Fedora has issued an advisory on September 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3SZ4HMQKNI35NBWJI6XMJBGWPEKZRR72/

The issue is fixed upstream in 1.14.0.

Mageia 7 is also affected.
Done for both Cauldron and mga7!
Advisory:
========================

Updated f2fs-tools packages fix security vulnerability:

An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerability (CVE-2020-6070).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6070
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3SZ4HMQKNI35NBWJI6XMJBGWPEKZRR72/
========================

Updated packages in core/updates_testing:
========================
f2fs-tools-1.14.0-1.mga7
libf2fs8-1.14.0-1.mga7
libf2fs_format7-1.14.0-1.mga7
libf2fs-devel-1.14.0-1.mga7

from f2fs-tools-1.14.0-1.mga7.src.rpm

CC: (none) => geiger.david68210
Version: Cauldron => 7
Assignee: geiger.david68210 => qa-bugs
MGA7-64 MATE on Peaq C1011
No installation issues

Did some reading on NAND and NOR flash memory and concluded that USB sticks are probably all NAND types. So inserted one and went on

umount /run/media/tester7/56bb5c6c-4844-4a99-b42b-11f0127e9835

This notebook has no rust drive, so the USB is sda, that's not a typo.

# mkfs.f2fs /dev/sda
F2FS-tools: mkfs.f2fs Ver: 1.14.0 (2020-08-24)
Info: Disable heap-based policy
Info: Debug level = 0
Info: Trim is enabled
/dev/sda appears to contain an existing filesystem (xfs).
Use the -f option to force overwrite.

[root@mach6 ~]# mkfs.f2fs -f /dev/sda
F2FS-tools: mkfs.f2fs Ver: 1.14.0 (2020-08-24)
Info: Disable heap-based policy
Info: Debug level = 0
Info: Trim is enabled
Info: [/dev/sda] Disk Model: USB Flash Drive
Info: Segments per section = 1
Info: Sections per zone = 1
Info: sector size = 512
Info: total sectors = 31258624 (15263 MB)
Info: zone aligned segment0 blkaddr: 512
Info: format version with "Linux version 5.7.19-desktop-3.mga7 (iurt@ec2x1.mageia.org) (gcc version 8.4.0 (Mageia 8.4.0-1.mga7), GNU ld (GNU Binutils) 2.33.1) #1 SMP Sun Oct 18 15:46:00 UTC 2020"
Info: [/dev/sda] Discarding device
Info: This device doesn't support BLKSECDISCARD
Info: This device doesn't support BLKDISCARD
Info: Overprovision ratio = 1.630%
Info: Overprovision segments = 251 (GC reserved = 130)
Info: format successful

# ls -als /run/media/tester7/c3418608-78b3-48b4-967f-767a4d9ed359/
total 4
4 drwxr-xr-x 2 root root 4096 Nov 23 10:58 ./
0 drwxr-x---+ 3 root root 60 Nov 23 10:59 ../

# chmod 777 /run/media/tester7/c3418608-78b3-48b4-967f-767a4d9ed359/

So using caja, I wrote a text file on the stick, safely removed it, plugged it in my desktop PC, and accessed the device and read the file.

Then reverted to the original status on the notebook.
# umount /run/media/tester7/c3418608-78b3-48b4-967f-767a4d9ed359
# mkfs.vfat /dev/sda
mkfs.fat 4.1 (2017-01-24)
# fsck.vfat /dev/sda
fsck.fat 4.1 (2017-01-24)
/dev/sda: 0 files, 1/1951754 clusters

Wrote again a text file on it and checked on the desktop PC, All OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0436.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED