List: oss-security
Subject: [oss-security] Re: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
From: Dave Chinner <david () fromorbit ! com>
Date: 2015-07-30 2:25:12
Message-ID: 20150730022512.GM16638 () dastard
On Thu, Jul 23, 2015 at 08:41:05AM -0600, Kurt Seifried wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=817696
>
> Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of
> tools for the XFS filesystem, did not properly obfuscate data.
> xfs_metadump properly obfuscates active metadata, but the rest of the
> space within that fs block comes through in the clear. This could lead
> to exposure of stale disk data via the produced metadump image.
>
> The expectation of xfs_metadump is to obfuscate all but the shortest
> names in the metadata, as noted in the manpage:
>
> By default, xfs_metadump obfuscates most file (regular file,
> directory and symbolic link) names and extended attribute names to
> allow the dumps to be sent without revealing confidential
> information. Extended attribute values are zeroed and no data is
> copied. The only exceptions are file or attribute names that are 4 or
> less characters in length. Also file names that span extents (this can
> only occur with the mkfs.xfs(8) options where -n size > -b size) are not
> obfuscated. Names between 5 and 8 characters in length
> inclusively are partially obfuscated.
>
> While the xfs_metadump tool can be run by unprivileged users, it
> requires appropriate permissions to access block devices (such as root)
> where the sensitive data might be dumped. An unprivileged user, without
> access to the block device, could not use this flaw to obtain sensitive
> data they would not otherwise have permission to access.
>
> Upstream patches will be available at
> https://git.kernel.org/cgit/fs/xfs/xfsprogs-dev.git/

I have just released xfsprogs v3.2.4 to address these issues. Please
see the release announcement here for details on where to find it:

http://oss.sgi.com/pipermail/xfs/2015-July/042726.html

-Dave.

PS: A comment on the CVE disclosure process: please ensure that the
upstream maintainer is informed of the CVE and the public disclosure
plan *before* disclosure occurs. Apart from preventing co-ordinated
release of the fixes, failing to inform the maintainer of the
problem before public disclosure is impolite and disrespectful.

--
Dave Chinner
david@fromorbit.com
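
The flaw class described in the quoted advisory (active metadata obfuscated, the rest of the block copied in the clear), shown as an added example that is not part of the original message and is not xfsprogs code. The block layout, the 64-byte size, the sample strings and all function names are assumptions made for illustration, and zeroing the unused tail is one mitigation for this class of leak, not a description of the v3.2.4 changes.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64   /* constructed size, far smaller than a real fs block */

/* Constructed stale data standing in for old contents left in the block. */
static const char STALE[] = "STALE-SECRET: old contents left on disk";

/* Model a block: stale bytes, then `used` bytes of active metadata on top. */
static void make_block(unsigned char *blk, const char *active, size_t used)
{
    memset(blk, 0, BLOCK_SIZE);
    memcpy(blk, STALE, sizeof(STALE) - 1);
    memcpy(blk, active, used);
}

/* Leaky dump: obfuscates the active region, copies the rest verbatim. */
static void dump_leaky(const unsigned char *blk, size_t used, unsigned char *out)
{
    memcpy(out, blk, BLOCK_SIZE);
    memset(out, 'x', used);
}

/* Hardened dump: additionally zeroes everything past the active region. */
static void dump_zeroed(const unsigned char *blk, size_t used, unsigned char *out)
{
    dump_leaky(blk, used, out);
    memset(out + used, 0, BLOCK_SIZE - used);
}

/* Check: count non-zero bytes that survive beyond the active region. */
static size_t stale_bytes(const unsigned char *out, size_t used)
{
    size_t n = 0;
    for (size_t i = used; i < BLOCK_SIZE; i++)
        n += (out[i] != 0);
    return n;
}

/* Dump one constructed block either way and report the surviving stale bytes. */
static size_t leak_after(int harden)
{
    unsigned char blk[BLOCK_SIZE], out[BLOCK_SIZE];
    const char name[] = "report.txt";          /* constructed active name */
    size_t used = sizeof(name) - 1;
    make_block(blk, name, used);
    if (harden) dump_zeroed(blk, used, out); else dump_leaky(blk, used, out);
    return stale_bytes(out, used);
}

int main(void)
{
    printf("leaky: %zu stale bytes, zeroed: %zu\n", leak_after(0), leak_after(1));
    return 0;
}
```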