CVE-2015-1572 and other bug fixes
This commit is contained in:
parent
8c974e07ff
commit
18ad4ba0eb
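--- a/e2fsprogs-1.42.12-closefs-cve.patch
+++ b/e2fsprogs-1.42.12-closefs-cve.patch
@@ -0,0 +1,51 @@
+commit 49d0fe2a14f2a23da2fe299643379b8c1d37df73
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Fri Feb 6 12:46:39 2015 -0500
+
+libext2fs: fix potential buffer overflow in closefs()
+
+The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
+s_first_meta_bg is too big" had a typo in the fix for
+ext2fs_closefs(). In practice most of the security exposure was from
+the openfs path, since this meant if there was a carefully crafted
+file system, buffer overrun would be triggered when the file system was
+opened.
+
+However, if corrupted file system didn't trip over some corruption
+check, and then the file system was modified via tune2fs or debugfs,
+such that the superblock was marked dirty and then written out via the
+closefs() path, it's possible that the buffer overrun could be
+triggered when the file system is closed.
+
+Also clear up a signed vs unsigned warning while we're at it.
+
+Thanks to Nick Kralevich <nnk@google.com> for asking me to look at
+compiler warning in the code in question, which led me to notice the
+bug in f66e6ce4446.
+
+Addresses: CVE-2015-1572
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
+index 1f99113..ab5b2fb 100644
+--- a/lib/ext2fs/closefs.c
++++ b/lib/ext2fs/closefs.c
+@@ -287,7 +287,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+dgrp_t j;
+#endif
+char *group_ptr;
+- int old_desc_blocks;
++ blk64_t old_desc_blocks;
+struct ext2fs_numeric_progress_struct progress;
+
+EXT2_CHECK_MAGIC(fs, EXT2_ET_MAGIC_EXT2FS_FILSYS);
+@@ -346,7 +346,7 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+group_ptr = (char *) group_shadow;
+if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+old_desc_blocks = fs->super->s_first_meta_bg;
+- if (old_desc_blocks > fs->super->s_first_meta_bg)
++ if (old_desc_blocks > fs->desc_blocks)
+old_desc_blocks = fs->desc_blocks;
+} else
+old_desc_blocks = fs->desc_blocks;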
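Review bot: The corrected clamp at `+ if (old_desc_blocks > fs->desc_blocks)` only bounds the descriptor copy on the closefs() write path; the package is fully covered for CVE-2015-1572 only if the openfs-side bound that the commit message attributes to f66e6ce4446 is already in the 1.42.12 base, since the spec carries no separate patch for it — presumably it is upstream in this release, but that is worth confirming before shipping. The clamp is silent, so an out-of-range s_first_meta_bg is presumably left in the superblock as written and relies on e2fsck to report it; a one-line comment such as `/* s_first_meta_bg comes from disk and may be bogus; never copy more than desc_blocks */` next to the assignment would record why the bound exists. Also note the variable is now `blk64_t` while it is assigned from and compared against two differently typed fields, so the "signed vs unsigned" cleanup should be re-checked with -Wconversion. ext2fs_flush2's body begins before the first hunk and continues past the second.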
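--- a/e2fsprogs-1.42.12-dumpe2fs-segfault.patch
+++ b/e2fsprogs-1.42.12-dumpe2fs-segfault.patch
@@ -0,0 +1,25 @@
+commit fecb231f6fc83cf4b4ddf7ec34ace3723803a499
+Author: Darrick J. Wong <darrick.wong@oracle.com>
+Date: Fri Nov 7 21:26:14 2014 -0500
+
+dumpe2fs: don't crash when the user provides no block device argument
+
+If the user doesn't provide any arguments, the guard fails to run and
+the whole thing segfaults on ext2fs_open2(). Don't do that.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/misc/dumpe2fs.c b/misc/dumpe2fs.c
+index 1eae5a3..4185d6e 100644
+--- a/misc/dumpe2fs.c
++++ b/misc/dumpe2fs.c
+@@ -575,7 +575,7 @@ int main (int argc, char ** argv)
+usage();
+}
+}
+- if (argc - 1 > optind) {
++ if (optind != argc - 1) {
+usage();
+exit(1);
+}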
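Review bot: `+ if (optind != argc - 1) {` is the right condition (exactly one non-option argument), but it reads as an off-by-one puzzle; `if (argc - optind != 1)` states the intent directly and avoids the reader having to re-derive why the old `argc - 1 > optind` missed the zero-argument case. A short comment above it, `/* exactly one device argument is required; none at all used to fall through to ext2fs_open2() */`, would also keep the reason for the change with the code. The `exit(1)` after `usage()` is only reachable if usage() returns, which cannot be seen from the hunk. main() starts before the hunk and continues past it.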
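--- a/e2fsprogs-1.42.12-resize2fs-fsck.patch
+++ b/e2fsprogs-1.42.12-resize2fs-fsck.patch
@@ -0,0 +1,59 @@
+commit 0462fd6db55de28d7e087d8d06ab20339acd8f67
+Author: Eric Sandeen <sandeen@sandeen.net>
+Date: Sun Dec 14 19:08:59 2014 -0500
+
+resize2fs: don't require fsck to print min size
+
+My previous change ended up requiring that the filesystem
+be fsck'd after the last mount, even if we are only querying
+the minimum size. This is a bit draconian, and it burned
+the Fedora installer, which wants to calculate minimum size
+for every filesystem in the box at install time, which in turn
+requires a full fsck of every filesystem.
+
+Try this one more time, and separate out the tests to make things
+a bit more clear. If we're only printing the min size, don't
+require the fsck, as this is a bit less dangerous/critical.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/resize/main.c b/resize/main.c
+index 983d8c2..9a35af0 100644
+--- a/resize/main.c
++++ b/resize/main.c
+@@ -321,10 +321,30 @@ int main (int argc, char ** argv)
+}
+fs->default_bitmap_type = EXT2FS_BMAP64_RBTREE;
+
+- if (!(mount_flags & EXT2_MF_MOUNTED)) {
+- if (!force && ((fs->super->s_lastcheck < fs->super->s_mtime) ||
+- (fs->super->s_state & EXT2_ERROR_FS) ||
+- ((fs->super->s_state & EXT2_VALID_FS) == 0))) {
++ /*
++ * Before acting on an unmounted filesystem, make sure it's ok,
++ * unless the user is forcing it.
++ *
++ * We do ERROR and VALID checks even if we're only printing the
++ * minimimum size, because traversal of a badly damaged filesystem
++ * can cause issues as well. We don't require it to be fscked after
++ * the last mount time in this case, though, as this is a bit less
++ * risky.
++ */
++ if (!force && !(mount_flags & EXT2_MF_MOUNTED)) {
++ int checkit = 0;
++
++ if (fs->super->s_state & EXT2_ERROR_FS)
++ checkit = 1;
++
++ if ((fs->super->s_state & EXT2_VALID_FS) == 0)
++ checkit = 1;
++
++ if ((fs->super->s_lastcheck < fs->super->s_mtime) &&
++ !print_min_size)
++ checkit = 1;
++
++ if (checkit) {
+fprintf(stderr,
+_("Please run 'e2fsck -f %s' first.\n\n"),
+device_name);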
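Review bot: The added comment block misspells "minimum" at `* minimimum size, because traversal of a badly damaged filesystem`; since this comment is the only place that records why the ERROR/VALID checks are kept for -P while the lastcheck test is relaxed, it should read `* minimum size, because traversal of a badly damaged filesystem`. The relaxation itself is narrow and documented: with `print_min_size` only the `s_lastcheck < s_mtime` test is skipped, and a filesystem flagged EXT2_ERROR_FS or lacking EXT2_VALID_FS still refuses to proceed, which is the right trade-off for a read-only query. The `if (checkit)` block and main() both continue past the end of the hunk.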
@ -1,7 +1,7 @@
|
||||
Summary: Utilities for managing ext2, ext3, and ext4 filesystems
|
||||
Name: e2fsprogs
|
||||
Version: 1.42.12
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
|
||||
# License tags based on COPYING file distinctions for various components
|
||||
License: GPLv2
|
||||
@ -12,6 +12,9 @@ Source2: e2fsck.conf
|
||||
|
||||
Patch1: e2fsprogs-1.40.4-sb_feature_check_ignore.patch
|
||||
Patch2: e2fsprogs-1.42.12-use-after-free-fix.patch
|
||||
Patch3: e2fsprogs-1.42.12-closefs-cve.patch
|
||||
Patch4: e2fsprogs-1.42.12-dumpe2fs-segfault.patch
|
||||
Patch5: e2fsprogs-1.42.12-resize2fs-fsck.patch
|
||||
|
||||
Url: http://e2fsprogs.sourceforge.net/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
@ -152,6 +155,9 @@ It was originally inspired by the Multics SubSystem library.
|
||||
# after an selinux install...
|
||||
%patch1 -p1 -b .featurecheck
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%build
|
||||
%configure --enable-elf-shlibs --enable-nls --disable-uuidd --disable-fsck \
|
||||
@ -333,13 +339,18 @@ exit 0
|
||||
%{_libdir}/pkgconfig/ss.pc
|
||||
|
||||
%changelog
|
||||
* Tue Feb 24 2015 Eric Sandeen <sandeen@redhat.com> 1.42.12-4
|
||||
- Fix potential buffer overflow in closefs (#1193947, CVE-2015-1572)
|
||||
- Fix dumpe2fs segfault with no arguments (#1194063)
|
||||
- Don't require fsck prior to resize2fs -P (#1170803)
|
||||
|
||||
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1.42.12-3
|
||||
- Rebuilt for Fedora 23 Change
|
||||
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
|
||||
|
||||
* Tue Feb 17 2015 Eric Sandeen <sandeen@redhat.com> 1.42.12-2
|
||||
- Fix use after free
|
||||
- Re-enable time-based fsck if set in superblock (e2fsck.conf)
|
||||
- Fix use after free (#1192861)
|
||||
- Fix time-based fsck if set in superblock (e2fsck.conf, #963283)
|
||||
|
||||
* Fri Aug 29 2014 Eric Sandeen <sandeen@redhat.com> 1.42.12-1
|
||||
- New upstream release
|
||||
|