TITLE: Multiple Integer Overflows in e2fsprogs 1.40.2

PRODUCT: e2fsprogs

DESCRIPTION: Several integer overflows exist in memory allocations, based on sizes taken directly from filesystem information. In some systems, this information may be user-supplied.

RESULTS: If a program using libext2fs (i.e., e2fsck, dumpe2fs, debugfs, pygrub) tries to examine or manipulate an untrusted filesystem created by a malicious attacker, this bug may result in a heap-based buffer overflow that could possibly lead to the ability to execute code with the privileges of the libext2fs-using program. No exploits are known to exist, although sample filesystems which cause the libext2fs-using program to crash are relatively easy to construct.

The most likely identified scenario to date which can cause security issues involves pygrub, which is used in Xen environments to boot a kernel contained in a filesystem image. If the attacker does not have privileged dom0 access, but does have privileged domU access, it is possible that said attacker could modify the guest OS's filesystem image in such a way that could cause pygrub to crash or possibly execute code in the context of pygrub, which typically runs as root in the dom0 environment.

Systems that contain /etc/fstab entries referencing removable hard drives where the attacker is capable of replacing the hard drive with one containing a specially crafted filesystem image could also be vulnerable. (Of course, if the /etc/fstab entry doesn't have nosuid and nodev mount options for the removable device, the system is vulnerable to a much simpler form of attack!)

CREDIT: Many thanks to Rafal Wojtczuk of McAfee AVERT Research, who provided both notification of this potential vulnerability as well as the patches to address the defect.
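The bug class described above, as an added illustration that is not part of the report and not libext2fs code: a header field pair multiplied in 32-bit arithmetic wraps before it reaches the allocator, so a loop that later trusts the original count writes past the short buffer. The `img_header` struct, its field names, `MAX_TABLE_BYTES` and the sample headers are all constructed for this example; the hardened path checks the multiplication against `SIZE_MAX`, applies a sanity limit, and bounds the read by the actual image length before allocating.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for an on-disk header (hypothetical field names,
 * not libext2fs's own).  When the image is untrusted, both fields are
 * attacker-controlled. */
struct img_header {
    uint32_t group_count;   /* number of descriptor entries claimed */
    uint32_t desc_size;     /* bytes per entry claimed */
};

/* Sanity limit for a descriptor table; chosen for the example only. */
#define MAX_TABLE_BYTES ((size_t)64 << 20)

/* Constructed sample headers: a plausible one and one whose product
 * (0x10000 * 0x10001 = 0x100010000) wraps to 0x10000 in 32 bits. */
const struct img_header sample_good = { 8, 32 };
const struct img_header sample_evil = { 0x10000u, 0x10001u };

/* Unsafe pattern: the product is formed in 32-bit arithmetic and wraps
 * before malloc() sees it, so the buffer is far smaller than the count
 * the rest of the code will iterate over. */
size_t naive_alloc_size(const struct img_header *h)
{
    uint32_t bytes = h->group_count * h->desc_size;   /* wraps mod 2^32 */
    return (size_t)bytes;
}

/* Hardened pattern: refuse headers whose product would overflow size_t
 * or exceed a sane bound.  Returns 0 and sets *out on success, -1 on
 * rejection.  Nothing is allocated here. */
int checked_alloc_size(const struct img_header *h, size_t limit, size_t *out)
{
    if (h->group_count == 0 || h->desc_size == 0)
        return -1;
    if (h->group_count > SIZE_MAX / h->desc_size)
        return -1;                          /* multiplication would overflow */
    size_t n = (size_t)h->group_count * h->desc_size;
    if (n > limit)
        return -1;                          /* absurd for a real image */
    *out = n;
    return 0;
}

/* Safe copy of the table out of an in-memory image: size is validated
 * first, then the read is bounded by the real image length, so a header
 * claiming more than the image holds is rejected instead of read past. */
void *load_table(const struct img_header *h, const uint8_t *image,
                 size_t image_len, size_t table_off, size_t *out_len)
{
    size_t n;
    if (checked_alloc_size(h, MAX_TABLE_BYTES, &n) != 0)
        return NULL;
    if (table_off > image_len || n > image_len - table_off)
        return NULL;                        /* table extends past the image */
    uint8_t *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    memcpy(buf, image + table_off, n);
    *out_len = n;
    return buf;
}

/* Helpers returning plain values so the behaviour can be checked. */
size_t checked_size_or_zero(const struct img_header *h)
{
    size_t n = 0;
    return checked_alloc_size(h, MAX_TABLE_BYTES, &n) == 0 ? n : 0;
}

int table_loads(const struct img_header *h, size_t image_len)
{
    uint8_t image[512] = { 0 };             /* constructed zero-filled image */
    size_t got = 0;
    if (image_len > sizeof image)
        return 0;
    void *t = load_table(h, image, image_len, 16, &got);
    int ok = (t != NULL) && got == checked_size_or_zero(h);
    free(t);
    return ok;
}

int main(void)
{
    printf("naive size for evil header:   %zu bytes\n", naive_alloc_size(&sample_evil));
    printf("checked size for evil header: %zu (0 = rejected)\n", checked_size_or_zero(&sample_evil));
    printf("checked size for good header: %zu\n", checked_size_or_zero(&sample_good));
    printf("good header, 300-byte image:  %s\n", table_loads(&sample_good, 300) ? "loaded" : "rejected");
    printf("good header, 100-byte image:  %s\n", table_loads(&sample_good, 100) ? "loaded" : "rejected");
    return 0;
}
```

The naive path hands malloc() 65536 bytes for a header that really describes over 4 GiB of entries, which is exactly the condition a later fixed-count loop turns into a heap overflow; the checked path rejects the same header before any allocation, and also rejects a truncated image whose header is otherwise consistent.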
Created attachment 137932: 0001-libext2fs-Add-checks-to-prevent-integer-overflows-p.patch
base-system, please apply the patch or bump to the release currently found here: http://userweb.kernel.org/~tytso/e2-pre-release/

marineam, cc'ing you as this affects xen with pygrub, but just for reference. Nothing to do for you, except verify that in all cases the external libext2fs is used. (Looking at my compile logs for xen-tools, it certainly seems so.)
I don't like the idea of mirroring a file labeled as a "pre-release". It isn't on sf.net/projects/e2fsprogs either ...
1.40.3 was released officially and is now in the tree
Arches, please test and mark stable sys-fs/e2fsprogs-1.40.3, target: "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
(In reply to comment #5)
> Arches, please test and mark stable sys-fs/e2fsprogs-1.40.3, target:
> "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"

Actually, you'll also need sys-libs/com_err-1.40.3 and sys-libs/ss-1.40.3 stable, thanks to welp for pointing that out :p
Fails tests:

MK_CMDS std_rqs.c
CC std_rqs.c
GEN_LIB libss.a
GEN_ELF_SOLIB libss.so.2.0
make: Leaving directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.40.3/lib/ss'
>>> Source compiled.
make: Entering directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.40.3/lib/ss'
CC test_ss.c
MK_CMDS test_cmd.c
CC test_cmd.c
make: *** No rule to make target `../../lib/libext2fs.so', needed by `test_ss'. Stop.
make: Leaving directory `/var/tmp/portage/sys-libs/ss-1.40.3/work/e2fsprogs-1.40.3/lib/ss'
 *
 * ERROR: sys-libs/ss-1.40.3 failed.
 * Call stack:
 *   ebuild.sh, line 1701: Called dyn_test
 *   ebuild.sh, line 1102: Called qa_call 'src_test'
 *   ebuild.sh, line 44: Called src_test
(In reply to comment #7)
> Fails tests:

I just reported those in bug #201762
While it sucks, it isn't a regression.
ss-1.40.3 was updated. Please stabilize the three friends (comments 5 and 6), sorry for the bugspam.
amd64 is gone!
x86 says:

LD_LIBRARY_PATH=../../lib DYLD_LIBRARY_PATH=../../lib ./tst_bitops
ext2fs_test_bit appears to be correct
ext2fs_set_bit test succeeded.
ext2fs_clear_bit test succeed.
Failed to allocate scratch memory!
make[1]: *** [check] Error 1
make[1]: Leaving directory `/var/tmp/paludis/sys-fs/e2fsprogs-1.40.3/work/e2fsprogs-1.40.3/lib/ext2fs'
make: *** [check-recursive] Error 1
(In reply to comment #12)
> Failed to allocate scratch memory!

No such error on x86 over here... Marking stable.
Hm, still happens to me:

ACCEPT_KEYWORDS=x86
CFLAGS=-O2 -march=pentium-m -fomit-frame-pointer -pipe
CBUILD=i686-pc-linux-gnu
CHOST=i686-pc-linux-gnu
CXXFLAGS=-O2 -march=pentium-m -fomit-frame-pointer -pipe
Stable for HPPA.
alpha/ia64/sparc stable
ppc stable
ppc64 stable
arm/m68k/s390/sh marked stable by Mike, mips missing, but all security supported arches are done, so changing status to [glsa]
SIGFILED
GLSA 200712-13, thanks everyone.
Does not affect current (2008.0) release. Removing release.
Looks like this bug is back (reopen?)

LD_LIBRARY_PATH=../../lib DYLD_LIBRARY_PATH=../../lib ./tst_bitops
ext2fs_test_bit appears to be correct
ext2fs_set_bit test succeeded.
ext2fs_clear_bit test succeed.
Failed to allocate scratch memory!
make[1]: *** [check] Error 1
make[1]: Leaving directory `/var/tmp/portage/sys-fs/e2fsprogs-1.41.9/work/e2fsprogs-1.41.9/lib/ext2fs'
make: *** [check-recursive] Error 1
 *
 * ERROR: sys-fs/e2fsprogs-1.41.9 failed.
 * Call stack:
 *   ebuild.sh, line 49: Called src_test
 *   environment, line 2599: Called _eapi0_src_test
 *   ebuild.sh, line 607: Called die

----------------------------

vz377 ~ # emerge --info
Portage 2.1.6.13 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.26.8 i686)
=================================================================
System uname: Linux-2.6.26.8-i686-AMD_Athlon-tm-_II_X4_620_Processor-with-gentoo-1.12.13
Timestamp of tree: Thu, 03 Dec 2009 08:00:01 +0000
app-shells/bash: 4.0_p28
dev-lang/python: 2.6.2-r1
sys-apps/baselayout: 1.12.13
sys-apps/sandbox: 1.6-r2
sys-devel/autoconf: 2.13, 2.63-r1
sys-devel/automake: 1.10.2
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6a
virtual/os-headers: 2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i486-pc-linux-gnu"
CFLAGS="-O2 -mtune=i686 -pipe"
CHOST="i486-pc-linux-gnu"
CONFIG_PROTECT="/etc /sbin/rc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mtune=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict stricter test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 3dnowprefetch acl bzip2 cli cracklib crypt gdbm gmp gpm hardened hpn iconv idn lzma mmx mudflap ncurses nls nptl nptlonly openmp pam pcre pic pth readline reflection skey smp spl sse sse2 sse3 sse4a ssl tcpd threads unicode x86 zlib" ELIBC="glibc" INPUT_DEVICES="keyboard" KERNEL="linux" LINGUAS="de" USERLAND="GNU"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY