Date: Thu, 30 Jul 2015 12:25:12 +1000 From: Dave Chinner <david@...morbit.com> To: Kurt Seifried <kseifried@...hat.com> Cc: oss-security@...ts.openwall.com Subject: Re: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw On Thu, Jul 23, 2015 at 08:41:05AM -0600, Kurt Seifried wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=817696 > > Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of > tools for the XFS filesystem, did not properly obfuscate data. > xfs_metadump properly obfuscates active metadata, but the rest of the > space within that fs block comes through in the clear. This could lead > to exposure of stale disk data via the produced metadump image. > > The expectation of xfs_metadump is to obfuscate all but the shortest > names in the metadata, as noted in the manpage: > > By default, xfs_metadump obfuscates most file (regular file, > directory and symbolic link) names and extended attribute names to > allow the dumps to be sent without revealing confidential > information. Extended attribute values are zeroed and no data is > copied. The only exceptions are file or attribute names that are 4 or > less characters in length. Also file names that span extents (this can > only occur with the mkfs.xfs(8) options where -n size > -b size) are not > obfuscated. Names between 5 and 8 characters in length > inclusively are partially obfuscated. > > While the xfs_metadump tool can be run by unprivileged users, it > requires appropriate permissions to access block devices (such as root) > where the sensitive data might be dumped. An unprivileged user, without > access to the block device, could not use this flaw to obtain sensitive > data they would not otherwise have permission to access. > > Upstream patches will be available at > https://git.kernel.org/cgit/fs/xfs/xfsprogs-dev.git/ I have just released xfsprogs v3.2.4 to address these issues. Please see the release announcement here for details on where to find it: http://oss.sgi.com/pipermail/xfs/2015-July/042726.html -Dave. PS: A comment on the CVE disclosure process: please ensure that the upstream maintainer is informed of the CVE and the public disclosure plan *before* disclosure occurs. Apart from preventing co-ordinated release of the fixes, failing to inform the maintainer of the problem before public disclosure is impolite and disrespectful. -- Dave Chinner david@...morbit.com Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.