Bug 2069726 (CVE-2022-1304)
|Summary:||CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem|
|Product:||[Other] Security Response||Reporter:||Borja Tarraso <btarraso>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||ajak, bdettelb, bxue, esandeen, jburrell, josef, jwong, kasal, kaycoth, kzak, lczerner, oliver, sct, vkumar|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
An out-of-bounds read/write vulnerability was found in e2fsprogs. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
|Last Closed:||2022-12-06 15:03:42 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||2069727, 2073546, 2073547, 2073548, 2073549|
|Bug Blocks:||2069728, 2074172|
Description Borja Tarraso 2022-03-29 14:52:39 UTC
An out-of-bounds read/write vulnerability was found in e2fsprogs which can lead to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem. The issue occurs in ext2fs_extent_delete() in lib/ext2fs/extent.c when path->left is equal to -1, resulting in a call to memmove() with invalid arguments. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
Comment 1 Borja Tarraso 2022-03-29 14:52:59 UTC
Created e2fsprogs tracking bugs for this issue: Affects: fedora-all [bug 2069727]
Comment 2 Lukáš Czerner 2022-03-30 08:26:57 UTC
(In reply to Borja Tarraso from comment #0) > A vulnerability was found in e2fsck. During the processing of the attached > disk image via e2fsck -p -f /testcase an out-of-bounds write is triggered > and causes a segmentation fault (SIGSEGV). Hello, thanks for the report, however there are couple of things missing. I don't see a Fedora version for which this bug is supposed to be and I don't see the version of e2fsprogs which this problem applies to. Also there is no disk image attached. Please provide the missing information and the mentioned disk image. > > This bug allows an attacker to perform a denial of service and possibly > opens up other attack vectors. how does it allow to perform a DoS? What other attack vectors does it open? Thanks! -Lukas
Comment 3 Guilherme de Almeida Suckevicz 2022-04-01 20:28:54 UTC
In reply to comment #2: > Hello, > > thanks for the report, however there are couple of things missing. I don't > see a Fedora version for which this bug is supposed to be and I don't see > the version of e2fsprogs which this problem applies to. Also there is no > disk image attached. Please provide the missing information and the > mentioned disk image. Hi Lukas, You can find the original bug report with more information here: https://bugzilla.redhat.com/show_bug.cgi?id=2068113 > how does it allow to perform a DoS? What other attack vectors does it open? We are still investigating this issue and that's not clear yet. Thanks.
Comment 5 Lukáš Czerner 2022-04-11 08:32:57 UTC
Indeed this is a bug and should be fixed. But as always when fuzzer images pop up, I don't consider it a security issue as it requires a physical access and an elaborate, non standard and not very smart setup to automatically run fsck on inserted USB.
Comment 6 juneau 2022-04-11 14:16:39 UTC
Marking services-* and OSD affected/low/delegated for presence of affected code. Couple items of note:  Exploitation is highly unlikely.  "Unfortunately, we were not able to reproduce the issue on RHEL UBI since it appears that `e2fsprogs` is not part of the standard repository." Yet another argument for Red Hat to stop using non-UBI images in our managed services… --- services-ansible-automation-hub/automation-hub/automation-hub-ansible-test:latest/e2fsprogs-1.44.1-1ubuntu1.3 https://quay.io/cloudservices/automation-hub-ansible-test:latest services-managed-kafka/cos-fleet-manager/cos-fleet-catalog-camel:latest/e2fsprogs-1.44.5-1+deb10u3 https://quay.io/rhoas/cos-fleet-catalog-camel:latest services-managed-kafka/strimzi/prometheus-kafka-consumer-group-exporter:latest/e2fsprogs-1.44.5-1+deb10u3 https://quay.io/app-sre/prometheus-kafka-consumer-group-exporter:latest services-openshift-cluster-manager/ocm/golangci-lint:latest/e2fsprogs-1.46.2-2 https://quay.io/app-sre/golangci-lint:latest services-openshift-cluster-manager/ocm/selenium-standalone-chrome-debug:latest/e2fsprogs-1.45.5-2ubuntu1 https://quay.io/app-sre/selenium-standalone-chrome-debug:latest services-openshift-cluster-manager/ocm/selenium-standalone-firefox-debug:latest/e2fsprogs-1.45.5-2ubuntu1 https://quay.io/app-sre/selenium-standalone-firefox-debug:latest
Comment 8 Guilherme de Almeida Suckevicz 2022-04-11 17:59:45 UTC
In reply to comment #5: > Indeed this is a bug and should be fixed. But as always when fuzzer images > pop up, I don't consider it a security issue as it requires a physical > access and an elaborate, non standard and not very smart setup to > automatically run fsck on inserted USB. Hi Lukas, thank you for your input on this. Although that is an attack scenario, that is not the only one. An attacker can corrupt a filesystem or prepare, distribute and force an user to run e2fsck on a crafted filesystem image. Given the conditions to trigger this vulnerability, it has at most a moderate severity. Thanks.
Comment 9 errata-xmlrpc 2022-11-08 10:17:08 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7720 https://access.redhat.com/errata/RHSA-2022:7720
Comment 10 errata-xmlrpc 2022-11-15 11:02:29 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8361 https://access.redhat.com/errata/RHSA-2022:8361
Comment 11 Product Security DevOps Team 2022-12-06 15:03:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1304