Bug 915402 - (CVE-2015-0247) VUL-1: CVE-2015-0247: e2fsprogs: couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
maint:running:62120:low maint:release...
Reported: 2015-01-29 15:04 UTC by Victor Pereira
Modified: 2018-12-20 07:41 UTC (History)
Description Victor Pereira 2015-01-29 15:04:37 UTC
------------------------------------------------------------------------

I found a couple of heap overflows in e2fsprogs (fsck, dumpe2fs,
e2image...). The issues affect versions lower than the last version
(1.42.12). These issues were "fixed" in the last version due to a code
refactor.

The version 1.42.12 has been out for quite a while, but Debian and Ubuntu
(not sure about RedHat) have a vulnerable version on their stable releases.

Since I think there's not going to be a patch for older versions, I was
wondering if you can help coordinate an update that brings 1.42.12 to
stable.

------------------------------------------------------------------------

...the upstream developer (Ted Tso) works in Google too. I've been in
contact with him and recommended to update since patches may have unexpected
side effects on something as complex as e2fsprogs. Even he is wary of patching
older versions, so I think upgrading would be the best option.

That said, if you need something to show the different distros as an
argument for upgrading, here's a nasty bug in lib/ext2fs/openfs.c:

    fs->desc_blocks = ext2fs_div_ceil(fs->group_desc_count,
                                      EXT2_DESC_PER_BLOCK(fs->super));
    /* buffer sized for desc_blocks * blocksize bytes */
    retval = ext2fs_get_array(fs->desc_blocks, fs->blocksize,
                              &fs->group_desc);
    if (retval)
        goto cleanup;
    if (!group_block)
        group_block = fs->super->s_first_data_block;
    dest = (char *) fs->group_desc;
    groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
    if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
        /* taken from the on-disk superblock, never bounded against desc_blocks */
        first_meta_bg = fs->super->s_first_meta_bg;
    else
        first_meta_bg = fs->desc_blocks;
    if (first_meta_bg) {
        /* reads first_meta_bg blocks into a buffer of desc_blocks blocks */
        retval = io_channel_read_blk(fs->io, group_block+1,
                                     first_meta_bg, dest);

This code allocates an array stored in fs->group_desc based on the values
of fs->desc_blocks and fs->blocksize (I think desc_blocks*blocksize).
However if the EXT2_FEATURE_INCOMPAT_META_BG flag is set we can set an
arbitrary first_meta_bg that will cause an overflow in io_channel_read_blk.

I found this before the holidays so my memory is a bit blurred, but the bug
would be the equivalent to something on the lines:

dest = malloc(size*count);
if (flags & EXT2_FEATURE_INCOMPAT_META_BG)
  first = first_meta_bg;
else
  first = count;
memcpy(dest, src+first, count);

At least on Ubuntu 14.04, this allows a "av->top" heap overwrite (see
"house of force" in the malloc maleficarum), that allows a trivial
arbitrary memory write if the attacker controls a size passed to malloc
after the overflow. I didn't work on a full exploit but should be doable.

Given that fsck is affected, and that an ext2/3/4 image can force a
filesystem check on mount, this will allow code execution on systems that
have automount enabled by just plugging a device.

I hope this is a good explanation/reason to push for the upgrade, please
let me know what they think.
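As an added illustration (not part of the bug report and not e2fsprogs code), the C model below mirrors the sizing logic of the openfs.c excerpt above: the descriptor table is allocated for desc_blocks blocks, but with META_BG set the read length is taken from the on-disk s_first_meta_bg. The function names, the 32-byte descriptor size and the sample values are assumptions; checked_read_blocks shows the clamp a fix has to add, and image_claims_too_many is the check a defender would log on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real flag value from ext2_fs.h; every other number here is constructed. */
#define EXT2_FEATURE_INCOMPAT_META_BG 0x0010
#define DESC_SIZE 32u   /* assumption: classic 32-byte group descriptor */

struct sb_fields {     /* the two superblock fields the excerpt reads */
    uint32_t s_feature_incompat;
    uint32_t s_first_meta_bg;
};
static unsigned div_ceil(unsigned a, unsigned b) { return (a + b - 1) / b; }

/* Blocks allocated for the descriptor table (fs->desc_blocks in the excerpt). */
unsigned desc_blocks_for(unsigned group_desc_count, unsigned blocksize)
{
    return div_ceil(group_desc_count, blocksize / DESC_SIZE);
}
/* Block count the quoted io_channel_read_blk call uses before any fix: with
 * META_BG set it is taken straight from the on-disk superblock. */
unsigned unchecked_read_blocks(const struct sb_fields *sb, unsigned desc_blocks)
{
    if (sb->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
        return sb->s_first_meta_bg;
    return desc_blocks;
}

/* Detection: does the image claim more descriptor blocks than were allocated? */
bool image_claims_too_many(const struct sb_fields *sb, unsigned desc_blocks)
{
    return unchecked_read_blocks(sb, desc_blocks) > desc_blocks;
}

/* Hardened form: clamp the read to the allocated size, as a fix has to. */
unsigned checked_read_blocks(const struct sb_fields *sb, unsigned desc_blocks)
{
    unsigned n = unchecked_read_blocks(sb, desc_blocks);
    return n > desc_blocks ? desc_blocks : n;
}
int main(void)
{   /* constructed image: 8 groups, 1 KiB blocks -> 1 descriptor block allocated */
    struct sb_fields sb = { EXT2_FEATURE_INCOMPAT_META_BG, 4096 };
    unsigned db = desc_blocks_for(8, 1024);
    printf("allocated %u, unchecked %u, clamped %u, suspicious=%d\n", db,
           unchecked_read_blocks(&sb, db), checked_read_blocks(&sb, db),
           image_claims_too_many(&sb, db));
    return 0;
}
```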
Comment 2 Jan Kara 2015-01-29 15:36:41 UTC
Hum, IMO the reporter is wrong that we do filesystem check on automount. We just try mounting and if the filesystem is corrupted, we refuse to work with it. fsck is called only on boot. So I don't think these bugs have any security impact (at least for SUSE).

We do have 1.42.12 in Factory so my position would be to just don't do anything. If you guys think I should submit 1.42.12 to some other distros, just tell me. Otherwise I'd just close this.
Comment 3 Swamp Workflow Management 2015-01-29 23:01:19 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2015-01-30 08:26:21 UTC
(In reply to Jan Kara from comment #2)
I think it is security relevant. You could provide someone with a USB stick with a prepared filesystem, chances are that he runs fsck on it. So this should be fixed even if it's not exploitable on automount. But since accepting USB sticks from untrusted sources is a risk by itself without this issue we could maybe tag it as VUL-1. I'll follow the discussion on distros and decide next week.
Comment 6 Johannes Segitz 2015-02-05 08:55:08 UTC
CRD: 2015-02-05 15:00 CET
Comment 7 Johannes Segitz 2015-02-05 14:13:04 UTC
Public on oss. Because of the low probability we will handle this as VUL-1
Comment 8 Jan Kara 2015-02-18 11:06:39 UTC
So I was investigating this somewhat more. I don't think pushing 1.42.12 to older distros is really an option (I would consider the risk of breaking something with version update too high given the security risk of this bug).

The disclosure is pretty general so I'm not sure about all the overflows that were found. So what I can do is that I'll backport commit f66e6ce4 from e2fsprogs repo to our maintained distros and be done with this. Opinions?
Comment 9 Johannes Segitz 2015-02-18 12:20:49 UTC
(In reply to Jan Kara from comment #8)
sounds like a plan. Please include bnc#918346
Comment 10 Jan Kara 2015-05-26 12:05:07 UTC
OK, I have prepared updates for openSUSE-13.1, openSUSE-13.2, SLE12, SLE11-SP3, SLE11-SP4 (for this bug and bsc#918346). When should I submit them to the respective projects?
Comment 11 Leonardo Chiquitto 2015-05-26 14:23:22 UTC
If possible, please postpone the update for 11-SP3. For 11-SP4, as e2fsprogs was branched, you can just submit to SUSE:SLE-11-SP4:GA (sooner the better for the release managers).

For SLE 12 it's up to the Security Team. Both bugs we have in the planned updates list are security related.
Comment 12 Jan Kara 2015-05-27 06:54:53 UTC
OK, submitted for 11-SP4. Also for openSUSE-13.1 and openSUSE-13.2 since there's no point in waiting there. Waiting for the rest.
Comment 13 Bernhard Wiedemann 2015-05-27 07:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (915402) was mentioned in
https://build.opensuse.org/request/show/308845 13.2 / e2fsprogs
https://build.opensuse.org/request/show/308846 13.1 / e2fsprogs
Comment 17 Swamp Workflow Management 2015-06-05 10:05:48 UTC
openSUSE-SU-2015:1006-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 915402,918346
CVE References: CVE-2015-0247,CVE-2015-1572
Sources used:
openSUSE 13.1 (src):    e2fsprogs-1.42.8-2.8.1
Comment 20 Swamp Workflow Management 2015-06-23 14:03:14 UTC
SUSE-SU-2015:1103-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 915402,918346
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    e2fsprogs-1.41.9-2.14.2
SUSE Linux Enterprise Server 11-SP4 (src):    e2fsprogs-1.41.9-2.14.2
SUSE Linux Enterprise Desktop 11-SP4 (src):    e2fsprogs-1.41.9-2.14.2
Comment 21 Swamp Workflow Management 2015-06-25 21:02:27 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-07-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62120
Comment 22 Swamp Workflow Management 2015-06-25 21:02:39 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-07-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62121
Comment 26 Jan Kara 2015-06-26 09:47:15 UTC
I've submitted the fix for SLE12 as maintenance request 61120.

I've added the security fixes to SLE11-SP1 version and submitted the result as request 61122.

SLE10-SP3 code looks different so originally I thought the CVE doesn't apply there. Now when I looked again, I think it does (at least to some extent) but the fix will need some massage. I'll submit later today.
Comment 29 Jan Kara 2015-06-26 12:39:58 UTC
OK, submitted fixes for SLE10-SP4 as request 61150. And to SLE10-SP3 as request 61160.
Comment 31 Jan Kara 2015-07-10 11:10:24 UTC
Is there anything to be done or can we just close this?
Comment 32 Johannes Segitz 2015-07-10 11:50:49 UTC
looks like we're fine. Please don't close security bugs, just assign them to us.
Comment 33 Swamp Workflow Management 2015-08-04 08:09:34 UTC
SUSE-SU-2015:1341-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 915402,918346
CVE References: CVE-2015-0247,CVE-2015-1572
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    e2fsprogs-1.42.11-7.1
SUSE Linux Enterprise Server 12 (src):    e2fsprogs-1.42.11-7.1
SUSE Linux Enterprise Desktop 12 (src):    e2fsprogs-1.42.11-7.1
Comment 34 Marcus Meissner 2015-08-07 14:46:07 UTC
released
Comment 35 Swamp Workflow Management 2015-08-07 19:13:11 UTC
SUSE-SU-2015:1364-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 915402,918346,932539
CVE References: CVE-2015-0247,CVE-2015-1572
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    e2fsprogs-1.41.9-2.10.11.1, util-linux-2.19.1-6.62.7
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    e2fsprogs-1.41.9-2.10.11.1, util-linux-2.19.1-6.62.7
SUSE Linux Enterprise Server 11 SP3 (src):    e2fsprogs-1.41.9-2.10.11.1, util-linux-2.19.1-6.62.7
SUSE Linux Enterprise Desktop 11 SP3 (src):    e2fsprogs-1.41.9-2.10.11.1, util-linux-2.19.1-6.62.7
Comment 38 Swamp Workflow Management 2018-07-19 13:08:59 UTC
SUSE-SU-2018:1987-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1009532,1038194,915402,918346,960273
CVE References: CVE-2015-0247,CVE-2015-1572
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    e2fsprogs-1.43.8-4.3.1
Comment 39 Swamp Workflow Management 2018-07-28 14:05:59 UTC
openSUSE-SU-2018:2133-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1009532,1038194,915402,918346,960273
CVE References: CVE-2015-0247,CVE-2015-1572
Sources used:
openSUSE Leap 15.0 (src):    e2fsprogs-1.43.8-lp150.3.3.1