Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918535 (CVE-2023-49298) - <sys-fs/zfs-{2.1.14,2.2.2}: data corruption
Summary: <sys-fs/zfs-{2.1.14,2.2.2}: data corruption
Status: RESOLVED FIXED
Alias: CVE-2023-49298
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [noglsa]
Keywords:
Depends on: 917224
Blocks:
  Show dependency tree
 
Reported: 2023-11-25 16:58 UTC by Christopher Fore
Modified: 2024-01-07 19:20 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2023-11-25 16:58:05 UTC
CVE-2023-49298 (https://github.com/openzfs/zfs/issues/15526):

OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 20:19:21 UTC
I am unconvinced that this is worthy of a CVE..
Comment 2 Mike 2023-11-25 20:45:24 UTC
This tool can easily detect all the corrupted files:

https://github.com/0x5c/zfs-bclonecheck
Comment 3 Mike 2023-11-25 20:47:36 UTC
(In reply to Mike from comment #2)
> This tool can easily detect all the corrupted files:
> 
> https://github.com/0x5c/zfs-bclonecheck

Some of the detected corrupted files then can be re-created by Gentoo user by re-emerge:

equery b DETECTED_CORRUPTED_FILE_1
emerge -1 --usepkg=n PACKAGE
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 20:50:52 UTC
Please keep the discussion on the upstream bug for detection but that is NOT complete. Non cloned files may be affected.
Comment 5 Marc Schiffbauer gentoo-dev 2023-12-01 11:39:10 UTC
New versions of zfs have been released today which solve the corruption bug

https://github.com/openzfs/zfs/releases/download/zfs-2.2.2/zfs-2.2.2.tar.gz
https://github.com/openzfs/zfs/releases/download/zfs-2.1.14/zfs-2.1.14.tar.gz
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 00:14:21 UTC
I suppose we'll treat those as the fixed versions then. I'll vote no on a GLSA (but still wait for a second opinion).
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 07:08:25 UTC
I'd say no.