Bug 1160571 - (CVE-2019-5188) VUL-0: CVE-2019-5188: e2fsprogs: code execution vulnerability in the directory rehashing functionality of e2fsck
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/250590/
CVSSv3.1:SUSE:CVE-2019-5188:6.4:(AV:L...
Reported: 2020-01-09 10:22 UTC by Wolfgang Frisch
Modified: 2020-06-09 19:47 UTC (History)

Found By: Security Response Team
Description Wolfgang Frisch 2020-01-09 10:22:22 UTC
CVE-2019-5188

A code execution vulnerability exists in the directory rehashing functionality
of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an
out-of-bounds write on the stack, resulting in code execution. An attacker can
corrupt a partition to trigger this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973
Comment 1 Wolfgang Frisch 2020-01-09 10:46:00 UTC
This upstream patch should suffice:
https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff
Comment 3 Jan Kara 2020-01-09 14:06:52 UTC
According to Ted (e2fsprogs maintainer), we actually need to pick up:

8dd73c14 - e2fsck: abort if there is a corrupted directory block when rehashing
71ba1375 - e2fsck: don't try to rehash a deleted directory
101e73e9 - e2fsck: fix use after free in calculate_tree()

I'll work on backporting these fixes.
Comment 4 Jan Kara 2020-01-09 14:48:02 UTC
OK, 101e73e9 - e2fsck: fix use after free in calculate_tree() is not relevant (the code with the bug does not exist yet) for any maintained version so we don't need to pick up that patch.
Comment 5 Jan Kara 2020-01-09 15:29:45 UTC
Wolfgang, as a clarification: SUSE:SLE-11-SP4:Update seems to be also a maintained codestream for e2fsprogs. Any reason why you didn't mention it in your comment 2?
Comment 6 Wolfgang Frisch 2020-01-09 15:37:04 UTC
(In reply to Jan Kara from comment #5)
> Wolfgang, as a clarification: SUSE:SLE-11-SP4:Update seems to be also a
> maintained codestream for e2fsprogs. Any reason why you didn't mention it in
> your comment 2?

Jan, that code stream is only used in one LTSS product nowadays, and because the CVSS score of this bug is below 7.0, an update for LTSS is not mandatory.

Nevertheless it won't hurt to update SUSE:SLE-11-SP4:Update as well.
Comment 8 Jan Kara 2020-01-09 16:05:48 UTC
OK, thanks for clarification! Since SUSE:SLE-11-SP4:Update is based on exactly the same e2fsprogs version as SUSE:SLE-11-SP2:Update, updating that branch is very simple. So I'll probably just do that.
Comment 10 Jan Kara 2020-01-09 17:43:23 UTC
OK, all is done from my side. Reassigning to security team for further handling.
Comment 11 Swamp Workflow Management 2020-01-13 17:12:15 UTC
SUSE-SU-2020:0086-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1160571
CVE References: CVE-2019-5188
Sources used:
SUSE CaaS Platform 3.0 (src):    e2fsprogs-1.42.11-16.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-01-30 17:12:51 UTC
SUSE-SU-2020:0265-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1160571
CVE References: CVE-2019-5188
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    e2fsprogs-1.43.8-4.17.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    e2fsprogs-1.43.8-4.17.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    e2fsprogs-1.43.8-4.17.1

Comment 13 Swamp Workflow Management 2020-02-04 23:11:10 UTC
openSUSE-SU-2020:0166-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1160571
CVE References: CVE-2019-5188
Sources used:
openSUSE Leap 15.1 (src):    e2fsprogs-1.43.8-lp151.5.12.1
Comment 14 Swamp Workflow Management 2020-02-07 14:15:58 UTC
SUSE-SU-2020:0360-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1160571
CVE References: CVE-2019-5188
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    e2fsprogs-1.43.8-3.11.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    e2fsprogs-1.43.8-3.11.1
SUSE Linux Enterprise Server 12-SP5 (src):    e2fsprogs-1.43.8-3.11.1
SUSE Linux Enterprise Server 12-SP4 (src):    e2fsprogs-1.43.8-3.11.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    e2fsprogs-1.43.8-3.11.1
