
List:       oss-security
Subject:    [oss-security] Re: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
From:       Dave Chinner <david@fromorbit.com>
Date:       2015-07-30 2:25:12
Message-ID: 20150730022512.GM16638@dastard


On Thu, Jul 23, 2015 at 08:41:05AM -0600, Kurt Seifried wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=817696
> 
> Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of
> tools for the XFS filesystem, did not properly obfuscate data.
> xfs_metadump properly obfuscates active metadata, but the rest of the
> space within that fs block comes through in the clear.  This could lead
> to exposure of stale disk data via the produced metadump image.
> 
> The expectation of xfs_metadump is to obfuscate all but the shortest
> names in the metadata, as noted in the manpage:
> 
> By  default,  xfs_metadump  obfuscates  most  file (regular file,
> directory and symbolic link) names and extended  attribute  names to
> allow  the  dumps  to be sent without revealing confidential
> information. Extended attribute values are zeroed and no data  is
> copied.  The only exceptions are file or attribute names that are 4 or
> less characters in length. Also file names that span extents (this can
> only occur with the mkfs.xfs(8) options where -n size > -b size) are not
> obfuscated.  Names between 5 and 8 characters  in length
> inclusively are partially obfuscated.
> 
> While the xfs_metadump tool can be run by unprivileged users, it
> requires appropriate permissions to access block devices (such as root)
> where the sensitive data might be dumped.  An unprivileged user, without
> access to the block device, could not use this flaw to obtain sensitive
> data they would not otherwise have permission to access.
> 
> Upstream patches will be available at
> https://git.kernel.org/cgit/fs/xfs/xfsprogs-dev.git/

I have just released xfsprogs v3.2.4 to address these issues. Please
see the release announcement here for details on where to find it:

http://oss.sgi.com/pipermail/xfs/2015-July/042726.html

-Dave.

PS: A comment on the CVE disclosure process: please ensure that the
upstream maintainer is informed of the CVE and the public disclosure
plan *before* disclosure occurs.  Apart from preventing co-ordinated
release of the fixes, failing to inform the maintainer of the
problem before public disclosure is impolite and disrespectful.

-- 
Dave Chinner
david@fromorbit.com
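A practical check to run on a metadump before sending it anywhere, as an added example that is not part of xfsprogs or of either message above. It applies the xfs_metadump(8) rules quoted in the thread (names of at most 4 bytes stay in the clear, 5-8 bytes are only partially obfuscated, longer names are obfuscated) to a list of real names taken from the source filesystem, and does a strings(1)-style sweep for long printable runs, which is what stale data left in the unused part of a metadata block looks like. The image handling is deliberately format-agnostic (the dump is treated as a flat byte string), the name list and the 512-byte sample block are assumptions constructed for the example, and the sample is not a real XFS dump.

```python
"""Leak check for an xfs_metadump image before it leaves the site.

Added example, not part of xfsprogs. The thresholds come from the
xfs_metadump(8) text quoted in the advisory; the sample image below is
constructed for the example and is not a real XFS dump.
"""
import re
import sys

# Thresholds from the xfs_metadump(8) text quoted in the advisory.
KEEP_CLEAR_MAX = 4   # names this short are documented to be left unchanged
PARTIAL_MAX = 8      # names of 5-8 bytes are only partially obfuscated


def classify_name(name: str) -> str:
    """Return what the manpage says xfs_metadump does with this name.

    The other documented exception, names that span extents, cannot be
    detected from the name alone and is not modelled here.
    """
    n = len(name.encode())
    if n <= KEEP_CLEAR_MAX:
        return "clear"
    if n <= PARTIAL_MAX:
        return "partial"
    return "obfuscated"


def find_cleartext_names(image: bytes, names):
    """Map each source name to (verdict, offsets) after scanning the image.

    ok       - not present verbatim
    expected - present, but names this short are documented to stay clear
    warning  - present verbatim although only partial obfuscation is promised
    leak     - present verbatim although it should have been obfuscated
    """
    verdicts = {}
    for name in names:
        offsets = [m.start() for m in re.finditer(re.escape(name.encode()), image)]
        kind = classify_name(name)
        if not offsets:
            verdict = "ok"
        elif kind == "clear":
            verdict = "expected"
        elif kind == "partial":
            verdict = "warning"
        else:
            verdict = "leak"
        verdicts[name] = (verdict, offsets)
    return verdicts


def printable_runs(image: bytes, min_len: int = 12):
    """strings(1)-style sweep: (offset, run) for every printable run of at
    least min_len bytes. Obfuscated names and on-disk metadata structures do
    not produce long readable runs; stale file contents in block slack do."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pat.finditer(image)]


# Constructed (hypothetical) list of names from the source filesystem.
SOURCE_NAMES = ["etc", "secrets1", "payroll_2015.xlsx", "quarterly_report.pdf"]


def build_sample_image() -> bytes:
    """Constructed stand-in for a metadump image: one 512-byte 'directory
    block' whose unused tail still carries data from an earlier use of the
    disk block. Not a real XFS block layout."""
    block = bytearray(512)
    block[0:3] = b"etc"                       # short name, left in the clear
    block[16:24] = b"secrets1"                # 8 bytes: manpage promises only partial
    block[32:49] = bytes(range(0xa0, 0xb1))   # stands in for an obfuscated long name
    stale = b"-----BEGIN RSA PRIVATE KEY-----\npayroll_2015.xlsx\n"
    block[256:256 + len(stale)] = stale       # slack space: passed through unobfuscated
    return bytes(block)


def check_image(image: bytes, names, min_run: int = 12) -> dict:
    """Summarise findings; a non-empty 'leaks' means the dump must not be shared."""
    verdicts = find_cleartext_names(image, names)
    return {
        "leaks": sorted(n for n, (v, _) in verdicts.items() if v == "leak"),
        "warnings": sorted(n for n, (v, _) in verdicts.items() if v == "warning"),
        "runs": printable_runs(image, min_run),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: check_metadump.py <dump.metadump> <file with one name per line>
        with open(sys.argv[1], "rb") as f:
            image = f.read()
        with open(sys.argv[2]) as f:
            names = [line.rstrip("\n") for line in f if line.strip()]
    else:
        image, names = build_sample_image(), SOURCE_NAMES
    result = check_image(image, names)
    for kind in ("leaks", "warnings"):
        for name in result[kind]:
            print(f"{kind[:-1]}: {name!r} appears verbatim")
    for off, run in result["runs"]:
        print(f"printable run at {off:#x}: {run[:40]!r}")
```

On the constructed block the long name in the slack region and the private-key header are both reported, while the 3-byte name is accepted because the manpage says such names are never obfuscated. The sweep for printable runs is the part that catches what CVE-2012-2150 is about: it does not need to know the names in advance, only that obfuscated metadata should not contain readable text.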

