Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
Juan Gallego wrote:
> is sarge affected by this vulnerability? or has sarge been archived and i
> missed the announcement?

The main attack vector - pygrub/xen - doesn't exist in Sarge. The other
attacks are more or less theoretical and hardly justify modifications to
an important core package like this.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
Hi Steve,
* Steve Kemp [EMAIL PROTECTED] [2007-12-07 20:26]:
> On Fri Dec 07, 2007 at 18:41:35 +0100, Nico Golde wrote:
> > What about those, are they unimportant? They are still present in the
> > etch code. I stumbled upon them while preparing a testing-security
> > upload.
>
> Unknown. I used the patch provided by Theodore Tso, which he is/was
> planning on using for Sid/Ubuntu.
>
> If there are missing bits then we'll need to reissue the update, but
> right now I believed the patch was as complete as it needed to be.
[...]

I asked Ted about this, I just quote what he wrote:

    I don't consider that to be a high priority issue, since it's not
    likely that an attacker would be able to trick an administrator to
    run resize2fs on some random filesystem image while running as root.

So decide on your own if this warrants an update of the DSA, he will
include this in 1.40.4.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
Hi Steve,
* Steve Kemp [EMAIL PROTECTED] [2007-12-07 20:26]:
> On Fri Dec 07, 2007 at 18:41:35 +0100, Nico Golde wrote:
> > What about those, are they unimportant? They are still present in the
> > etch code. I stumbled upon them while preparing a testing-security
> > upload.
>
> Unknown. I used the patch provided by Theodore Tso, which he is/was
> planning on using for Sid/Ubuntu.

Oh ok.

> If there are missing bits then we'll need to reissue the update, but
> right now I believed the patch was as complete as it needed to be.

Ok, I am waiting for his reply, I attached my patch to the bug report in
unstable. From what I see every multiplication with fs->blocksize needs
to be checked, all of these are coming from the file system. Let's see
what he does :)

http://people.debian.org/~nion/nmu-diff/e2fsprogs-1.40.2-1_1.40.2-1+lenny1.patch
YFYI this is the patch I used for testing-security.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
On 2007-12-07 13:21-, Steve Kemp [EMAIL PROTECTED] wrote:
| For the stable distribution (etch), this problem has been fixed in version
| 1.39+1.40-WIP-2006.11.14+dfsg-2etch1.
|
| For the unstable distribution (sid), this problem will be fixed shortly.

hi Steve and others,

is sarge affected by this vulnerability? or has sarge been archived and i
missed the announcement?

tia,
--
juan
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
On Fri Dec 07, 2007 at 09:46:21 -0500, Juan Gallego wrote:
> | For the stable distribution (etch), this problem has been fixed in version
> | 1.39+1.40-WIP-2006.11.14+dfsg-2etch1.
> |
> | For the unstable distribution (sid), this problem will be fixed shortly.
>
> is sarge affected by this vulnerability? or has sarge been archived and i
> missed the announcement?

Sarge is affected, but I don't yet have a working patch for that.

There should be an update shortly, but this is pretty low-risk and it
seemed sensible to release now, rather than waiting.

Steve
--
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
Hi,
* Nico Golde [EMAIL PROTECTED] [2007-12-07 18:32]:
[...]
> > Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, ext2
> > file system utilities and libraries, contained multiple integer
> > overflows in memory allocations, based on sizes taken directly from
> > filesystem information. These could result in heap-based overflows
> > potentially allowing the execution of arbitrary code.
> >
> > For the stable distribution (etch), this problem has been fixed in
> > version 1.39+1.40-WIP-2006.11.14+dfsg-2etch1.
> [...]
>
> e2fsck/swapfs.c:retval = ext2fs_get_mem(fs->blocksize * fs->inode_blocks_per_group,
> resize/resize2fs.c: retval = ext2fs_get_mem(fs->blocksize * fs->inode_blocks_per_group,
> resize/resize2fs.c: retval = ext2fs_get_mem(fs->blocksize *
> resize/resize2fs.c: retval = ext2fs_get_mem(rfs->old_fs->blocksize * 3, block_buf);
> resize/extent.c:retval = ext2fs_get_mem(sizeof(struct ext2_extent_entry) *
>
> What about those, are they unimportant? They are still present in the
> etch code. I stumbled upon them while preparing a testing-security
> upload.

Sorry, this mail was originally only addressed to Steve but since I also
got this mail through the debian-security list it ended up here now :)

Anyway, I looked again into these and from my point of view the released
DSA is incomplete, I fixed those for testing-security by using
get_mem_array as well.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
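
The unchecked size multiplication at the call sites listed in the message above, next to an array-style allocation that checks the product first. This is an added example, not code from the thread or from e2fsprogs: `unchecked_size` and `checked_get_array` are hypothetical names, the field values are constructed, and sizes are modelled as 32-bit.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count the unchecked call sites compute. Modelled with 32-bit
 * arithmetic (assumption: 32-bit unsigned long, as on i386) so the
 * wrap-around is reproducible on any host. */
uint32_t unchecked_size(uint32_t blocksize, uint32_t inode_blocks_per_group)
{
    return (uint32_t)(blocksize * inode_blocks_per_group);
}

/* Hypothetical array allocator: rejects any count * size that does not fit
 * in 32 bits instead of allocating the wrapped, too-small amount. */
int checked_get_array(uint32_t count, uint32_t size, void **ptr)
{
    *ptr = NULL;
    if (count == 0 || size == 0)
        return EINVAL;
    if (count > UINT32_MAX / size)
        return EOVERFLOW;
    *ptr = malloc((size_t)count * size);
    return *ptr ? 0 : ENOMEM;
}

int main(void)
{
    /* Constructed values standing in for fields read from an untrusted image. */
    uint32_t blocksize = 65536, inode_blocks_per_group = 65537;
    void *buf;

    printf("needed   : %llu bytes\n",
           (unsigned long long)blocksize * inode_blocks_per_group);
    printf("unchecked: %u bytes requested\n",
           (unsigned)unchecked_size(blocksize, inode_blocks_per_group));

    int rc = checked_get_array(inode_blocks_per_group, blocksize, &buf);
    printf("checked  : %s\n",
           rc == EOVERFLOW ? "rejected (EOVERFLOW)" : "allocated");
    free(buf);
    return 0;
}
```

With these values the unchecked product wraps to 65536 bytes while the caller goes on to treat the buffer as 65537 blocks, which is the heap overflow condition the advisory describes.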
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
On Fri Dec 07, 2007 at 18:41:35 +0100, Nico Golde wrote:
> What about those, are they unimportant? They are still present in the
> etch code. I stumbled upon them while preparing a testing-security
> upload.

Unknown. I used the patch provided by Theodore Tso, which he is/was
planning on using for Sid/Ubuntu.

If there are missing bits then we'll need to reissue the update, but
right now I believed the patch was as complete as it needed to be.

> Sorry, this mail was originally only addressed to Steve but since I also
> got this mail through the debian-security list it ended up here now :)

Fair enough.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution
Hi Steve,
* Steve Kemp [EMAIL PROTECTED] [2007-12-07 14:32]:
> Debian Security Advisory DSA-1422[EMAIL PROTECTED]
> http://www.debian.org/security/                               Steve Kemp
> December 07, 2007                     http://www.debian.org/security/faq
>
> Package        : e2fsprogs
> Vulnerability  : integer overflows
> Problem type   : local
> Debian-specific: no
> CVE Id(s)      : CVE-2007-5497
>
> Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, ext2
> file system utilities and libraries, contained multiple integer
> overflows in memory allocations, based on sizes taken directly from
> filesystem information. These could result in heap-based overflows
> potentially allowing the execution of arbitrary code.
>
> For the stable distribution (etch), this problem has been fixed in
> version 1.39+1.40-WIP-2006.11.14+dfsg-2etch1.
[...]

e2fsck/swapfs.c:retval = ext2fs_get_mem(fs->blocksize * fs->inode_blocks_per_group,
resize/resize2fs.c: retval = ext2fs_get_mem(fs->blocksize * fs->inode_blocks_per_group,
resize/resize2fs.c: retval = ext2fs_get_mem(fs->blocksize *
resize/resize2fs.c: retval = ext2fs_get_mem(rfs->old_fs->blocksize * 3, block_buf);
resize/extent.c:retval = ext2fs_get_mem(sizeof(struct ext2_extent_entry) *

What about those, are they unimportant? They are still present in the
etch code. I stumbled upon them while preparing a testing-security
upload.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.