Fedora 31: e2fsprogs FEDORA-2020-a724cc7926

    Date 20 Jan 2020
    261
    Posted By LinuxSecurity Advisories
    Fixes ----- A maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck. (Addresses CVE-2019-5094) E2fsck now checks to make sure the casefold flag is only set on directories, and only when the casefold feature is enabled. E2fsck will not disable the low dtime checks when using a backup superblock where the last mount time is zero. This fixes a
    --------------------------------------------------------------------------------
    Fedora Update Notification
    FEDORA-2020-a724cc7926
    2020-01-21 01:37:55.769294
    --------------------------------------------------------------------------------
    
    Name        : e2fsprogs
    Product     : Fedora 31
    Version     : 1.45.5
    Release     : 1.fc31
    URL         : https://e2fsprogs.sourceforge.net/
    Summary     : Utilities for managing ext2, ext3, and ext4 file systems
    Description :
    The e2fsprogs package contains a number of utilities for creating,
    checking, modifying, and correcting any inconsistencies in second,
    third and fourth extended (ext2/ext3/ext4) file systems. E2fsprogs
    contains e2fsck (used to repair file system inconsistencies after an
    unclean shutdown), mke2fs (used to initialize a partition to contain
    an empty ext2 file system), debugfs (used to examine the internal
    structure of a file system, to manually repair a corrupted
    file system, or to create test cases for e2fsck), tune2fs (used to
    modify file system parameters), and most of the other core ext2fs
    file system utilities.
    
    You should install the e2fsprogs package if you need to manage the
    performance of an ext2, ext3, or ext4 file system.
    
    --------------------------------------------------------------------------------
    Update Information:
    
    Fixes -----  A maliciously corrupted file systems can trigger buffer overruns in
    the quota code used by e2fsck.  (Addresses CVE-2019-5094)  E2fsck now checks to
    make sure the casefold flag is only set on directories, and only when the
    casefold feature is enabled.  E2fsck will not disable the low dtime checks when
    using a backup superblock where the last mount time is zero.  This fixes a
    failure in xfstests ext4/007.  Fix e2fsck so that when it needs to recreate the
    root directory, the quota counts are correctly updated.  Fix e2scrub_all cron
    script so it checks to make sure e2scrub_all exists, since the crontab and cron
    script might stick around after the e2fsprogs package is removed.  (Addresses
    Debian Bug: #932622)  Fix e2scrub_all so that it works when the free space is
    exactly the snapshot size.  (Addresses Debian Bug: #935009)  Avoid spurious lvm
    warnings when e2scrub_all is run out of cron on non-systemd systems (Addresses
    Debian Bug: #940240)  Update the man pages to document the new fsverity feature,
    and improve the documentation for the casefold and encrypt features.  E2fsck
    will no longer force a full file system check if time-based forced checks are
    disabled and the last mount time or last write time in the superblock are in the
    future.  Fix a potential out of bounds write when checking a maliciously
    corrupted file system.  This is probably not exploitable on 64-bit platforms,
    but may be exploitable on 32-bit binaries depending on how the compiler lays out
    the stack variables.  (Addresses CVE-2019-5188)  Fixed spurious weekly e-mails
    when e2scrub_all is run via a cron job on non-systemd systems.  (Addresses
    Debian Bug: #944033)  Remove an unnecessary sleep in e2scrub which could add up
    to an additional two second delay during the boot up.  Also, avoid trying to
    reap aborted snapshots if it has been disabled via e2scrub.conf. (Addresses
    Debian Bug: #948193)  If a mischievous system administrator mounts a pseudo-file
    system such as tmpfs with a device name that duplicates another mounted file
    system, this could potentially confuse resize2fs when it needs to find the mount
    point of a mounted file system.  (Who would have guessed?)  Add some sanity
    checking so that we can make libext2fs more robust against such insanity, at
    least on Linux.  (GNU HURD doesn't support st_rdev.)  Tune2fs now prohibits
    enabling or disabling uninit_bg if the file system is mounted, since this could
    result in the file system getting corrupted, and there is an unfortunate
    AskUbuntu article suggesting this as a way to modify a file system's UUID on a
    live file system.  (Ext4 now has a way to do this safely, using the
    metadata_csum_seed feature, which was added in the 4.4 Linux kernel.)  Fix
    potential crash in e2fsck when rebuilding very large directories on file systems
    which have the new large_dir feature enable.  Fix support of 32-bit uid's and
    gid's in fuse2fs and in mke2fs -d.  Fix mke2fs's setting bad blocks to bigalloc
    file systems.  Fix a bug where fuse2fs would incorrectly report the i_blocks
    fields for bigalloc file systems.  Resize2fs's minimum size estimates (via
    resize2fs -M) estimates are now more accurate when run on mounted file systems.
    Fixed potential memory leak in read_bitmap() in libext2fs.  Fixed various UBsan
    failures found when fuzzing file system images. (Addresses Google Bug:
    #128130353)  Updated and clarified various man pages.  Performance, Internal
    Implementation, Development Support etc.
    --------------------------------------------------------------  Fixed various
    debian packaging issues.  (Addresses Debian Bug: #933247, #932874, #932876,
    #932855, #932859, #932861, #932881, #932888)  Fix false positive test failure in
    f_pre_1970_date_encoding on 32-bit systems with a 64-bit time_t.  (Addresses
    Debian Bug: #932906)  Fixed various compiler warnings.  (Addresses Google Bug
    #118836063)  Update the Czech, Dutch, French, German, Malay, Polish, Portuguese,
    Spanish, Swedish, Ukrainian, and Vietnamese translations from the Translation
    Project.  Speed up e2fsck on file systems with a very large number of inodes
    caused by repeated calls to gettext().  The inode_io io_manager can now support
    files which are greater than 2GB.  The ext2_off_t and ext2_off64_t are now
    signed types so that ext2fs_file_lseek() and ext2fs_file_llseek() can work
    correctly.  Reserve codepoint for the fast_commit feature.  Fixed various Debian
    packaging issues.  Fix portability problems for Illumous and on hurd/i386
    (Addresses Debian Bug: #944649)  Always compile the ext2fs_swap_* functions even
    on little-endian architectures, so that debian/libext2fs.symbols can be
    consistent across architectures.  Synchronized changes from Android's AOSP
    e2fsprogs tree.  Updated config.guess and config.sub with newer versions from
    the FSF.  Update the Chinese and Malay translations from the translation
    project.
    --------------------------------------------------------------------------------
    ChangeLog:
    
    * Wed Jan  8 2020 Lukas Czerner  - 1.45.5-1
    - New upstream release
    * Thu Oct  3 2019 Lukas Czerner  - 1.45.4-1
    - New upstream release
    --------------------------------------------------------------------------------
    References:
    
      [ 1 ] Bug #1768556 - CVE-2019-5094 e2fsprogs: crafted ext4 partition leads to out-of-bounds write [fedora-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1768556
      [ 2 ] Bug #1790049 - CVE-2019-5188 e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c [fedora-all]
            https://bugzilla.redhat.com/show_bug.cgi?id=1790049
    --------------------------------------------------------------------------------
    
    This update can be installed with the "dnf" update program. Use
    su -c 'dnf upgrade --advisory FEDORA-2020-a724cc7926' at the command
    line. For more information, refer to the dnf documentation available at
    https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
    
    All packages are signed with the Fedora Project GPG key. More details on the
    GPG keys used by the Fedora Project can be found at
    https://fedoraproject.org/keys
    --------------------------------------------------------------------------------
    _______________________________________________
    package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it.
    To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it.
    Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it.
    

    LinuxSecurity Poll

    If you are using full-disk encryption: are you concerned about the resulting performance hit?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /main-polls/34-if-you-are-using-full-disk-encryption-are-you-concerned-about-the-resulting-performance-hit?task=poll.vote&format=json
    34
    radio
    [{"id":"120","title":"Yes","votes":"13","type":"x","order":"1","pct":61.9,"resources":[]},{"id":"121","title":"No ","votes":"8","type":"x","order":"2","pct":38.1,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.