Bug 939367 - (CVE-2012-2150) VUL-1: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/75046/
CVSSv2:NVD:CVE-2012-2150:5.0:(AV:N/AC...
Reported: 2015-07-24 11:34 UTC by Johannes Segitz
Modified: 2016-09-08 22:20 UTC
Found By: Security Response Team
Description Johannes Segitz 2015-07-24 11:34:23 UTC
rh#817696

xfs_metadump does not properly obfuscate data. For details please see the RH bug; currently no fix is available as far as I can see.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=817696
http://seclists.org/oss-sec/2015/q3/181
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150
Comment 1 Swamp Workflow Management 2015-07-24 21:59:44 UTC
bugbot adjusting priority
Comment 2 Johannes Segitz 2015-07-30 09:29:45 UTC
New upstream release that fixes the issue

http://oss.sgi.com/pipermail/xfs/2015-July/042726.html
Comment 3 Jan Kara 2015-07-31 10:49:30 UTC
Ok, I've pushed the package to "filesystems" repo and factory. I'll be working on backporting the fixes to older codestreams.
Comment 4 Jan Kara 2015-08-11 16:20:27 UTC
So I have patches ported to SLE12 (that was easy) and can submit it when needed. I have also ported patches to SLE11 SP2 codebase (used also for SP3 and SP4 in case of xfsprogs). But they don't fix the issue completely because the version of xfs_metadump used for SLE11 SP2 doesn't have the ability to properly iterate multi-block directories.

So how hard do we want to try to fix this? There are three options I can see:
1) Just ignore the problem for anything older than SLE12.
2) Use backported patches so some (but not all) of the exposed data are properly obfuscated.
3) Port other work on xfs_metadump so that obfuscation can work properly in all the cases.

IMHO the threat here (exposure of filenames, parts of old xattrs if we go for 1) isn't big here and if the customer is sending us metadump he has a contract with us anyway so it shouldn't be a big concern. So the risk and effort to backport more features into metadump is outweighing the gain... But I wanted to consult this with the security team... Guys, what's your opinion?
Comment 5 Johannes Segitz 2015-08-12 07:25:01 UTC
(In reply to Jan Kara from comment #4)
I would opt for 2. Is there a place where we can add a warning to the user which data still gets exposed after the patch?
Comment 6 Jan Kara 2015-08-12 07:39:56 UTC
We can comment on it in the manpage, I'll add that.
Comment 7 Jan Kara 2015-08-12 09:03:36 UTC
OK, so the manpage already has a comment about this so there's nothing more to add. I'll push patches I have once I finish the final round of testing.
Comment 8 Jan Kara 2015-08-12 13:30:20 UTC
OK, I have update for SLE11 SP2 (SP3, SP4) prepared as well. I have spent a couple of hours trying to backport fixes further to SLE11 SP1 but it gets even messier and so far patches still corrupt images so I'm inclined to just not fix the problem in xfsprogs in SLE11 SP1 and older since in my opinion it's not worth the effort...

I'll have a look at openSUSE now.
Comment 9 Jan Kara 2015-08-12 13:52:12 UTC
OK, openSUSE is done. So to summarize: I have prepared updates for openSUSE-13.1, openSUSE-13.2, SLE12, SLE11-SP2 (used for SP3 & SP4 as well) which is all I can do with reasonable effort. Please let me know when I should submit packages.
Comment 10 Marcus Meissner 2015-08-13 15:07:00 UTC
please submit, we can accept and not yet put them to QA.

separate submits.
Comment 12 Bernhard Wiedemann 2015-08-14 08:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (939367) was mentioned in
https://build.opensuse.org/request/show/322851 13.2+13.1 / xfsprogs
Comment 13 Jan Kara 2015-08-14 08:18:56 UTC
Submitted for SLE12 as request 65392. Submitted for SLE11-SP2 as request 65394 (bundled with another bug fix that was there).

Submitted for openSUSE 13.1 and 13.2 as request 322851. I've created it there with osc mbranch which then created only one request for both openSUSE versions. I hope it's fine. If not, I can redo the submit for openSUSE.
Comment 14 Andreas Stieger 2015-08-14 08:23:07 UTC
(In reply to Jan Kara from comment #13)
> Submitted for openSUSE 13.1 and 13.2 as request 322851. I've created it
> there with osc mbranch which then created only one request for both openSUSE
> versions. I hope it's fine. If not, I can redo the submit for openSUSE.

That's fine for openSUSE for identical or similar changes that fix the same bugs.
Comment 16 Swamp Workflow Management 2015-08-24 10:09:53 UTC
openSUSE-SU-2015:1429-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 939367
CVE References: CVE-2012-2150
Sources used:
openSUSE 13.2 (src):    xfsprogs-3.2.1-2.3.1
openSUSE 13.1 (src):    xfsprogs-3.1.11-2.3.1
Comment 17 Jan Kara 2015-10-22 13:35:41 UTC
I think this can be closed but reassigning to security team for that.
Comment 18 Swamp Workflow Management 2015-12-28 20:11:11 UTC
SUSE-SU-2015:2383-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 911866,939367
CVE References: CVE-2012-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Server 11-SP4 (src):    xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Server 11-SP3 (src):    xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    xfsprogs-3.1.8-0.7.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xfsprogs-3.1.8-0.7.1
Comment 19 Swamp Workflow Management 2015-12-28 20:11:36 UTC
SUSE-SU-2015:2384-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 939367
CVE References: CVE-2012-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Software Development Kit 12 (src):    xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Server 12-SP1 (src):    xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Server 12 (src):    xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Desktop 12-SP1 (src):    xfsprogs-3.2.1-3.5
SUSE Linux Enterprise Desktop 12 (src):    xfsprogs-3.2.1-3.5
Comment 20 Victor Pereira 2015-12-30 07:42:33 UTC
fixed and released to all affected products.
Comment 21 Swamp Workflow Management 2016-01-04 23:11:00 UTC
openSUSE-SU-2016:0018-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 939367
CVE References: CVE-2012-2150
Sources used:
openSUSE Leap 42.1 (src):    xfsprogs-3.2.1-5.1