From 18ad4ba0ebcee834ae4baa1c2ae449d2b9c25953 Mon Sep 17 00:00:00 2001
From: Eric Sandeen
Date: Tue, 24 Feb 2015 11:16:17 -0600
Subject: CVE-2015-1572 and other bug fixes
---
e2fsprogs-1.42.12-closefs-cve.patch | 51 ++++++++++++++++++++++++++
e2fsprogs-1.42.12-dumpe2fs-segfault.patch | 25 +++++++++++++
e2fsprogs-1.42.12-resize2fs-fsck.patch | 59 +++++++++++++++++++++++++++++++
e2fsprogs.spec | 17 +++++++--
4 files changed, 149 insertions(+), 3 deletions(-)
create mode 100644 e2fsprogs-1.42.12-closefs-cve.patch
create mode 100644 e2fsprogs-1.42.12-dumpe2fs-segfault.patch
create mode 100644 e2fsprogs-1.42.12-resize2fs-fsck.patch
diff --git a/e2fsprogs-1.42.12-closefs-cve.patch b/e2fsprogs-1.42.12-closefs-cve.patch
new file mode 100644
index 0000000..af219c4
--- /dev/null
+++ b/e2fsprogs-1.42.12-closefs-cve.patch
@@ -0,0 +1,51 @@
+commit 49d0fe2a14f2a23da2fe299643379b8c1d37df73
+Author: Theodore Ts'o
+Date: Fri Feb 6 12:46:39 2015 -0500
+
+ libext2fs: fix potential buffer overflow in closefs()
+
+ The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
+ s_first_meta_bg is too big" had a typo in the fix for
+ ext2fs_closefs(). In practice most of the security exposure was from
+ the openfs path, since this meant if there was a carefully crafted
+ file system, buffer overrun would be triggered when the file system was
+ opened.
+
+ However, if corrupted file system didn't trip over some corruption
+ check, and then the file system was modified via tune2fs or debugfs,
+ such that the superblock was marked dirty and then written out via the
+ closefs() path, it's possible that the buffer overrun could be
+ triggered when the file system is closed.
+
+ Also clear up a signed vs unsigned warning while we're at it.
+
+ Thanks to Nick Kralevich for asking me to look at
+ compiler warning in the code in question, which led me to notice the
+ bug in f66e6ce4446.
+
+ Addresses: CVE-2015-1572
+
+
Signed-off-by: Theodore Ts'o
+
+diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
+index 1f99113..ab5b2fb 100644
+--- a/lib/ext2fs/closefs.c
++++ b/lib/ext2fs/closefs.c
+@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ dgrp_t j;
+ #endif
+ char *group_ptr;
+- int old_desc_blocks;
++ blk64_t old_desc_blocks;
+ struct ext2fs_numeric_progress_struct progress;
+
+ EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
+@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ group_ptr = (char *) group_shadow;
+ if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ old_desc_blocks = fs->super->s_first_meta_bg;
+- if (old_desc_blocks > fs->super->s_first_meta_bg)
++ if (old_desc_blocks > fs->desc_blocks)
+ old_desc_blocks = fs->desc_blocks;
+ } else
+ old_desc_blocks = fs->desc_blocks;
diff --git a/e2fsprogs-1.42.12-dumpe2fs-segfault.patch b/e2fsprogs-1.42.12-dumpe2fs-segfault.patch
new file mode 100644
index 0000000..439a00f
--- /dev/null
+++ b/e2fsprogs-1.42.12-dumpe2fs-segfault.patch
@@ -0,0 +1,25 @@
+commit fecb231f6fc83cf4b4ddf7ec34ace3723803a499
+Author: Darrick J. Wong
+Date: Fri Nov 7 21:26:14 2014 -0500
+
+ dumpe2fs: don't crash when the user provides no block device argument
+
+ If the user doesn't provide any arguments, the guard fails to run and
+ the whole thing segfaults on ext2fs_open2(). Don't do that.
+
+ Signed-off-by: Darrick J. Wong
+ Signed-off-by: Theodore Ts'o
+
+diff --git a/misc/dumpe2fs.c b/misc/dumpe2fs.c
+index 1eae5a3..4185d6e 100644
+--- a/misc/dumpe2fs.c
++++ b/misc/dumpe2fs.c
+@@ -575,7 +575,7 @@ int main (int argc, char ** argv)
+ usage();
+ }
+ }
+- if (argc - 1 > optind) {
++ if (optind != argc - 1) {
+ usage();
+ exit(1);
+ }
diff --git a/e2fsprogs-1.42.12-resize2fs-fsck.patch b/e2fsprogs-1.42.12-resize2fs-fsck.patch
new file mode 100644
index 0000000..40f34e6
--- /dev/null
+++ b/e2fsprogs-1.42.12-resize2fs-fsck.patch
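Review bot: The corrected clamp at the end of the closefs.c hunk is the entire CVE fix, yet nothing in the code says why `s_first_meta_bg` has to be capped, and the original typo survived review precisely because `old_desc_blocks > fs->super->s_first_meta_bg` is a self-comparison that reads plausibly while never being true. I would put a comment above the clamp: `/* s_first_meta_bg comes straight from the on-disk superblock; cap it at desc_blocks so a crafted value cannot drive the descriptor write-out past the buffer sized from desc_blocks */`. The write-out that this bounds is presumably later in ext2fs_flush2, which starts and ends outside this hunk, so the comment is the only place a reader of this branch learns the clamp is security-relevant rather than cosmetic. Self-comparisons of this shape are reported by the tautological-compare warnings of current compilers, which is worth enabling in the package build given that a warning is what surfaced this bug.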
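Review bot: The new guard `if (optind != argc - 1)` is correct but states "exactly one positional argument" as an inequality on an offset, which is how the previous `argc - 1 > optind` (extra-args-only) slipped through; a one-line comment such as `/* exactly one non-option argument: the device to dump */`, or the equivalent `if (argc - optind != 1)`, makes the intent visible. The enclosing main() continues outside the hunk, so I cannot tell whether usage() already exits; if it does the following `exit(1)` is unreachable and can go, and if it does not, it is the only thing keeping a NULL `argv[optind]` away from ext2fs_open2().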
@@ -0,0 +1,59 @@
+commit 0462fd6db55de28d7e087d8d06ab20339acd8f67
+Author: Eric Sandeen
+Date: Sun Dec 14 19:08:59 2014 -0500
+
+ resize2fs: don't require fsck to print min size
+
+ My previous change ended up requiring that the filesystem
+ be fsck'd after the last mount, even if we are only querying
+ the minimum size. This is a bit draconian, and it burned
+ the Fedora installer, which wants to calculate minimum size
+ for every filesystem in the box at install time, which in turn
+ requires a full fsck of every filesystem.
+
+ Try this one more time, and separate out the tests to make things
+ a bit more clear. If we're only printing the min size, don't
+ require the fsck, as this is a bit less dangerous/critical.
+
+ Signed-off-by: Eric Sandeen
+
Signed-off-by: Theodore Ts'o
+
+diff --git a/resize/main.c b/resize/main.c
+index 983d8c2..9a35af0 100644
+--- a/resize/main.c
++++ b/resize/main.c
+@@ -321,10 +321,30 @@ int main (int argc, char ** argv)
+ }
+ fs->default_bitmap_type = EXT2FS_BMAP64_RBTREE;
+
+- if (!(mount_flags & EXT2_MF_MOUNTED)) {
+- if (!force && ((fs->super->s_lastcheck < fs->super->s_mtime) ||
+- (fs->super->s_state & EXT2_ERROR_FS) ||
+- ((fs->super->s_state & EXT2_VALID_FS) == 0))) {
++ /*
++ * Before acting on an unmounted filesystem, make sure it's ok,
++ * unless the user is forcing it.
++ *
++ * We do ERROR and VALID checks even if we're only printing the
++ * minimimum size, because traversal of a badly damaged filesystem
++ * can cause issues as well. We don't require it to be fscked after
++ * the last mount time in this case, though, as this is a bit less
++ * risky.
++ */
++ if (!force && !(mount_flags & EXT2_MF_MOUNTED)) {
++ int checkit = 0;
++
++ if (fs->super->s_state & EXT2_ERROR_FS)
++ checkit = 1;
++
++ if ((fs->super->s_state & EXT2_VALID_FS) == 0)
++ checkit = 1;
++
++ if ((fs->super->s_lastcheck < fs->super->s_mtime) &&
++ !print_min_size)
++ checkit = 1;
++
++ if (checkit) {
+ fprintf(stderr,
+ _("Please run 'e2fsck -f %s' first.\n\n"),
+ device_name);
diff --git a/e2fsprogs.spec b/e2fsprogs.spec
index c600ad1..5d3a24e 100644
--- a/e2fsprogs.spec
+++ b/e2fsprogs.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing ext2, ext3, and ext4 filesystems
 Name: e2fsprogs
 Version: 1.42.12
-Release: 3%{?dist}
+Release: 4%{?dist}
 # License tags based on COPYING file distinctions for various components
 License: GPLv2
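Review bot: The new comment block in the resize/main.c hunk misspells `minimimum` (should be `minimum`), and its justification that skipping the lastcheck-vs-mtime test for -P is "a bit less risky" does not say what makes it so, while the same comment concedes that traversal of a damaged filesystem is itself hazardous. The relaxation means a filesystem flagged VALID but dirtied by a mount since its last fsck is now walked without one, so the comment should state the assumption that makes that acceptable, e.g. `* -P only reads the filesystem and never writes to it, so a stale-but-VALID fs is tolerable; any operation that modifies the fs still requires a fresh fsck.` — assuming the print_min_size path really is read-only, which this hunk does not show and should be confirmed against the rest of main(), which continues outside the hunk. Note also that `force` now sits in the outer condition and bypasses the ERROR_FS and VALID checks as well, which matches the old nesting but is worth a word in the comment since the reader no longer sees the two levels.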
@@ -12,6 +12,9 @@ Source2: e2fsck.conf
 Patch1: e2fsprogs-1.40.4-sb_feature_check_ignore.patch
 Patch2: e2fsprogs-1.42.12-use-after-free-fix.patch
+Patch3: e2fsprogs-1.42.12-closefs-cve.patch
+Patch4: e2fsprogs-1.42.12-dumpe2fs-segfault.patch
+Patch5: e2fsprogs-1.42.12-resize2fs-fsck.patch
 Url: http://e2fsprogs.sourceforge.net/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -152,6 +155,9 @@ It was originally inspired by the Multics SubSystem library.
 # after an selinux install...
 %patch1 -p1 -b .featurecheck
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1

 %build
 %configure --enable-elf-shlibs --enable-nls --disable-uuidd --disable-fsck \
@@ -333,13 +339,18 @@ exit 0
 %{_libdir}/pkgconfig/ss.pc

 %changelog
+* Tue Feb 24 2015 Eric Sandeen 1.42.12-4
+- Fix potential buffer overflow in closefs (#1193947, CVE-2015-1572)
+- Fix dumpe2fs segfault with no arguments (#1194063)
+- Don't require fsck prior to resize2fs -P (#1170803)
+
 * Sat Feb 21 2015 Till Maas - 1.42.12-3
 - Rebuilt for Fedora 23 Change
   https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code

 * Tue Feb 17 2015 Eric Sandeen 1.42.12-2
-- Fix use after free
-- Re-enable time-based fsck if set in superblock (e2fsck.conf)
+- Fix use after free (#1192861)
+- Fix time-based fsck if set in superblock (e2fsck.conf, #963283)

 * Fri Aug 29 2014 Eric Sandeen 1.42.12-1
 - New upstream release
-- cgit