Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 556318 (CVE-2012-2150) - <sys-fs/xfsprogs-3.2.4: xfs_metadump information disclosure flaw (CVE-2012-2150)
Summary: <sys-fs/xfsprogs-3.2.4: xfs_metadump information disclosure flaw (CVE-2012-2150)
Status: RESOLVED FIXED
Alias: CVE-2012-2150
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-30 12:09 UTC by Agostino Sarubbo
Modified: 2016-07-06 04:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-07-30 12:09:41 UTC
From ${URL} :

Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of tools for the XFS filesystem, did not properly obfuscate data.  xfs_metadump properly obfuscates active metadata, but the rest of the space within that fs block comes through in the clear.  
This could lead to exposure of stale disk data via the produced metadump image.

The expectation of xfs_metadump is to obfuscate all but the shortest names in the metadata, as noted in the manpage:

By  default,  xfs_metadump  obfuscates  most  file (regular file, directory and
symbolic link) names and extended  attribute  names to  allow  the  dumps  to
be sent without revealing confidential information. Extended attribute values
are zeroed and no data  is copied.  The only exceptions are file or attribute
names that are 4 or less characters in length. Also file names that span
extents (this can only occur with the mkfs.xfs(8) options where -n size > -b
size) are not obfuscated.  Names between 5 and 8 characters  in length
inclusively are partially obfuscated.

While the xfs_metadump tool can be run by unprivileged users, it requires appropriate permissions to access block devices (such as root) where the sensitive data might be dumped.  An unprivileged user, without access to the block device, could not use this flaw 
to obtain sensitive data they would not otherwise have permission to access.


Fixed in 3.2.4


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-07-30 15:50:25 UTC
+  30 Jul 2015; Lars Wendler <polynomial-c@gentoo.org> -xfsprogs-3.2.1.ebuild,
+  +xfsprogs-3.2.4.ebuild:
+  Security bump (bug #556318). Removed old.
+
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-30 17:53:00 UTC
Arches, please stabilize:
=sys-fs/xfsprogs-3.2.4
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-30 18:13:52 UTC
amd64 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-31 15:28:12 UTC
Stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-05 06:03:00 UTC
Stable for HPPA PPC64.
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-08-05 11:57:54 UTC
ia64 stable
Comment 7 Markus Meier gentoo-dev 2015-08-06 04:56:41 UTC
arm stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-08-09 18:06:18 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-08-26 07:30:19 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-09-06 08:34:06 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:08:35 UTC
Vote: NO.
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-09 22:15:30 UTC
GLSA Vote: No