Discover Government News

--------------------------------------------------------------------------------Fedora Update Notification
FEDORA-2020-a724cc7926
2020-01-21 01:37:55.769294
--------------------------------------------------------------------------------Name        : e2fsprogs
Product     : Fedora 31
Version     : 1.45.5
Release     : 1.fc31
URL         : https://e2fsprogs.sourceforge.net/
Summary     : Utilities for managing ext2, ext3, and ext4 file systems
Description :
The e2fsprogs package contains a number of utilities for creating,
checking, modifying, and correcting any inconsistencies in second,
third and fourth extended (ext2/ext3/ext4) file systems. E2fsprogs
contains e2fsck (used to repair file system inconsistencies after an
unclean shutdown), mke2fs (used to initialize a partition to contain
an empty ext2 file system), debugfs (used to examine the internal
structure of a file system, to manually repair a corrupted
file system, or to create test cases for e2fsck), tune2fs (used to
modify file system parameters), and most of the other core ext2fs
file system utilities.

You should install the e2fsprogs package if you need to manage the
performance of an ext2, ext3, or ext4 file system.

--------------------------------------------------------------------------------Update Information:

Fixes -----  A maliciously corrupted file systems can trigger buffer overruns in
the quota code used by e2fsck.  (Addresses CVE-2019-5094)  E2fsck now checks to
make sure the casefold flag is only set on directories, and only when the
casefold feature is enabled.  E2fsck will not disable the low dtime checks when
using a backup superblock where the last mount time is zero.  This fixes a
failure in xfstests ext4/007.  Fix e2fsck so that when it needs to recreate the
root directory, the quota counts are correctly updated.  Fix e2scrub_all cron
script so it checks to make sure e2scrub_all exists, since the crontab and cron
script might stick around after the e2fsprogs package is removed.  (Addresses
Debian Bug: #932622)  Fix e2scrub_all so that it works when the free space is
exactly the snapshot size.  (Addresses Debian Bug: #935009)  Avoid spurious lvm
warnings when e2scrub_all is run out of cron on non-systemd systems (Addresses
Debian Bug: #940240)  Update the man pages to document the new fsverity feature,
and improve the documentation for the casefold and encrypt features.  E2fsck
will no longer force a full file system check if time-based forced checks are
disabled and the last mount time or last write time in the superblock are in the
future.  Fix a potential out of bounds write when checking a maliciously
corrupted file system.  This is probably not exploitable on 64-bit platforms,
but may be exploitable on 32-bit binaries depending on how the compiler lays out
the stack variables.  (Addresses CVE-2019-5188)  Fixed spurious weekly e-mails
when e2scrub_all is run via a cron job on non-systemd systems.  (Addresses
Debian Bug: #944033)  Remove an unnecessary sleep in e2scrub which could add up
to an additional two second delay during the boot up.  Also, avoid trying to
reap aborted snapshots if it has been disabled via e2scrub.conf. (Addresses
Debian Bug: #948193)  If a mischievous system administrator mounts a pseudo-file
system such as tmpfs with a device name that duplicates another mounted file
system, this could potentially confuse resize2fs when it needs to find the mount
point of a mounted file system.  (Who would have guessed?)  Add some sanity
checking so that we can make libext2fs more robust against such insanity, at
least on Linux.  (GNU HURD doesn't support st_rdev.)  Tune2fs now prohibits
enabling or disabling uninit_bg if the file system is mounted, since this could
result in the file system getting corrupted, and there is an unfortunate
AskUbuntu article suggesting this as a way to modify a file system's UUID on a
live file system.  (Ext4 now has a way to do this safely, using the
metadata_csum_seed feature, which was added in the 4.4 Linux kernel.)  Fix
potential crash in e2fsck when rebuilding very large directories on file systems
which have the new large_dir feature enable.  Fix support of 32-bit uid's and
gid's in fuse2fs and in mke2fs -d.  Fix mke2fs's setting bad blocks to bigalloc
file systems.  Fix a bug where fuse2fs would incorrectly report the i_blocks
fields for bigalloc file systems.  Resize2fs's minimum size estimates (via
resize2fs -M) estimates are now more accurate when run on mounted file systems.
Fixed potential memory leak in read_bitmap() in libext2fs.  Fixed various UBsan
failures found when fuzzing file system images. (Addresses Google Bug:
#128130353)  Updated and clarified various man pages.  Performance, Internal
Implementation, Development Support etc.
--------------------------------------------------------------  Fixed various
debian packaging issues.  (Addresses Debian Bug: #933247, #932874, #932876,
#932855, #932859, #932861, #932881, #932888)  Fix false positive test failure in
f_pre_1970_date_encoding on 32-bit systems with a 64-bit time_t.  (Addresses
Debian Bug: #932906)  Fixed various compiler warnings.  (Addresses Google Bug
#118836063)  Update the Czech, Dutch, French, German, Malay, Polish, Portuguese,
Spanish, Swedish, Ukrainian, and Vietnamese translations from the Translation
Project.  Speed up e2fsck on file systems with a very large number of inodes
caused by repeated calls to gettext().  The inode_io io_manager can now support
files which are greater than 2GB.  The ext2_off_t and ext2_off64_t are now
signed types so that ext2fs_file_lseek() and ext2fs_file_llseek() can work
correctly.  Reserve codepoint for the fast_commit feature.  Fixed various Debian
packaging issues.  Fix portability problems for Illumous and on hurd/i386
(Addresses Debian Bug: #944649)  Always compile the ext2fs_swap_* functions even
on little-endian architectures, so that debian/libext2fs.symbols can be
consistent across architectures.  Synchronized changes from Android's AOSP
e2fsprogs tree.  Updated config.guess and config.sub with newer versions from
the FSF.  Update the Chinese and Malay translations from the translation
project.
--------------------------------------------------------------------------------ChangeLog:

* Wed Jan  8 2020 Lukas Czerner  - 1.45.5-1
- New upstream release
* Thu Oct  3 2019 Lukas Czerner  - 1.45.4-1
- New upstream release
--------------------------------------------------------------------------------References:

  [ 1 ] Bug #1768556 - CVE-2019-5094 e2fsprogs: crafted ext4 partition leads to out-of-bounds write [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1768556
  [ 2 ] Bug #1790049 - CVE-2019-5188 e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1790049
--------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-a724cc7926' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Fedora 31: e2fsprogs FEDORA-2020-a724cc7926

January 20, 2020
Fixes ----- A maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck

Summary

The e2fsprogs package contains a number of utilities for creating,

checking, modifying, and correcting any inconsistencies in second,

third and fourth extended (ext2/ext3/ext4) file systems. E2fsprogs

contains e2fsck (used to repair file system inconsistencies after an

unclean shutdown), mke2fs (used to initialize a partition to contain

an empty ext2 file system), debugfs (used to examine the internal

structure of a file system, to manually repair a corrupted

file system, or to create test cases for e2fsck), tune2fs (used to

modify file system parameters), and most of the other core ext2fs

file system utilities.

You should install the e2fsprogs package if you need to manage the

performance of an ext2, ext3, or ext4 file system.

Fixes ----- A maliciously corrupted file systems can trigger buffer overruns in

the quota code used by e2fsck. (Addresses CVE-2019-5094) E2fsck now checks to

make sure the casefold flag is only set on directories, and only when the

casefold feature is enabled. E2fsck will not disable the low dtime checks when

using a backup superblock where the last mount time is zero. This fixes a

failure in xfstests ext4/007. Fix e2fsck so that when it needs to recreate the

root directory, the quota counts are correctly updated. Fix e2scrub_all cron

script so it checks to make sure e2scrub_all exists, since the crontab and cron

script might stick around after the e2fsprogs package is removed. (Addresses

Debian Bug: #932622) Fix e2scrub_all so that it works when the free space is

exactly the snapshot size. (Addresses Debian Bug: #935009) Avoid spurious lvm

warnings when e2scrub_all is run out of cron on non-systemd systems (Addresses

Debian Bug: #940240) Update the man pages to document the new fsverity feature,

and improve the documentation for the casefold and encrypt features. E2fsck

will no longer force a full file system check if time-based forced checks are

disabled and the last mount time or last write time in the superblock are in the

future. Fix a potential out of bounds write when checking a maliciously

corrupted file system. This is probably not exploitable on 64-bit platforms,

but may be exploitable on 32-bit binaries depending on how the compiler lays out

the stack variables. (Addresses CVE-2019-5188) Fixed spurious weekly e-mails

when e2scrub_all is run via a cron job on non-systemd systems. (Addresses

Debian Bug: #944033) Remove an unnecessary sleep in e2scrub which could add up

to an additional two second delay during the boot up. Also, avoid trying to

reap aborted snapshots if it has been disabled via e2scrub.conf. (Addresses

Debian Bug: #948193) If a mischievous system administrator mounts a pseudo-file

system such as tmpfs with a device name that duplicates another mounted file

system, this could potentially confuse resize2fs when it needs to find the mount

point of a mounted file system. (Who would have guessed?) Add some sanity

checking so that we can make libext2fs more robust against such insanity, at

least on Linux. (GNU HURD doesn't support st_rdev.) Tune2fs now prohibits

enabling or disabling uninit_bg if the file system is mounted, since this could

result in the file system getting corrupted, and there is an unfortunate

AskUbuntu article suggesting this as a way to modify a file system's UUID on a

live file system. (Ext4 now has a way to do this safely, using the

metadata_csum_seed feature, which was added in the 4.4 Linux kernel.) Fix

potential crash in e2fsck when rebuilding very large directories on file systems

which have the new large_dir feature enable. Fix support of 32-bit uid's and

gid's in fuse2fs and in mke2fs -d. Fix mke2fs's setting bad blocks to bigalloc

file systems. Fix a bug where fuse2fs would incorrectly report the i_blocks

fields for bigalloc file systems. Resize2fs's minimum size estimates (via

resize2fs -M) estimates are now more accurate when run on mounted file systems.

Fixed potential memory leak in read_bitmap() in libext2fs. Fixed various UBsan

failures found when fuzzing file system images. (Addresses Google Bug:

#128130353) Updated and clarified various man pages. Performance, Internal

Implementation, Development Support etc.

debian packaging issues. (Addresses Debian Bug: #933247, #932874, #932876,

#932855, #932859, #932861, #932881, #932888) Fix false positive test failure in

f_pre_1970_date_encoding on 32-bit systems with a 64-bit time_t. (Addresses

Debian Bug: #932906) Fixed various compiler warnings. (Addresses Google Bug

#118836063) Update the Czech, Dutch, French, German, Malay, Polish, Portuguese,

Spanish, Swedish, Ukrainian, and Vietnamese translations from the Translation

Project. Speed up e2fsck on file systems with a very large number of inodes

caused by repeated calls to gettext(). The inode_io io_manager can now support

files which are greater than 2GB. The ext2_off_t and ext2_off64_t are now

signed types so that ext2fs_file_lseek() and ext2fs_file_llseek() can work

correctly. Reserve codepoint for the fast_commit feature. Fixed various Debian

packaging issues. Fix portability problems for Illumous and on hurd/i386

(Addresses Debian Bug: #944649) Always compile the ext2fs_swap_* functions even

on little-endian architectures, so that debian/libext2fs.symbols can be

consistent across architectures. Synchronized changes from Android's AOSP

e2fsprogs tree. Updated config.guess and config.sub with newer versions from

the FSF. Update the Chinese and Malay translations from the translation

project.

* Wed Jan 8 2020 Lukas Czerner - 1.45.5-1

- New upstream release

* Thu Oct 3 2019 Lukas Czerner - 1.45.4-1

- New upstream release

[ 1 ] Bug #1768556 - CVE-2019-5094 e2fsprogs: crafted ext4 partition leads to out-of-bounds write [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1768556

[ 2 ] Bug #1790049 - CVE-2019-5188 e2fsprogs: Out-of-bounds write in e2fsck/rehash.c [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1790049

su -c 'dnf upgrade --advisory FEDORA-2020-a724cc7926' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

FEDORA-2020-a724cc7926 2020-01-21 01:37:55.769294 Product : Fedora 31 Version : 1.45.5 Release : 1.fc31 URL : https://e2fsprogs.sourceforge.net/ Summary : Utilities for managing ext2, ext3, and ext4 file systems Description : The e2fsprogs package contains a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second, third and fourth extended (ext2/ext3/ext4) file systems. E2fsprogs contains e2fsck (used to repair file system inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 file system), debugfs (used to examine the internal structure of a file system, to manually repair a corrupted file system, or to create test cases for e2fsck), tune2fs (used to modify file system parameters), and most of the other core ext2fs file system utilities. You should install the e2fsprogs package if you need to manage the performance of an ext2, ext3, or ext4 file system. Fixes ----- A maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck. (Addresses CVE-2019-5094) E2fsck now checks to make sure the casefold flag is only set on directories, and only when the casefold feature is enabled. E2fsck will not disable the low dtime checks when using a backup superblock where the last mount time is zero. This fixes a failure in xfstests ext4/007. Fix e2fsck so that when it needs to recreate the root directory, the quota counts are correctly updated. Fix e2scrub_all cron script so it checks to make sure e2scrub_all exists, since the crontab and cron script might stick around after the e2fsprogs package is removed. (Addresses Debian Bug: #932622) Fix e2scrub_all so that it works when the free space is exactly the snapshot size. (Addresses Debian Bug: #935009) Avoid spurious lvm warnings when e2scrub_all is run out of cron on non-systemd systems (Addresses Debian Bug: #940240) Update the man pages to document the new fsverity feature, and improve the documentation for the casefold and encrypt features. E2fsck will no longer force a full file system check if time-based forced checks are disabled and the last mount time or last write time in the superblock are in the future. Fix a potential out of bounds write when checking a maliciously corrupted file system. This is probably not exploitable on 64-bit platforms, but may be exploitable on 32-bit binaries depending on how the compiler lays out the stack variables. (Addresses CVE-2019-5188) Fixed spurious weekly e-mails when e2scrub_all is run via a cron job on non-systemd systems. (Addresses Debian Bug: #944033) Remove an unnecessary sleep in e2scrub which could add up to an additional two second delay during the boot up. Also, avoid trying to reap aborted snapshots if it has been disabled via e2scrub.conf. (Addresses Debian Bug: #948193) If a mischievous system administrator mounts a pseudo-file system such as tmpfs with a device name that duplicates another mounted file system, this could potentially confuse resize2fs when it needs to find the mount point of a mounted file system. (Who would have guessed?) Add some sanity checking so that we can make libext2fs more robust against such insanity, at least on Linux. (GNU HURD doesn't support st_rdev.) Tune2fs now prohibits enabling or disabling uninit_bg if the file system is mounted, since this could result in the file system getting corrupted, and there is an unfortunate AskUbuntu article suggesting this as a way to modify a file system's UUID on a live file system. (Ext4 now has a way to do this safely, using the metadata_csum_seed feature, which was added in the 4.4 Linux kernel.) Fix potential crash in e2fsck when rebuilding very large directories on file systems which have the new large_dir feature enable. Fix support of 32-bit uid's and gid's in fuse2fs and in mke2fs -d. Fix mke2fs's setting bad blocks to bigalloc file systems. Fix a bug where fuse2fs would incorrectly report the i_blocks fields for bigalloc file systems. Resize2fs's minimum size estimates (via resize2fs -M) estimates are now more accurate when run on mounted file systems. Fixed potential memory leak in read_bitmap() in libext2fs. Fixed various UBsan failures found when fuzzing file system images. (Addresses Google Bug: #128130353) Updated and clarified various man pages. Performance, Internal Implementation, Development Support etc. debian packaging issues. (Addresses Debian Bug: #933247, #932874, #932876, #932855, #932859, #932861, #932881, #932888) Fix false positive test failure in f_pre_1970_date_encoding on 32-bit systems with a 64-bit time_t. (Addresses Debian Bug: #932906) Fixed various compiler warnings. (Addresses Google Bug #118836063) Update the Czech, Dutch, French, German, Malay, Polish, Portuguese, Spanish, Swedish, Ukrainian, and Vietnamese translations from the Translation Project. Speed up e2fsck on file systems with a very large number of inodes caused by repeated calls to gettext(). The inode_io io_manager can now support files which are greater than 2GB. The ext2_off_t and ext2_off64_t are now signed types so that ext2fs_file_lseek() and ext2fs_file_llseek() can work correctly. Reserve codepoint for the fast_commit feature. Fixed various Debian packaging issues. Fix portability problems for Illumous and on hurd/i386 (Addresses Debian Bug: #944649) Always compile the ext2fs_swap_* functions even on little-endian architectures, so that debian/libext2fs.symbols can be consistent across architectures. Synchronized changes from Android's AOSP e2fsprogs tree. Updated config.guess and config.sub with newer versions from the FSF. Update the Chinese and Malay translations from the translation project. * Wed Jan 8 2020 Lukas Czerner - 1.45.5-1 - New upstream release * Thu Oct 3 2019 Lukas Czerner - 1.45.4-1 - New upstream release [ 1 ] Bug #1768556 - CVE-2019-5094 e2fsprogs: crafted ext4 partition leads to out-of-bounds write [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1768556 [ 2 ] Bug #1790049 - CVE-2019-5188 e2fsprogs: Out-of-bounds write in e2fsck/rehash.c [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1790049 su -c 'dnf upgrade --advisory FEDORA-2020-a724cc7926' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Change Log

References

Update Instructions

Severity
Product : Fedora 31
Version : 1.45.5
Release : 1.fc31
URL : https://e2fsprogs.sourceforge.net/
Summary : Utilities for managing ext2, ext3, and ext4 file systems

Related News