Bugzilla – Bug 939367
VUL-1: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
Last modified: 2016-09-08 22:20:29 UTC
rh#817696 xfs_metadump does not properly obfuscate data. For details please see the RH bug; currently no fix is available as far as I can see.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=817696
http://seclists.org/oss-sec/2015/q3/181
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150
bugbot adjusting priority
New upstream release that fixes the issue http://oss.sgi.com/pipermail/xfs/2015-July/042726.html
Ok, I've pushed the package to "filesystems" repo and factory. I'll be working on backporting the fixes to older codestreams.
So I have patches ported to SLE12 (that was easy) and can submit them when needed. I have also ported patches to the SLE11 SP2 codebase (used also for SP3 and SP4 in the case of xfsprogs). But they don't fix the issue completely because the version of xfs_metadump used for SLE11 SP2 doesn't have the ability to properly iterate multi-block directories. So how hard do we want to try to fix this? There are three options I can see:
1) Just ignore the problem for anything older than SLE12.
2) Use backported patches so some (but not all) of the exposed data are properly obfuscated.
3) Port other work on xfs_metadump so that obfuscation can work properly in all the cases.
IMHO the threat here (exposure of filenames, parts of old xattrs if we go for 1) isn't big, and if the customer is sending us a metadump he has a contract with us anyway, so it shouldn't be a big concern. So the risk and effort to backport more features into metadump is outweighing the gain... But I wanted to consult this with the security team... Guys, what's your opinion?
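As an added example (not code from this bug or from xfsprogs), a pre-send check for the failure mode described above: given the names a customer knows to be sensitive, scan a metadump image for any that survived obfuscation, and list clear-text runs the way strings(1) would. The image bytes below are constructed, not a real metadump, and the function names are my own.

```python
#!/usr/bin/env python3
"""Check a metadump image for plaintext that obfuscation should have removed."""
import re
from typing import Dict, Iterable, List

# Constructed stand-in for a metadump image (no real XFS structures).
# The first name was replaced by a same-length substitute, as obfuscation
# should do; the second name and the xattr were left in the clear, which is
# what happens for the directory blocks metadump failed to iterate.
SAMPLE_IMAGE = (
    b"XFSM" + b"\x00" * 12                  # header-like prefix
    + b"k9QxWZl3pT0.aBvc2" + b"\x00" * 3    # obfuscated replacement name
    + b"payroll_2015.xlsx" + b"\x00" * 3    # original name leaked
    + b"user.secret=hunter2" + b"\x00" * 5  # xattr name/value leaked
)


def find_leaked_names(image: bytes, names: Iterable[str]) -> Dict[str, List[int]]:
    """For each sensitive name, return every byte offset where it appears
    verbatim in the image. An empty list means the name did not leak."""
    hits: Dict[str, List[int]] = {}
    for name in names:
        needle = re.escape(name.encode())
        hits[name] = [m.start() for m in re.finditer(needle, image)]
    return hits


def printable_runs(image: bytes, min_len: int = 8) -> List[bytes]:
    """List runs of printable ASCII of at least min_len bytes, the same view
    strings(1) gives; obfuscated names are printable too, so this is a
    review aid rather than a verdict."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group() for m in re.finditer(pattern, image)]


def check_metadump_file(path: str, names: Iterable[str]) -> Dict[str, List[int]]:
    """Run find_leaked_names over an on-disk image and return only the leaks."""
    with open(path, "rb") as fh:
        image = fh.read()
    return {n: offs for n, offs in find_leaked_names(image, names).items() if offs}


if __name__ == "__main__":
    known = ["payroll_2015.xlsx", "board-minutes.doc"]
    for name, offsets in find_leaked_names(SAMPLE_IMAGE, known).items():
        state = "LEAKED at %s" % offsets if offsets else "not found"
        print("%-20s %s" % (name, state))
    for run in printable_runs(SAMPLE_IMAGE):
        print("string:", run.decode())
```

A non-empty result from find_leaked_names means the image still needs manual review before it leaves the site, regardless of which xfsprogs version produced it.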
(In reply to Jan Kara from comment #4) I would opt for 2. Is there a place where we can add a warning to the user about which data still gets exposed after the patch?
We can comment on it in the manpage, I'll add that.
OK, so the manpage already has a comment about this so there's nothing more to add. I'll push patches I have once I finish the final round of testing.
OK, I have an update for SLE11 SP2 (SP3, SP4) prepared as well. I have spent a couple of hours trying to backport the fixes further to SLE11 SP1, but it gets even messier and so far the patches still corrupt images, so I'm inclined to just not fix the problem in xfsprogs in SLE11 SP1 and older since in my opinion it's not worth the effort... I'll have a look at openSUSE now.
OK, openSUSE is done. So to summarize: I have prepared updates for openSUSE-13.1, openSUSE-13.2, SLE12, SLE11-SP2 (used for SP3 & SP4 as well) which is all I can do with reasonable effort. Please let me know when I should submit packages.
Please submit; we can accept and not yet put them to QA. Separate submits.
This is an autogenerated message for OBS integration: This bug (939367) was mentioned in https://build.opensuse.org/request/show/322851 13.2+13.1 / xfsprogs
Submitted for SLE12 as request 65392. Submitted for SLE11-SP2 as request 65394 (bundled with another bug fix that was there). Submitted for openSUSE 13.1 and 13.2 as request 322851. I've created it there with osc mbranch which then created only one request for both openSUSE versions. I hope it's fine. If not, I can redo the submit for openSUSE.
(In reply to Jan Kara from comment #13)
> Submitted for openSUSE 13.1 and 13.2 as request 322851. I've created it
> there with osc mbranch which then created only one request for both openSUSE
> versions. I hope it's fine. If not, I can redo the submit for openSUSE.
That's fine for openSUSE for identical or similar changes that fix the same bugs.
openSUSE-SU-2015:1429-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 939367
CVE References: CVE-2012-2150
Sources used:
openSUSE 13.2 (src): xfsprogs-3.2.1-2.3.1
openSUSE 13.1 (src): xfsprogs-3.1.11-2.3.1
I think this can be closed but reassigning to security team for that.
SUSE-SU-2015:2383-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 911866,939367
CVE References: CVE-2012-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Server 11-SP4 (src): xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Server 11-SP3 (src): xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Desktop 11-SP4 (src): xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Desktop 11-SP3 (src): xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xfsprogs-3.1.8-0.7.1
SUSE-SU-2015:2384-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 939367
CVE References: CVE-2012-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Software Development Kit 12 (src): xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Server 12-SP1 (src): xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Server 12 (src): xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Desktop 12-SP1 (src): xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Desktop 12 (src): xfsprogs-3.2.1-3.5
Fixed and released to all affected products.
openSUSE-SU-2016:0018-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 939367
CVE References: CVE-2012-2150
Sources used:
openSUSE Leap 42.1 (src): xfsprogs-3.2.1-5.1