Bug 75706 (CVE-2005-0400)

Summary: VUL-0: CVE-2005-0400: kernel: ext2 information leak
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-0400: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: ext2-dir-information-leak.patch
ext2-info-leak.patch

Description Ludwig Nussel 2005-04-04 07:50:00 UTC 
We received the following report via bugtraq.
The issue is public.

Date: Fri, 01 Apr 2005 14:59:42 +0200
From: Arkoon Security Team <security@arkoon.net>
To: bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org
Subject: Information leak in the Linux kernel ext2 implementation

Description: Information leak in the Linux kernel ext2 implementation
References:  CAN-2005-0400
Authors:     Mathieu Lafon <mlafon@arkoon.net>
             Romain Francoise <rfrancoise@arkoon.net>


   Arkoon Security Team Advisory - March 25, 2005
   http://arkoon.net/advisories/ext2-make-empty-leak.txt
   Revision: 1.0

1. Description

   The function ext2_make_empty() used  in the Linux implementation of
   the  ext2 filesystem is  vulnerable to  an information  leak.  Upon
   directory creation, a  new block is obtained from  kernel memory to
   store the initial directory entries  ('.' and '..').  This block is
   used and  written to disk uninitialized, leading  to an information
   leak in the block's slack space.

   Depending on block size, up to 4072 (4096 - 2 * 12) bytes of kernel
   memory  can be leaked  on each  directory creation.   This quantity
   then decreases  when additional entries are added  to the directory
   block.

   Note:  since  the  ext2  implementation uses  the  dir-in-pagecache
   design, any part of kernel  memory is susceptible to be leaked, not
   only old disk/filesystem data.

2. Impact

   Leaked kernel  memory can be  found in ext2 filesystems;  either on
   hard  drives,  removable media  (USB  thumb  drives, flash  cards),
   initrd images, UML filesystem images, etc...

   A quick  scan reveals that most  ext2 images found  on the Internet
   contain information  that was not meant to  be distributed (ranging
   from xterm scrollback data to email tidbits).

3. Affected versions

   Linux 2.4.x series: all versions up to 2.4.29 (fixed in 2.4.30-rc2)
   Linux 2.6.x series: all versions up to 2.6.11.5 (fixed in 2.6.11.6)

4. Vendor response

   This  vulnerability was  acknowledged by  the Kernel  Security Team
   (security@kernel.org) and fixed in versions 2.4.30-rc2 and 2.6.11.6.

   The Common Vulnerabilities and Exposures (CVE) project has assigned
   the name CAN-2005-0400 to this issue.

5. Timeline

   03/15/2005 - Vulnerability discovered
   03/16/2005 - Vulnerability details sent to security@kernel.org
   03/16/2005 - Vulnerability confirmed by kernel maintainers
   03/25/2005 - Linux 2.6.11.6 released with fix
   03/25/2005 - Linux 2.4.30-rc2 released with fix
   04/01/2005 - Public disclosure

6. Credits

   This vulnerability  was discovered by Romain  Francoise and Mathieu
   Lafon of the Arkoon Security Team (http://www.arkoon.com/).

   Thanks to Andrew Morton,  Marcelo Tosatti, Linus Torvalds, Alan Cox
   and Chris Wright for their quick response.

7. About us

   Arkoon   Network  Security's   Security   Team  provides   security
   intelligence to Arkoon's departments,  partners and clients, and to
   the security community at large.

   For further information, see http://www.arkoon.com/.

8. Legal notices

   Copyright (C) 2005 Arkoon Network Security

   Disclaimer: this document and  all information therein are provided
   "as is" without warranty of any kind, whether express or implied.

   Arkoon  Network  Security does  not  warrant  or  assume any  legal
   liability  or responsibility  for the  accuracy or  completeness of
   this information, nor for the  possible damage caused by the use of
   it.
Comment 2 Marcus Meissner 2005-04-18 10:46:16 UTC 
Created attachment 34679 [details]
ext2-dir-information-leak.patch

patch from bk
Comment 3 Hubert Mantel 2005-04-25 09:42:58 UTC 
Marcus, the Link in your comment #2 is totally broken...
Btw, is there any ETA for the next sec update?
Comment 4 Marcus Meissner 2005-04-25 10:42:02 UTC 
Created attachment 35399 [details]
ext2-info-leak.patch
Comment 5 Marcus Meissner 2005-04-25 10:42:48 UTC 
unbroke link, dunno how that happened. 
 
An ETA for the next security update is not yet set, nothing 
critical has appeared yet.
Comment 6 Hubert Mantel 2005-05-13 14:44:05 UTC 
Fix committed to all trees.
Comment 7 Marcus Meissner 2005-05-13 15:13:35 UTC 
reopen for tracking
Comment 8 Marcus Meissner 2005-05-13 15:15:35 UTC 
i knpow hubert. i cant just do both steps (reopen / reassign) at the same 
time.
Comment 9 Ludwig Nussel 2005-06-09 12:42:38 UTC 
updates released
Comment 10 Thomas Biege 2009-10-13 21:15:34 UTC 
CVE-2005-0400: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)