Date: Thu, 30 Jul 2015 12:25:12 +1000
From: Dave Chinner <david@...morbit.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw

On Thu, Jul 23, 2015 at 08:41:05AM -0600, Kurt Seifried wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=817696
>
> Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of
> tools for the XFS filesystem, did not properly obfuscate data.
> xfs_metadump properly obfuscates active metadata, but the rest of the
> space within that fs block comes through in the clear. This could lead
> to exposure of stale disk data via the produced metadump image.
>
> The expectation of xfs_metadump is to obfuscate all but the shortest
> names in the metadata, as noted in the manpage:
>
>     By default, xfs_metadump obfuscates most file (regular file,
>     directory and symbolic link) names and extended attribute names to
>     allow the dumps to be sent without revealing confidential
>     information. Extended attribute values are zeroed and no data is
>     copied. The only exceptions are file or attribute names that are 4 or
>     less characters in length. Also file names that span extents (this can
>     only occur with the mkfs.xfs(8) options where -n size > -b size) are not
>     obfuscated. Names between 5 and 8 characters in length
>     inclusively are partially obfuscated.
>
> While the xfs_metadump tool can be run by unprivileged users, it
> requires appropriate permissions to access block devices (such as root)
> where the sensitive data might be dumped. An unprivileged user, without
> access to the block device, could not use this flaw to obtain sensitive
> data they would not otherwise have permission to access.
>
> Upstream patches will be available at
> https://git.kernel.org/cgit/fs/xfs/xfsprogs-dev.git/

I have just released xfsprogs v3.2.4 to address these issues.
Please see the release announcement here for details on where to find it:

http://oss.sgi.com/pipermail/xfs/2015-July/042726.html

-Dave.

PS: A comment on the CVE disclosure process: please ensure that the
upstream maintainer is informed of the CVE and the public disclosure
plan *before* disclosure occurs. Apart from preventing co-ordinated
release of the fixes, failing to inform the maintainer of the problem
before public disclosure is impolite and disrespectful.

-- 
Dave Chinner
david@...morbit.com

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
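The flaw described above is a dump tool that rewrites the live records in a block but copies the remainder of the block through verbatim, so whatever stale bytes sit after the last record survive in the image. The following toy model is an added illustration written for this archive page, not xfsprogs code: it applies the name policy quoted from the manpage (4 bytes or fewer kept, 5 to 8 partially obfuscated, longer names fully obfuscated) to a simplified block, shows the pre-fix "copy the tail through" behaviour beside a version that zeroes the unused tail, and includes the check a practitioner would run on a dump before sharing it. The block size, record format, SHAKE-256-derived replacement bytes and the "keep the first four bytes" rule for partial obfuscation are assumptions made for the example, not the XFS on-disk format or xfs_metadump's method.

```python
"""Toy model of the CVE-2012-2150 slack-space leak (added illustration, not
xfsprogs code).  Block layout, record format, block size and obfuscation
scheme are simplifying assumptions."""
import hashlib

BLOCK_SIZE = 64  # assumed toy block size; real XFS blocks are 512 bytes or more


def obfuscate_name(name: bytes) -> bytes:
    """Manpage policy: <=4 bytes kept, 5..8 bytes partially obfuscated,
    longer names fully obfuscated.  Length is always preserved.
    Replacement bytes from SHAKE-256 and the "keep first 4 bytes" split
    are assumptions for this example."""
    n = len(name)
    if n <= 4:
        return name
    digest = hashlib.shake_256(name).digest(n)
    replacement = bytes(0x61 + (b % 26) for b in digest)  # lowercase letters
    if n <= 8:
        return name[:4] + replacement[4:]
    return replacement


def build_block(names, stale: bytes) -> bytes:
    """Assumed record format: 1-byte length + name, terminated by a 0 length.
    `stale` models leftover bytes from earlier use of the same block."""
    payload = b"".join(bytes([len(n)]) + n for n in names) + b"\x00"
    if len(payload) + len(stale) > BLOCK_SIZE:
        raise ValueError("records and stale data do not fit in one block")
    return (payload + stale).ljust(BLOCK_SIZE, b"\x00")


def parse_records(block: bytes):
    """Return (names, offset just past the terminator)."""
    names, off = [], 0
    while True:
        length = block[off]
        off += 1
        if length == 0:
            return names, off
        names.append(block[off:off + length])
        off += length


def _rewrite_records(block: bytes):
    names, end = parse_records(block)
    active = b"".join(bytes([len(n)]) + obfuscate_name(n) for n in names) + b"\x00"
    return active, end


def dump_block_vulnerable(block: bytes) -> bytes:
    """Pre-fix behaviour: obfuscate the live records, then copy the rest of
    the block through unchanged, so stale bytes survive in the dump."""
    active, end = _rewrite_records(block)
    return active + block[end:]


def dump_block_fixed(block: bytes) -> bytes:
    """Fixed behaviour: obfuscate the live records and zero every byte after
    the last record."""
    active, end = _rewrite_records(block)
    return active + b"\x00" * (BLOCK_SIZE - end)


def leaked_fragments(dump: bytes, sensitive) -> list:
    """Pre-share check: which of the given byte strings (names known to be on
    the original filesystem) still appear verbatim in the dump?"""
    return [s for s in sensitive if s in dump]


# Constructed sample: three live names plus a stale name left in the unused
# tail of the block by a previously deleted entry.
LIVE_NAMES = [b"etc", b"passwd", b"quarterly-report.xlsx"]
STALE_DATA = b"old-secret-name.doc"
SAMPLE_BLOCK = build_block(LIVE_NAMES, STALE_DATA)


def demo():
    """Return the leaks found in each dump strategy; runs offline."""
    sensitive = LIVE_NAMES + [STALE_DATA]
    return {
        "vulnerable": leaked_fragments(dump_block_vulnerable(SAMPLE_BLOCK), sensitive),
        "fixed": leaked_fragments(dump_block_fixed(SAMPLE_BLOCK), sensitive),
    }


if __name__ == "__main__":
    for kind, leaks in demo().items():
        print(f"{kind:10s} leaks: {leaks}")
```

Running the module shows the stale name surviving only in the "vulnerable" dump; the short name `etc` appears in both, which is the documented exception for names of four characters or fewer rather than a leak. The `leaked_fragments` check is the part worth keeping: run the list of names you know to be on the source filesystem against any dump you intend to hand to a third party.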