First Last Prev Next    This bug is not in your last search results.
Bug 1099613 - (CVE-2018-12928) VUL-1: CVE-2018-12928: kernel-source: hfs: In the Linux kernel 4.15.0, a NULL pointer dereference was discovered inhfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfsfilesystem.
(CVE-2018-12928)
VUL-1: CVE-2018-12928: kernel-source: hfs: In the Linux kernel 4.15.0, a NULL...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/209133/
CVSSv3:SUSE:CVE-2018-12928:3.3:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-06-29 05:33 UTC by Marcus Meissner
Modified: 2022-06-09 09:45 UTC (History)
9 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Blacklist for rarely-used local file systems (835 bytes, text/plain)
2018-10-23 14:02 UTC, Jeff Mahoney 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-06-29 05:33:34 UTC 
CVE-2018-12928

In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in
hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs
filesystem.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12928
https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384
Comment 3 Jeff Mahoney 2018-09-07 20:38:54 UTC 
I've disabled hfs.ko in stable and master.

Nobody is going to fix this bug.

Richard, I'd like to disable this in Leap 42.3 and 15.0.  It's unusual to disable a module in a maintenance update, but I doubt anyone is using this and I'm perfectly willing to deal with the bug reports that result from it.  I'm not sure who needs to approve this or if I should just do it unilaterally.
Comment 4 Richard Brown 2018-09-24 10:04:53 UTC 
(In reply to Jeff Mahoney from comment #3)
> I've disabled hfs.ko in stable and master.
> 
> Nobody is going to fix this bug.
> 
> Richard, I'd like to disable this in Leap 42.3 and 15.0.  It's unusual to
> disable a module in a maintenance update, but I doubt anyone is using this
> and I'm perfectly willing to deal with the bug reports that result from it. 
> I'm not sure who needs to approve this or if I should just do it
> unilaterally.

I don't know, I think it's more appropriate that this question is asked of Leap's release manager - Ludwig, what do you think?
Comment 5 Jeff Mahoney 2018-10-11 01:11:03 UTC 
Ping Ludwig.

Do you have an opinion on disabling hfs.ko in already released projects to fix this issue?

This is hfs.ko, the version of HFS that Apple deprecated in 1998.  It's not hfsplus.ko that implements HFS+ that was used until last year (and is still used on deployed systems.)
Comment 6 Takashi Iwai 2018-10-11 07:38:24 UTC 
I guess we can just follow the procedure as Nikolay recently disabled f2fs for Leap.
Comment 7 Ludwig Nussel 2018-10-22 14:37:58 UTC 
Sorry I must have missed this. I don't particularly mind, go ahead.
Although I think it's a pity that we have to disable those modules instead of marking them as discouraged and requiring explicit manual loading.
Comment 8 Jeff Mahoney 2018-10-23 14:02:21 UTC 
Created attachment 786884 [details]
Blacklist for rarely-used local file systems

I suppose in the HFS case it would make more sense in a maintenance update to do that. Ludwig, would you be comfortable doing this in a maintenance update?  Is there a release note process for openSUSE?
Comment 9 Ludwig Nussel 2018-10-24 07:59:43 UTC 
yes, you can either file a bug for the release notes component with your desired text or just file a pull request on https://github.com/openSUSE/release-notes-openSUSE yourself
Comment 10 Jeff Mahoney 2018-10-24 16:30:07 UTC 
Perfect.  Thanks.
Comment 12 Takashi Iwai 2022-05-23 09:03:17 UTC 
It was only for old TW, so it's done.  Let's reassign back to security team.
Comment 13 Carlos López 2022-06-09 09:45:10 UTC 
Done, closing.
First Last Prev Next    This bug is not in your last search results.