Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 749318 (CVE-2020-6104, CVE-2020-6105, CVE-2020-6106, CVE-2020-6107, CVE-2020-6108) - <sys-fs/f2fs-tools-1.14.0: Multiple vulnerabilities (CVE-2020-{6104,6105,6106,6107,6108})
Summary: <sys-fs/f2fs-tools-1.14.0: Multiple vulnerabilities (CVE-2020-{6104,6105,6106...
Status: RESOLVED FIXED
Alias: CVE-2020-6104, CVE-2020-6105, CVE-2020-6106, CVE-2020-6107, CVE-2020-6108
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-15 16:08 UTC by Sam James
Modified: 2021-01-26 00:33 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 16:08:33 UTC
* CVE-2020-6104

"An exploitable information disclosure vulnerability exists in the get_dnode_of_data functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause information disclosure resulting in a information disclosure. An attacker can provide a malicious file to trigger this vulnerability."

URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1046

* CVE-2020-6105

"An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability."

URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1047 

* CVE-2020-6106

"An exploitable information disclosure vulnerability exists in the init_node_manager functionality of F2fs-Tools F2fs.Fsck 1.12 and 1.13. A specially crafted filesystem can be used to disclose information. An attacker can provide a malicious file to trigger this vulnerability."

URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1048

* CVE-2020-6107

"An exploitable information disclosure vulnerability exists in the dev_read functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause an uninitialized read resulting in an information disclosure. An attacker can provide a malicious file to trigger this vulnerability."

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1049

* CVE-2020-6108

"An exploitable code execution vulnerability exists in the fsck_chk_orphan_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability."

URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 16:09:15 UTC
Not clear if fixed in 1.14.
Comment 2 Anthony Basile gentoo-dev 2020-10-27 18:16:50 UTC
(In reply to Sam James from comment #1)
> Not clear if fixed in 1.14.

Let's just stabilize 1.14.  It has been in the tree forever.

KEYWORDS="amd64 arm arm64 ppc ppc64 x86"
Comment 3 NATTkA bot gentoo-dev 2020-10-27 21:32:51 UTC
Unable to check for sanity:

> no match for package: sys-fs/f2fs-tools-1.14
Comment 4 NATTkA bot gentoo-dev 2020-10-27 21:40:55 UTC
All sanity-check issues have been resolved
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-10-27 22:00:38 UTC
x86 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-28 03:05:46 UTC
arm64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-28 16:13:39 UTC
arm done
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-28 22:42:15 UTC
ppc/ppc64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-31 11:05:47 UTC
amd64 stable, though no idea about cleanup then.
Comment 10 Anthony Basile gentoo-dev 2020-11-09 17:58:16 UTC
(In reply to Mikle Kolyada from comment #9)
> amd64 stable, though no idea about cleanup then.

I've removed 1.13.0 from the tree.  The only remaining version is 1.14.0 which is the latest upstream.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 00:22:18 UTC
This issue was resolved and addressed in
 GLSA 202101-26 at https://security.gentoo.org/glsa/202101-26
by GLSA coordinator Sam James (sam_c).