Bug 817696 (CVE-2012-2150)

Summary: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bressers, carnil, esandeen, jrusnack, scorneli, security-response-team
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xfsprogs 3.2.4 Doc Type: Bug Fix
Doc Text:
It was discovered that the xfs_metadump tool of the xfsprogs suite did not fully adhere to the standards of obfuscation described in its man page. In case a user with the necessary privileges used xfs_metadump and relied on the advertised obfuscation, the generated data could contain unexpected traces of potentially sensitive information.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-20 14:59:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1251118    
Bug Blocks: 817699, 1210268    

Description Vincent Danen 2012-04-30 22:55:45 UTC 
Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of tools for the XFS filesystem, did not properly obfuscate data.  xfs_metadump properly obfuscates active metadata, but the rest of the space within that fs block comes through in the clear.  This could lead to exposure of stale disk data via the produced metadump image.

The expectation of xfs_metadump is to obfuscate all but the shortest names in the metadata, as noted in the manpage:

By  default,  xfs_metadump  obfuscates  most  file (regular file, directory and
symbolic link) names and extended  attribute  names to  allow  the  dumps  to
be sent without revealing confidential information. Extended attribute values
are zeroed and no data  is copied.  The only exceptions are file or attribute
names that are 4 or less characters in length. Also file names that span
extents (this can only occur with the mkfs.xfs(8) options where -n size > -b
size) are not obfuscated.  Names between 5 and 8 characters  in length
inclusively are partially obfuscated.

While the xfs_metadump tool can be run by unprivileged users, it requires appropriate permissions to access block devices (such as root) where the sensitive data might be dumped.  An unprivileged user, without access to the block device, could not use this flaw to obtain sensitive data they would not otherwise have permission to access.
Comment 16 Kurt Seifried 2015-07-23 14:39:18 UTC 
Upstream patches will be available at  https://git.kernel.org/cgit/fs/xfs/xfsprogs-dev.git/
Comment 17 Tomas Hoger 2015-08-04 08:30:22 UTC 
Fixed upstream in xfsprogs v3.2.4:

http://oss.sgi.com/pipermail/xfs/2015-July/042726.html
Comment 18 Stefan Cornelius 2015-08-04 09:43:42 UTC 
This issue is not about local users being able to access restricted data via xfs metadumps. In order to be able to generate such a dump, local users need to have the appropriate access permissions to the block device, so this does not cross any security boundaries in that regard.

This issue is about users generating a metadump image via xfs_metadump and then sharing it with 3rd parties (for example for debugging purposes), relying on the xfs_metadump functionality to obfuscate potentially sensitive details. This obfuscation functionality did not work as advertised in the manpage, thus it may be possible that sensitive information is leaked as part of the metadata dump.

If in doubt, do not share xfs_metadump dumps with untrusted 3rd parties.
Comment 26 Fedora Update System 2015-08-12 07:02:20 UTC 
xfsprogs-3.2.2-2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2015-08-19 08:10:20 UTC 
xfsprogs-3.2.4-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2015-08-19 08:11:22 UTC 
xfsprogs-3.2.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 29 errata-xmlrpc 2015-11-19 13:23:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2151 https://rhn.redhat.com/errata/RHSA-2015-2151.html