--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-12406
2015-07-31 05:36:40
--------------------------------------------------------------------------------

Name        : xfsprogs
Product     : Fedora 21
Version     : 3.2.2
Release     : 2.fc21
URL         : Summary     : Utilities for managing the XFS filesystem
Description :
A set of commands to use the XFS filesystem, including mkfs.xfs.

XFS is a high performance journaling filesystem which originated
on the SGI IRIX platform.  It is completely multi-threaded, can
support large files and large filesystems, extended attributes,
variable block sizes, is extent based, and makes extensive use of
Btrees (directories, extents, free space) to aid both performance
and scalability.

Refer to the documentation at for complete details.  This implementation is on-disk compatible
with the IRIX version of XFS.

--------------------------------------------------------------------------------
Update Information:

Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of tools for the XFS filesystem, did not properly obfuscate data.  xfs_metadump properly obfuscates active metadata, but the rest of the space within that fs block comes through in the clear.  This could lead to exposure of stale disk data via the produced metadump image.

The expectation of xfs_metadump is to obfuscate all but the shortest names in the metadata, as noted in the manpage:

By  default,  xfs_metadump  obfuscates  most  file (regular file, directory and symbolic link) names and extended  attribute  names to  allow  the  dumps  to be sent without revealing confidential information. Extended attribute values are zeroed and no data  is copied.  The only exceptions are file or attribute names that are 4 or less characters in length. Also file names that span extents (this can only occur with the mkfs.xfs(8) options where -n size > -b size) are not obfuscated.  Names between 5 and 8 characters  in length inclusively are partially obfuscated.

While the xfs_metadump tool can be run by unprivileged users, it requires appropriate permissions to access block devices (such as root) where the sensitive data might be dumped.  An unprivileged user, without access to the block device, could not use this flaw to obtain sensitive data they would not otherwise have permission to access.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 30 2015 Eric Sandeen  3.2.2-2
- Fix CVE-2012-2150
* Thu Dec  4 2014 Eric Sandeen  3.2.2-1
- New upstream release
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #817696 - CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
        https://bugzilla.redhat.com/show_bug.cgi?id=817696
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update xfsprogs' at the command line.
For more information, refer to "Managing Software with yum",
available at .

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Fedora 21: xfsprogs Security Update

August 19, 2015
Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of tools for the XFS filesystem, did not properly obfuscate data

Summary

A set of commands to use the XFS filesystem, including mkfs.xfs.

XFS is a high performance journaling filesystem which originated

on the SGI IRIX platform. It is completely multi-threaded, can

support large files and large filesystems, extended attributes,

variable block sizes, is extent based, and makes extensive use of

Btrees (directories, extents, free space) to aid both performance

and scalability.

Refer to the documentation at for complete details. This implementation is on-disk compatible

with the IRIX version of XFS.

Update Information:

Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of tools for the XFS filesystem, did not properly obfuscate data. xfs_metadump properly obfuscates active metadata, but the rest of the space within that fs block comes through in the clear. This could lead to exposure of stale disk data via the produced metadump image.

The expectation of xfs_metadump is to obfuscate all but the shortest names in the metadata, as noted in the manpage:

By default, xfs_metadump obfuscates most file (regular file, directory and symbolic link) names and extended attribute names to allow the dumps to be sent without revealing confidential information. Extended attribute values are zeroed and no data is copied. The only exceptions are file or attribute names that are 4 or less characters in length. Also file names that span extents (this can only occur with the mkfs.xfs(8) options where -n size > -b size) are not obfuscated. Names between 5 and 8 characters in length inclusively are partially obfuscated.

While the xfs_metadump tool can be run by unprivileged users, it requires appropriate permissions to access block devices (such as root) where the sensitive data might be dumped. An unprivileged user, without access to the block device, could not use this flaw to obtain sensitive data they would not otherwise have permission to access.

Change Log

* Thu Jul 30 2015 Eric Sandeen 3.2.2-2 - Fix CVE-2012-2150 * Thu Dec 4 2014 Eric Sandeen 3.2.2-1 - New upstream release

References

[ 1 ] Bug #817696 - CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw https://bugzilla.redhat.com/show_bug.cgi?id=817696

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update xfsprogs' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
Name : xfsprogs
Product : Fedora 21
Version : 3.2.2
Release : 2.fc21
URL : Summary : Utilities for managing the XFS filesystem