oss-sec mailing list archives

Re: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw

From: Dave Chinner <david () fromorbit com>
Date: Thu, 30 Jul 2015 12:25:12 +1000

On Thu, Jul 23, 2015 at 08:41:05AM -0600, Kurt Seifried wrote:

https://bugzilla.redhat.com/show_bug.cgi?id=817696

Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of
tools for the XFS filesystem, did not properly obfuscate data.
xfs_metadump properly obfuscates active metadata, but the rest of the
space within that fs block comes through in the clear.  This could lead
to exposure of stale disk data via the produced metadump image.

The expectation of xfs_metadump is to obfuscate all but the shortest
names in the metadata, as noted in the manpage:

By  default,  xfs_metadump  obfuscates  most  file (regular file,
directory and symbolic link) names and extended  attribute  names to
allow  the  dumps  to be sent without revealing confidential
information. Extended attribute values are zeroed and no data  is
copied.  The only exceptions are file or attribute names that are 4 or
less characters in length. Also file names that span extents (this can
only occur with the mkfs.xfs(8) options where -n size > -b size) are not
obfuscated.  Names between 5 and 8 characters  in length
inclusively are partially obfuscated.

While the xfs_metadump tool can be run by unprivileged users, it
requires appropriate permissions to access block devices (such as root)
where the sensitive data might be dumped.  An unprivileged user, without
access to the block device, could not use this flaw to obtain sensitive
data they would not otherwise have permission to access.

Upstream patches will be available at
https://git.kernel.org/cgit/fs/xfs/xfsprogs-dev.git/


I have just released xfsprogs v3.2.4 to address these issues. Please
see the release announcement here for details on where to find it:

http://oss.sgi.com/pipermail/xfs/2015-July/042726.html

-Dave.

PS: A comment on the CVE disclosure process: please ensure that the
upstream maintainer is informed of the CVE and the public disclosure
plan *before* disclosure occurs.  Apart from preventing co-ordinated
release of the fixes, failing to inform the maintainer of the
problem before public disclosure is impolite and disrespectful.

-- 
Dave Chinner
david () fromorbit com

Attachment: signature.asc
Description: Digital signature

Current thread:

CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw Kurt Seifried (Jul 23)
- Re: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw Dave Chinner (Jul 29)