93ea5 2015-08-04 08:02:22 krahmer None
This commit is contained in:
OBS User krahmer 2015-08-04 08:02:22 +00:00 committed by Git OBS Bridge
parent e48c8be103
commit 64ac32fbac
4 changed files with 133 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
e2fsprogs.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Tue May 26 11:42:47 UTC 2015 - jack@suse.cz
- libext2fs-fix-potential-buffer-overflow-in-closefs.patch: libext2fs: fix
potential buffer overflow in closefs() (bsc#918346 CVE-2015-1572)
-------------------------------------------------------------------
Tue May 26 11:30:53 UTC 2015 - jack@suse.cz
- libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch: libext2fs:
avoid buffer overflow if s_first_meta_bg is too big (bsc#915402 CVE-2015-0247)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jan 9 09:05:27 UTC 2015 - jack@suse.cz Fri Jan 9 09:05:27 UTC 2015 - jack@suse.cz

6
e2fsprogs.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package e2fsprogs # spec file for package e2fsprogs
# #
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -62,6 +62,8 @@ Patch4: e2fsprogs-1.42-implicit_fortify_decl.patch
Patch5: e2fsprogs-1.42-ext2fsh_implicit.patch Patch5: e2fsprogs-1.42-ext2fsh_implicit.patch
Patch6: e2fsck-free-ctx-fs-not-fs-at-the-end-of-fsck.patch Patch6: e2fsck-free-ctx-fs-not-fs-at-the-end-of-fsck.patch
Patch7: e2fsck-fix-free-pointer-dereferences.patch Patch7: e2fsck-fix-free-pointer-dereferences.patch
Patch8: libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch
Patch9: libext2fs-fix-potential-buffer-overflow-in-closefs.patch
# Do not suppress make commands # Do not suppress make commands
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -146,6 +148,8 @@ Development files for the com_err error message display library.
%patch5 %patch5
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1
%patch9 -p1
cp %{SOURCE2} . cp %{SOURCE2} .
%build %build

58
libext2fs-avoid-buffer-overflow-if-s_first_meta_bg-i.patch Normal file
View File

@ -0,0 +1,58 @@
From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Sat, 9 Aug 2014 12:24:54 -0400
Subject: [PATCH] libext2fs: avoid buffer overflow if s_first_meta_bg is too
big
References: bsc#915402 CVE-2015-0247
If s_first_meta_bg is greater than the of number block group
descriptor blocks, then reading or writing the block group descriptors
will end up overruning the memory buffer allocated for the
descriptors. Fix this by limiting first_meta_bg to no more than
fs->desc_blocks. This doesn't correct the bad s_first_meta_bg value,
but it avoids causing the e2fsprogs userspace programs from
potentially crashing.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Jan Kara <jack@suse.cz>
---
lib/ext2fs/closefs.c | 6 ++++--
lib/ext2fs/openfs.c | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
Index: e2fsprogs-1.42.11/lib/ext2fs/closefs.c
===================================================================
--- e2fsprogs-1.42.11.orig/lib/ext2fs/closefs.c
+++ e2fsprogs-1.42.11/lib/ext2fs/closefs.c
@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs,
* superblocks and group descriptors.
*/
group_ptr = (char *) group_shadow;
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
old_desc_blocks = fs->super->s_first_meta_bg;
- else
+ if (old_desc_blocks > fs->super->s_first_meta_bg)
+ old_desc_blocks = fs->desc_blocks;
+ } else
old_desc_blocks = fs->desc_blocks;
ext2fs_numeric_progress_init(fs, &progress, NULL,
Index: e2fsprogs-1.42.11/lib/ext2fs/openfs.c
===================================================================
--- e2fsprogs-1.42.11.orig/lib/ext2fs/openfs.c
+++ e2fsprogs-1.42.11/lib/ext2fs/openfs.c
@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name,
#ifdef WORDS_BIGENDIAN
groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
#endif
- if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
first_meta_bg = fs->super->s_first_meta_bg;
- else
+ if (first_meta_bg > fs->desc_blocks)
+ first_meta_bg = fs->desc_blocks;
+ } else
first_meta_bg = fs->desc_blocks;
if (first_meta_bg) {
retval = io_channel_read_blk(fs->io, group_block +

58
libext2fs-fix-potential-buffer-overflow-in-closefs.patch Normal file
View File

@ -0,0 +1,58 @@
From 49d0fe2a14f2a23da2fe299643379b8c1d37df73 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <tytso@mit.edu>
Date: Fri, 6 Feb 2015 12:46:39 -0500
Subject: [PATCH] libext2fs: fix potential buffer overflow in closefs()
References: bsc#918346 CVE-2015-1572
The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
s_first_meta_bg is too big" had a typo in the fix for
ext2fs_closefs(). In practice most of the security exposure was from
the openfs path, since this meant if there was a carefully crafted
file system, buffer overrun would be triggered when the file system was
opened.
However, if corrupted file system didn't trip over some corruption
check, and then the file system was modified via tune2fs or debugfs,
such that the superblock was marked dirty and then written out via the
closefs() path, it's possible that the buffer overrun could be
triggered when the file system is closed.
Also clear up a signed vs unsigned warning while we're at it.
Thanks to Nick Kralevich <nnk@google.com> for asking me to look at
compiler warning in the code in question, which led me to notice the
bug in f66e6ce4446.
Addresses: CVE-2015-1572
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Jan Kara <jack@suse.cz>
---
lib/ext2fs/closefs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
index 1f9911311a1a..ab5b2fb2365e 100644
--- a/lib/ext2fs/closefs.c
+++ b/lib/ext2fs/closefs.c
@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
dgrp_t j;
#endif
char *group_ptr;
- int old_desc_blocks;
+ blk64_t old_desc_blocks;
struct ext2fs_numeric_progress_struct progress;
EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
group_ptr = (char *) group_shadow;
if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
old_desc_blocks = fs->super->s_first_meta_bg;
- if (old_desc_blocks > fs->super->s_first_meta_bg)
+ if (old_desc_blocks > fs->desc_blocks)
old_desc_blocks = fs->desc_blocks;
} else
old_desc_blocks = fs->desc_blocks;
--
2.1.4