Bug#: 201546
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachment: 0001-libext2fs-Add-checks-to-prevent-integer-overflows-p.patch (patch, Robert Buchholz, 2007-12-07 00:33, 11.68 KB)

Description:   Opened: 2007-12-07 00:32 0000
TITLE: Multiple Integer Overflows in e2fsprogs 1.40.2

PRODUCT: e2fsprogs

..
DESCRIPTION:
Several integer overflows exist in memory allocations, based on sizes
taken directly from filesystem information.  In some systems, this
information may be user-supplied.

RESULTS: If a program using libext2fs (i.e., e2fsck, dumpe2fs,
debugfs, pygrub) tries to examine or manipulate an untrusted
filesystem created by a malicious attacker, this bug may result in a
heap-based buffer overflow, that could possibly lead to the ability to
execute code with the privileges of the libext2fs-using program.  No
exploits are known to exist, although sample filesystems which cause
the libext2fs-using program to crash are relatively easy to construct.

The most likely identified scenario to date which can cause security
issues involves pygrub, which is used in Xen environments to boot a
kernel contained in a filesystem image.  If the attacker does not have
privileged dom0 access, but does have privileged domU access, it
is possible that said attacker could modify the guest OS's filesystem
image in such a way that could cause pygrub to crash or possibly
execute code in the context of pygrub, which typically runs as root in
the dom0 environment.

Systems that contain /etc/fstab entries referencing removable hard
drives where the attacker is capable of replacing the hard drive with
one containing a specially crafted filesystem image could also be
vulnerable.  (Of course, if the /etc/fstab entry doesn't have nosuid
and nodev mount options for the removable device, the system is
vulnerable to a much simpler form of attack!)

CREDIT:
Many thanks to Rafal Wojtczuk of McAfee AVERT Research, who provided
both notification of this potential vulnerability as well as the patches
to address the defect.
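The defect class described above, as an added illustration that is not libext2fs code and not the attached patch: an allocation size derived from two fields read straight from an untrusted image, computed naively in 32-bit arithmetic beside an overflow-checked version that refuses the allocation. The field names and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for size fields read directly from on-disk
 * metadata of an untrusted filesystem image (hypothetical names). */
struct fs_hdr {
    uint32_t entry_count;   /* number of table entries the image claims */
    uint32_t entry_size;    /* bytes per entry the image claims */
};

/* Vulnerable pattern: the product is evaluated in 32-bit arithmetic and
 * silently wraps, so a large count can yield a tiny allocation while the
 * caller still believes the buffer holds entry_count entries.  Filling
 * the table afterwards is then a heap-based buffer overflow. */
uint32_t naive_table_bytes(const struct fs_hdr *h)
{
    return h->entry_count * h->entry_size;
}

/* Hardened pattern: detect the wrap before it happens.  Returns 0 and the
 * total in *bytes on success, -1 when the fields cannot be trusted. */
int checked_table_bytes(const struct fs_hdr *h, uint32_t *bytes)
{
    if (h->entry_size == 0 || h->entry_count == 0)
        return -1;                              /* nothing sane to allocate */
    if (h->entry_count > UINT32_MAX / h->entry_size)
        return -1;                              /* count * size would wrap */
    *bytes = h->entry_count * h->entry_size;
    return 0;
}

/* Allocate the table only when the size check passes; NULL otherwise, so
 * the caller treats the image as corrupt instead of proceeding. */
void *alloc_table_checked(const struct fs_hdr *h)
{
    uint32_t bytes;
    if (checked_table_bytes(h, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    struct fs_hdr crafted = { 0x10000u, 0x10000u };   /* 2^32 wraps to 0 */
    struct fs_hdr sane    = { 100u, 256u };
    void *t = alloc_table_checked(&sane);
    free(t);
    return alloc_table_checked(&crafted) == NULL ? 0 : 1;
}
```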

------- Comment #1 From Robert Buchholz 2007-12-07 00:33:25 0000 -------
Created an attachment (id=137932) [details]
0001-libext2fs-Add-checks-to-prevent-integer-overflows-p.patch

------- Comment #2 From Robert Buchholz 2007-12-07 00:36:09 0000 -------
base-system, please apply the patch or bump to the release currently found
here:
  http://userweb.kernel.org/~tytso/e2-pre-release/

marineam, cc'ing you as this affects xen with pygrub, but just for reference.
nothing to do for you, except verify that in all cases, the external libext2fs
is used. (Looking at my compile logs for xen-tools, it certainly seems so).

------- Comment #3 From SpanKY 2007-12-07 21:59:01 0000 -------
i don't like the idea of mirroring a file labeled as a "pre-release".  it isn't
on sf.net/projects/e2fsprogs either ...

------- Comment #4 From SpanKY 2007-12-08 21:15:27 0000 -------
1.40.3 was released officially and is now in the tree

------- Comment #5 From Pierre-Yves Rofes 2007-12-08 22:36:23 0000 -------
Arches, please test and mark stable sys-fs/e2fsprogs-1.40.3, target:
"alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"

------- Comment #6 From Pierre-Yves Rofes 2007-12-08 22:52:06 0000 -------
(In reply to comment #5)
> Arches, please test and mark stable sys-fs/e2fsprogs-1.40.3, target:
> "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
> 
Actually, you'll also need sys-libs/com_err-1.40.3 and sys-libs/ss-1.40.3
stable, thanks to welp for pointing that out :p

------- Comment #7 From Raúl Porcel 2007-12-09 12:48:38 0000 -------
Fails tests:

        MK_CMDS std_rqs.c
        CC std_rqs.c
        GEN_LIB libss.a
        GEN_ELF_SOLIB libss.so.2.0
make: Leaving directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.40.3/lib/ss'
>>> Source compiled.
make: Entering directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.40.3/lib/ss'
        CC test_ss.c
        MK_CMDS test_cmd.c
        CC test_cmd.c
make: *** No rule to make target `../../lib/libext2fs.so', needed by `test_ss'.  Stop.
make: Leaving directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.40.3/lib/ss'
 * 
 * ERROR: sys-libs/ss-1.40.3 failed.
 * Call stack:
 *          ebuild.sh, line 1701:  Called dyn_test
 *          ebuild.sh, line 1102:  Called qa_call 'src_test'
 *          ebuild.sh, line   44:  Called src_test

------- Comment #8 From Andrej Kacian (RETIRED) 2007-12-09 13:23:53 0000 -------
(In reply to comment #7)
> Fails tests:

I just reported those in bug #201762

------- Comment #9 From SpanKY 2007-12-09 22:47:56 0000 -------
while it sucks, it isn't a regression

------- Comment #10 From Robert Buchholz 2007-12-09 23:16:41 0000 -------
ss-1.40.3 was updated.

Please stabilize the three friends (comments 5 and 6), sorry for the bugspam.

------- Comment #11 From Peter Weller 2007-12-10 00:11:58 0000 -------
amd64 is gone!

------- Comment #12 From Dawid Węgliński 2007-12-10 00:18:19 0000 -------
x86 says:

LD_LIBRARY_PATH=../../lib DYLD_LIBRARY_PATH=../../lib ./tst_bitops
ext2fs_test_bit appears to be correct
ext2fs_set_bit test succeeded.
ext2fs_clear_bit test succeed.
Failed to allocate scratch memory!
make[1]: *** [check] Error 1
make[1]: Leaving directory
`/var/tmp/paludis/sys-fs/e2fsprogs-1.40.3/work/e2fsprogs-1.40.3/lib/ext2fs'
make: *** [check-recursive] Error 1

------- Comment #13 From Andrej Kacian (RETIRED) 2007-12-10 00:21:50 0000 -------
(In reply to comment #12)
> Failed to allocate scratch memory!

No such error on x86 over here... Marking stable.

------- Comment #14 From Dawid Węgliński 2007-12-10 00:30:32 0000 -------
Hm, still happens to me:

ACCEPT_KEYWORDS=x86
CFLAGS=-O2 -march=pentium-m -fomit-frame-pointer -pipe
CBUILD=i686-pc-linux-gnu
CHOST=i686-pc-linux-gnu
CXXFLAGS=-O2 -march=pentium-m -fomit-frame-pointer -pipe

------- Comment #15 From Jeroen Roovers 2007-12-10 01:50:51 0000 -------
Stable for HPPA.

------- Comment #16 From Raúl Porcel 2007-12-10 11:49:01 0000 -------
alpha/ia64/sparc stable

------- Comment #17 From Tobias Scherbaum 2007-12-10 19:33:27 0000 -------
ppc stable

------- Comment #18 From Brent Baude 2007-12-12 02:03:09 0000 -------
ppc64 stable

------- Comment #19 From Christian Faulhammer 2007-12-12 06:55:05 0000 -------
arm/m68k/s390/sh marked stable by Mike, mips missing, but all security
supported arches are done, so changing status to [glsa]

------- Comment #20 From Robert Buchholz 2007-12-12 09:56:24 0000 -------
SIGFILED

------- Comment #21 From Robert Buchholz 2007-12-18 20:58:13 0000 -------
GLSA 200712-13, thanks everyone.

------- Comment #22 From Peter Volkov 2008-03-06 09:57:18 0000 -------
Does not affect current (2008.0) release. Removing release.

------- Comment #23 From Attila Stehr 2009-12-04 00:43:46 0000 -------
Looks like this bug is back (reopen?)

LD_LIBRARY_PATH=../../lib DYLD_LIBRARY_PATH=../../lib ./tst_bitops
ext2fs_test_bit appears to be correct
ext2fs_set_bit test succeeded.
ext2fs_clear_bit test succeed.
Failed to allocate scratch memory!
make[1]: *** [check] Error 1
make[1]: Leaving directory
`/var/tmp/portage/sys-fs/e2fsprogs-1.41.9/work/e2fsprogs-1.41.9/lib/ext2fs'
make: *** [check-recursive] Error 1
 * 
 * ERROR: sys-fs/e2fsprogs-1.41.9 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_test
 *             environment, line 2599:  Called _eapi0_src_test
 *               ebuild.sh, line  607:  Called die

----------------------------

vz377 ~ # emerge --info
Portage 2.1.6.13 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.26.8 i686)
=================================================================
System uname:
Linux-2.6.26.8-i686-AMD_Athlon-tm-_II_X4_620_Processor-with-gentoo-1.12.13
Timestamp of tree: Thu, 03 Dec 2009 08:00:01 +0000
app-shells/bash:     4.0_p28
dev-lang/python:     2.6.2-r1
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i486-pc-linux-gnu"
CFLAGS="-O2 -mtune=i686 -pipe"
CHOST="i486-pc-linux-gnu"
CONFIG_PROTECT="/etc /sbin/rc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf
/etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mtune=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms
strict stricter test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 3dnowprefetch acl bzip2 cli cracklib crypt gdbm gmp gpm
hardened hpn iconv idn lzma mmx mudflap ncurses nls nptl nptlonly openmp pam
pcre pic pth readline reflection skey smp spl sse sse2 sse3 sse4a ssl tcpd
threads unicode x86 zlib" ELIBC="glibc" INPUT_DEVICES="keyboard" KERNEL="linux"
LINGUAS="de" USERLAND="GNU"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG,
LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
