Bug 1193945 (CVE-2015-1572)

Summary: CVE-2015-1572 e2fsprogs: potential buffer overflow in closefs() (incomplete CVE-2015-0247 fix)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: esandeen, josef, kzak, mmilgram, oliver, sct, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-10 20:56:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1193947    
Bug Blocks: 1187035, 1193946    

Description Vasyl Kaigorodov 2015-02-18 15:36:40 UTC 
From the upstream commit [1]:
"""
The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if s_first_meta_bg is too big" had a typo in the fix for ext2fs_closefs(). In practice most of the security exposure was from the openfs path, since this meant if there was a carefully crafted file system, buffer overrun would be triggered when the file system was opened. However, if corrupted file system didn't trip over some corruption check, and then the file system was modified via tune2fs or debugfs, such that the superblock was marked dirty and then written out via the closefs() path, it's possible that the buffer overrun could be triggered when the file system is closed. 
"""

[1]: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73
Comment 1 Vasyl Kaigorodov 2015-02-18 15:37:39 UTC 
Created e2fsprogs tracking bugs for this issue:

Affects: fedora-all [bug 1193947]
Comment 2 Tomas Hoger 2015-02-19 07:56:32 UTC 
(In reply to Vasyl Kaigorodov from comment #0)
> The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
> s_first_meta_bg is too big" had a typo in the fix for ext2fs_closefs().

That commit is the fix for CVE-2015-0247 (see bug 1187032), so CVE-2015-1572 really is an incomplete / incorrect CVE-2015-0247 fix id.  The original issue has not yet been fixed in Red Hat Enterprise Linux.  Fixes for it are available in Fedora.

Compared to the original issue, this flaw requires few additional conditions that must be met to be exploited - see upstream commit comment (quoted in comment 0 above) for details.

There is no new upstream release yet.  Version 1.42.13 is probably going to be next, which should include the fix for this issue.
Comment 3 Fedora Update System 2015-03-04 10:23:05 UTC 
e2fsprogs-1.42.12-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-03-04 10:34:31 UTC 
e2fsprogs-1.42.12-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Vincent Danen 2016-06-10 20:56:09 UTC 
Statement:

This issue affects e2fsprogs packages as shipped with Red Hat Enterprise Linux 6 and 7. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects e4fsprogs packages as shipped with Red Hat Enterprise Linux 5. The issue is not planned to be addressed in Red Hat Enterprise Linux 5.

This issue did not affect e2fsprogs packages as shipped with Red Hat Enterprise Linux 5.