Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 201546 (CVE-2007-5497)

Summary: sys-fs/e2fsprogs < 1.40.3 Multiple buffer overflows (CVE-2007-5497)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: as.gentoo, base-system, cla, xen
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/27889/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
0001-libext2fs-Add-checks-to-prevent-integer-overflows-p.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-07 00:32:34 UTC
TITLE: Multiple Integer Overflows in e2fsprogs 1.40.2

PRODUCT: e2fsprogs

..
DESCRIPTION:
Several integer overflows exist in memory allocations, based on sizes
taken directly from filesystem information.  In some systems, this
information may be user-supplied.

RESULTS: If a program using libext2fs (i.e., e2fsck, dumpe2fs,
debugfs, pygrub) tries to examine or manipulate an untrusted
filesystem created by a malicious attacker, this bug may result in a
heap-based buffer overflow, that could possibly lead to the ability to
execute code with the privileges of the libext2fs-using program.  No
exploits are known to exist, although sample filesystems which cause
the libext2fs-using program to crash are relatively easy to construct.

The most likely identified scenario to date which can cause security
issues involves pygrub, which is used in Xen environments to boot a
kernel contained in a filesystem image.  If the attacker does not have
privileged dom0 access, but does have privileged has domU access, it
is possible that said attacker could modify the guest OS's filesystem
image in such a way that could cause pygrub to crash or possibly
execute code in the context of pygrub, which typically runs as root in
the dom0 enviroment.

Systems that contain /etc/fstab entries referencing removeable hard
drives where the attacker is capable of replacing the hard drive with
one containing a specially crafted fileststem image could also be
vulnerable.  (Of course, if the /etc/fstab entry doesn't have nosuid
and nodev mount options for the removeable device, the system is
vulnerable to a much simpler form of attack!)

CREDIT:
Many thanks to Rafal Wojtczuk of McAfee AVERT Research, who provided
both notification of this potential vulnerability as well as the patches
to address the defect.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-07 00:33:25 UTC
Created attachment 137932 [details, diff]
0001-libext2fs-Add-checks-to-prevent-integer-overflows-p.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-07 00:36:09 UTC
base-system, please apply the patch or bump to the release currently found here:
  http://userweb.kernel.org/~tytso/e2-pre-release/

marineam, cc'ing you as this affects xen with pygrub, but just for reference. nothing to do for you, except verify that in all cases, the external libext2fs is used. (Looking at my compile logs for xen-tools, it certainly seems so).
Comment 3 SpanKY gentoo-dev 2007-12-07 21:59:01 UTC
i dont like the idea of mirroring a file labeled as a "pre-release".  it isnt on sf.net/projects/e2fsprogs either ...
Comment 4 SpanKY gentoo-dev 2007-12-08 21:15:27 UTC
1.40.3 was released officially and is now in the tree
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 22:36:23 UTC
Arches, please test and mark stable sys-fs/e2fsprogs-1.40.3, target:
"alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 22:52:06 UTC
(In reply to comment #5)
> Arches, please test and mark stable sys-fs/e2fsprogs-1.40.3, target:
> "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
> 
Actually, you'll also need sys-libs/com_err-1.40.3 and sys-libs/ss-1.40.3 stable, thanks to welp for pointing that out :p
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-12-09 12:48:38 UTC
Fails tests:

        MK_CMDS std_rqs.c
        CC std_rqs.c
        GEN_LIB libss.a
        GEN_ELF_SOLIB libss.so.2.0
make: Leaving directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.40
.3/lib/ss'
>>> Source compiled.
make: Entering directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.4
0.3/lib/ss'
        CC test_ss.c
        MK_CMDS test_cmd.c
        CC test_cmd.c
make: *** No rule to make target `../../lib/libext2fs.so', needed by `test_ss'. 
 Stop.
make: Leaving directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.40
.3/lib/ss'
 * 
 * ERROR: sys-libs/ss-1.40.3 failed.
 * Call stack:
 *          ebuild.sh, line 1701:  Called dyn_test
 *          ebuild.sh, line 1102:  Called qa_call 'src_test'
 *          ebuild.sh, line   44:  Called src_test
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2007-12-09 13:23:53 UTC
(In reply to comment #7)
> Fails tests:

I just reported those in bug #201762
Comment 9 SpanKY gentoo-dev 2007-12-09 22:47:56 UTC
while it sucks, it isnt a regression
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-12-09 23:16:41 UTC
ss-1.40.3 was updated.

Please stabilize the three friends (comments 5 and 6), sorry for the bugspam.
Comment 11 Peter Weller (RETIRED) gentoo-dev 2007-12-10 00:11:58 UTC
amd64 is gone!
Comment 12 Dawid Węgliński (RETIRED) gentoo-dev 2007-12-10 00:18:19 UTC
x86 says:

LD_LIBRARY_PATH=../../lib DYLD_LIBRARY_PATH=../../lib ./tst_bitops
ext2fs_test_bit appears to be correct
ext2fs_set_bit test succeeded.
ext2fs_clear_bit test succeed.
Failed to allocate scratch memory!
make[1]: *** [check] Error 1
make[1]: Leaving directory `/var/tmp/paludis/sys-fs/e2fsprogs-1.40.3/work/e2fsprogs-1.40.3/lib/ext2fs'
make: *** [check-recursive] Error 1
Comment 13 Andrej Kacian (RETIRED) gentoo-dev 2007-12-10 00:21:50 UTC
(In reply to comment #12)
> Failed to allocate scratch memory!

No such error on x86 over here... Marking stable.
Comment 14 Dawid Węgliński (RETIRED) gentoo-dev 2007-12-10 00:30:32 UTC
Hm, still happens to me:

ACCEPT_KEYWORDS=x86
CFLAGS=-O2 -march=pentium-m -fomit-frame-pointer -pipe
CBUILD=i686-pc-linux-gnu
CHOST=i686-pc-linux-gnu
CXXFLAGS=-O2 -march=pentium-m -fomit-frame-pointer -pipe
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-10 01:50:51 UTC
Stable for HPPA.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2007-12-10 11:49:01 UTC
alpha/ia64/sparc stable
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-10 19:33:27 UTC
ppc stable
Comment 18 Brent Baude (RETIRED) gentoo-dev 2007-12-12 02:03:09 UTC
ppc64 stable
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-12 06:55:05 UTC
arm/m68k/s390/sh marked stable by Mike, mips missing, but all security supported arches are done, so changing status to [glsa]
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2007-12-12 09:56:24 UTC
SIGFILED
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2007-12-18 20:58:13 UTC
GLSA 200712-13, thanks everyone.
Comment 22 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:57:18 UTC
Does not affect current (2008.0) release. Removing release.
Comment 23 Attila Stehr 2009-12-04 00:43:46 UTC
Looks like this bug is back (reopen?)

LD_LIBRARY_PATH=../../lib DYLD_LIBRARY_PATH=../../lib ./tst_bitops
ext2fs_test_bit appears to be correct
ext2fs_set_bit test succeeded.
ext2fs_clear_bit test succeed.
Failed to allocate scratch memory!
make[1]: *** [check] Error 1
make[1]: Leaving directory `/var/tmp/portage/sys-fs/e2fsprogs-1.41.9/work/e2fsprogs-1.41.9/lib/ext2fs'
make: *** [check-recursive] Error 1
 * 
 * ERROR: sys-fs/e2fsprogs-1.41.9 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_test
 *             environment, line 2599:  Called _eapi0_src_test
 *               ebuild.sh, line  607:  Called die

----------------------------

vz377 ~ # emerge --info
Portage 2.1.6.13 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.26.8 i686)
=================================================================
System uname: Linux-2.6.26.8-i686-AMD_Athlon-tm-_II_X4_620_Processor-with-gentoo-1.12.13
Timestamp of tree: Thu, 03 Dec 2009 08:00:01 +0000
app-shells/bash:     4.0_p28
dev-lang/python:     2.6.2-r1
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i486-pc-linux-gnu"
CFLAGS="-O2 -mtune=i686 -pipe"
CHOST="i486-pc-linux-gnu"
CONFIG_PROTECT="/etc /sbin/rc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mtune=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict stricter test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 3dnowprefetch acl bzip2 cli cracklib crypt gdbm gmp gpm hardened hpn iconv idn lzma mmx mudflap ncurses nls nptl nptlonly openmp pam pcre pic pth readline reflection skey smp spl sse sse2 sse3 sse4a ssl tcpd threads unicode x86 zlib" ELIBC="glibc" INPUT_DEVICES="keyboard" KERNEL="linux" LINGUAS="de" USERLAND="GNU"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY