A security issue in xfsprogs has been announced: http://openwall.com/lists/oss-security/2015/07/23/12 Apparently upstream is planning to fix it some time soon. Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
xfsprogs 3.2.4 has been released, fixing this issue: http://openwall.com/lists/oss-security/2015/07/30/3 http://oss.sgi.com/pipermail/xfs/2015-July/042726.html
Fedora has issued an advisory for this on July 31: https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163690.html
URL: (none) => http://lwn.net/Vulnerabilities/654288/
xfsprogs-3.2.4-1.mga6 uploaded for Cauldron.
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Ping. If we're going to release this for Mageia 4, we should get it to QA soon.
I'll have a look at this. Fedora seems to use this patch for 3.2.2: http://pkgs.fedoraproject.org/cgit/xfsprogs.git/tree/xfsprogs-xfs_metadump-CVE-2012-2150.patch?h=f21 Hopefully it can be used with 3.2.1 too in Mageia 5. Mageia 4 has 3.1.11, I'll see what it looks like.
Assignee: tmb => rverschelde
For reference, Thomas had already updated the mga5 branch to 3.2.4 in SVN, but it fails to build due to the presence of libuuid.la (but the absence of libuuid.a). We could nuke the former in bug 16641.
It looks like Debian does not hurry to fix it in stable [1], so I would suggest pushing an update for Mageia 5 and ignoring Mageia 4 (since the EOL is in two weeks and Fedora's patch does not apply at all on 3.1.11). [1] https://security-tracker.debian.org/tracker/CVE-2012-2150
CC: (none) => tmb
We can call this WONTFIX for Mageia 4 then, that's fine.
Dropping the MGA4TOO as discussed above (WONTFIX for Mageia 4, unless someone else wants to work on it before the EOL).
Hardware: i586 => All
Whiteboard: MGA4TOO => (none)
Advisory:
========================

Updated xfsprogs packages fix security vulnerability:

xfs_metadump in xfsprogs before 3.2.4 does not properly obfuscate file data, which allows remote attackers to obtain sensitive information by reading a generated image (CVE-2012-2150).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150
http://oss.sgi.com/pipermail/xfs/2015-July/042726.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163690.html
========================

Updated packages in core/updates_testing:
========================
xfsprogs-3.2.4-1.mga5
libxfs1-3.2.4-1.mga5
libxfs-devel-3.2.4-1.mga5
libxfs-static-devel-3.2.4-1.mga5

from xfsprogs-3.2.4-1.mga5.src.rpm
CC: (none) => rverschelde
Assignee: rverschelde => qa-bugs
Created attachment 7003: xfsprogs test script
CC: (none) => yann.cantin
As I haven't found a test procedure, I've adapted Fedora's squashfs testcase (see attachment).

What it does:
- create a simple directory structure with files
- create an xfs image file
- loop mount
- copy the files
- diff to check integrity

It can easily be adapted to other filesystems.

==========
mga5 x86_64

Installed packages:
lib64xfs1-3.2.4-1.mga5
xfsprogs-3.2.4-1.mga5
libxfs1-3.2.4-1.mga5

Run the xfsprogs test script: No error.

Update OK.
Whiteboard: (none) => MGA5-64-OK
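The round-trip procedure described in the comment above, as an added example; this is not the script from attachment 7003, and the function names, the image size and the remount step are assumptions. It exercises mkfs.xfs and basic file integrity after the update, and the full run needs root for the loop mount.

```shell
#!/bin/sh
# Added example: XFS round-trip smoke test (not the script from attachment 7003).
# The full run needs root plus mkfs.xfs, mount and umount. Names and sizes are assumptions.
set -eu

# Build a small source tree: text file, binary file, empty file, empty directory.
make_tree() {
    mkdir -p "$1/a/b/c" "$1/empty_dir"
    printf 'hello xfs\n' > "$1/a/hello.txt"
    head -c 65536 /dev/urandom > "$1/a/b/random.bin"
    : > "$1/a/b/c/empty"
}

# Compare two trees recursively; print "OK" if identical, return non-zero otherwise.
verify_copy() {
    diff -r "$1" "$2" >/dev/null && echo OK
}

# Create an XFS image, loop mount it, copy the tree in and check it reads back intact.
xfs_roundtrip() {
    work=$(mktemp -d)
    # Always unmount and clean up, even when a step fails.
    trap 'umount "$work/mnt" 2>/dev/null || true; rm -rf "$work"' EXIT
    make_tree "$work/src"
    mkdir "$work/mnt"
    truncate -s 512M "$work/xfs.img"      # sparse file, uses little real disk space
    mkfs.xfs -q "$work/xfs.img"
    mount -o loop "$work/xfs.img" "$work/mnt"
    cp -a "$work/src/." "$work/mnt/"
    sync
    # Remount so the comparison reads from the image, not from the page cache.
    umount "$work/mnt"
    mount -o loop "$work/xfs.img" "$work/mnt"
    verify_copy "$work/src" "$work/mnt"
}

# Run the full test only when asked, so the helpers can be used on their own.
if [ "${1:-}" = "--run" ]; then
    xfs_roundtrip
fi
```

Run it as root with `--run`; a non-zero exit status or missing `OK` means the copied tree differs from the source.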
Well done Yann. Validating. Advisory uploaded. Please push to 5 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0361.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED