Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 749318 (CVE-2020-6104, CVE-2020-6105, CVE-2020-6106, CVE-2020-6107, CVE-2020-6108) - sys-fs/f2fs-tools: Multiple vulnerabilities (CVE-2020-{6104,6105,6106,6107,6108})
Summary: sys-fs/f2fs-tools: Multiple vulnerabilities (CVE-2020-{6104,6105,6106,6107,61...
Status: IN_PROGRESS
Alias: CVE-2020-6104, CVE-2020-6105, CVE-2020-6106, CVE-2020-6107, CVE-2020-6108
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cleanup]
Keywords: CC-ARCHES, STABLEREQ
Depends on:
Blocks:
 
Reported: 2020-10-15 16:08 UTC by Sam James
Modified: 2020-11-09 17:58 UTC (History)
2 users (show)

See Also:
Package list:
sys-fs/f2fs-tools-1.14.0 amd64 arm arm64 ppc ppc64 x86
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-10-15 16:08:33 UTC
* CVE-2020-6104

"An exploitable information disclosure vulnerability exists in the get_dnode_of_data functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause information disclosure resulting in a information disclosure. An attacker can provide a malicious file to trigger this vulnerability."

URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1046

* CVE-2020-6105

"An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability."

URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1047 

* CVE-2020-6106

"An exploitable information disclosure vulnerability exists in the init_node_manager functionality of F2fs-Tools F2fs.Fsck 1.12 and 1.13. A specially crafted filesystem can be used to disclose information. An attacker can provide a malicious file to trigger this vulnerability."

URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1048

* CVE-2020-6107

"An exploitable information disclosure vulnerability exists in the dev_read functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause an uninitialized read resulting in an information disclosure. An attacker can provide a malicious file to trigger this vulnerability."

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1049

* CVE-2020-6108

"An exploitable code execution vulnerability exists in the fsck_chk_orphan_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability."

URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050
Comment 1 Sam James archtester gentoo-dev Security 2020-10-15 16:09:15 UTC
Not clear if fixed in 1.14.
Comment 2 Anthony Basile gentoo-dev 2020-10-27 18:16:50 UTC
(In reply to Sam James from comment #1)
> Not clear if fixed in 1.14.

Let's just stabilize 1.14.  It has been in the tree forever.

KEYWORDS="amd64 arm arm64 ppc ppc64 x86"
Comment 3 NATTkA bot gentoo-dev 2020-10-27 21:32:51 UTC
Unable to check for sanity:

> no match for package: sys-fs/f2fs-tools-1.14
Comment 4 NATTkA bot gentoo-dev 2020-10-27 21:40:55 UTC
All sanity-check issues have been resolved
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-10-27 22:00:38 UTC
x86 stable
Comment 6 Sam James archtester gentoo-dev Security 2020-10-28 03:05:46 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2020-10-28 16:13:39 UTC
arm done
Comment 8 Sergei Trofimovich gentoo-dev 2020-10-28 22:42:15 UTC
ppc/ppc64 stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-10-31 11:05:47 UTC
amd64 stable, though no idea about cleanup then.
Comment 10 Anthony Basile gentoo-dev 2020-11-09 17:58:16 UTC
(In reply to Mikle Kolyada from comment #9)
> amd64 stable, though no idea about cleanup then.

I've removed 1.13.0 from the tree.  The only remaining version is 1.14.0 which is the latest upstream.