Date: Thu, 30 Jul 2015 12:25:12 +1000
From: Dave Chinner <david@...morbit.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw

On Thu, Jul 23, 2015 at 08:41:05AM -0600, Kurt Seifried wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=817696
> 
> Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of
> tools for the XFS filesystem, did not properly obfuscate data.
> xfs_metadump properly obfuscates active metadata, but the rest of the
> space within that fs block comes through in the clear.  This could lead
> to exposure of stale disk data via the produced metadump image.
> 
> The expectation of xfs_metadump is to obfuscate all but the shortest
> names in the metadata, as noted in the manpage:
> 
> By  default,  xfs_metadump  obfuscates  most  file (regular file,
> directory and symbolic link) names and extended  attribute  names to
> allow  the  dumps  to be sent without revealing confidential
> information. Extended attribute values are zeroed and no data  is
> copied.  The only exceptions are file or attribute names that are 4 or
> less characters in length. Also file names that span extents (this can
> only occur with the mkfs.xfs(8) options where -n size > -b size) are not
> obfuscated.  Names between 5 and 8 characters  in length
> inclusively are partially obfuscated.
> 
> While the xfs_metadump tool can be run by unprivileged users, it
> requires appropriate permissions to access block devices (such as root)
> where the sensitive data might be dumped.  An unprivileged user, without
> access to the block device, could not use this flaw to obtain sensitive
> data they would not otherwise have permission to access.
> 
> Upstream patches will be available at
> https://git.kernel.org/cgit/fs/xfs/xfsprogs-dev.git/

I have just released xfsprogs v3.2.4 to address these issues. Please
see the release announcement here for details on where to find it:

http://oss.sgi.com/pipermail/xfs/2015-July/042726.html

-Dave.

PS: A comment on the CVE disclosure process: please ensure that the
upstream maintainer is informed of the CVE and the public disclosure
plan *before* disclosure occurs.  Apart from preventing co-ordinated
release of the fixes, failing to inform the maintainer of the
problem before public disclosure is impolite and disrespectful.

-- 
Dave Chinner
david@...morbit.com
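
The flaw described in the quoted report (active metadata is handled, the rest of the block is copied in the clear) can be shown with a toy model. This is an added example, not code from xfsprogs or from either poster; the block layout, the 64-byte block size and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64   /* toy block size (assumption, not an XFS value) */

/* Toy metadata block (assumption, not the XFS on-disk format):
 * byte 0 holds the number of live payload bytes that follow it;
 * everything after the live payload is unused space in the block. */

/* Flawed copy: the whole block goes into the dump, so stale bytes
 * sitting in the unused tail are carried along in the clear. */
static void dump_block_raw(const uint8_t *blk, uint8_t *out)
{
    memcpy(out, blk, BLOCK_SIZE);
}

/* Hardened copy: only the live region is copied, the tail is zeroed. */
static int dump_block_zero_tail(const uint8_t *blk, uint8_t *out)
{
    size_t used = 1 + (size_t)blk[0];
    if (used > BLOCK_SIZE)
        return -1;      /* corrupt length: refuse instead of over-reading */
    memcpy(out, blk, used);
    memset(out + used, 0, BLOCK_SIZE - used);
    return 0;
}

/* Audit helper: count non-zero bytes beyond the live region of a dumped block. */
static int stale_bytes(const uint8_t *out)
{
    size_t used = 1 + (size_t)out[0];
    int n = 0;
    if (used > BLOCK_SIZE)
        return -1;
    for (size_t i = used; i < BLOCK_SIZE; i++)
        n += out[i] != 0;
    return n;
}

/* Constructed sample: a block reused after it held older data. */
static void make_sample(uint8_t *blk)
{
    memset(blk, 0, BLOCK_SIZE);
    memcpy(blk + 20, "old-secret", 10);  /* stale bytes from earlier use */
    blk[0] = 8;
    memcpy(blk + 1, "livename", 8);      /* live metadata in bytes 1..8 */
}
```

Running `stale_bytes()` over each block of a dump is the defender's check here: a non-zero count means the image carries data beyond the live metadata and should not be shared as-is.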
