summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--system/e2fsprogs/APKBUILD10
-rw-r--r--system/e2fsprogs/CVE-2019-5094.patch211
2 files changed, 4 insertions, 217 deletions
diff --git a/system/e2fsprogs/APKBUILD b/system/e2fsprogs/APKBUILD
index ba7869fe8..741de2e38 100644
--- a/system/e2fsprogs/APKBUILD
+++ b/system/e2fsprogs/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=e2fsprogs
-pkgver=1.45.3
-pkgrel=1
+pkgver=1.45.4
+pkgrel=0
pkgdesc="Standard ext2/3/4 filesystem utilities"
url="http://e2fsprogs.sourceforge.net"
arch="all"
@@ -13,7 +13,6 @@ makedepends="$depends_dev linux-headers"
subpackages="$pkgname-lang $pkgname-dev $pkgname-doc libcom_err $pkgname-libs"
source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz
header-fix.patch
- CVE-2019-5094.patch
"
# secfixes:
@@ -59,6 +58,5 @@ libcom_err() {
mv "$pkgdir"/lib/libcom_err* "$subpkgdir"/lib/
}
-sha512sums="9f898d353af48a1d357cb01f64187b6dfef671bb2e0450438530fe4fa9454fccc6b755c9469d81e702e6d85a4defd02ae0a493897a4b3284cb112e8444c9bf52 e2fsprogs-1.45.3.tar.xz
-34ca45c64a132bb4b507cd4ffb763c6d1b7979eccfed20f63417e514871b47639d32f2a3ecff090713c21a0f02ac503d5093960c80401d64081c592d01af279d header-fix.patch
-f82cf01938eb150446a7014ba48d51578ace42aecd427e225a3640033a4d8f2ec5a29dd02a3c0dfa45d2140cb2187303397c2d0124a2f987304c25182cc9578a CVE-2019-5094.patch"
+sha512sums="408f093a6674ef2316c451173481851041957617c550308d2969b983e11d988ddfc120626cd957c0759648bc357edf1d9971e6d46bed109c2af5f8a09bdc5bda e2fsprogs-1.45.4.tar.xz
+34ca45c64a132bb4b507cd4ffb763c6d1b7979eccfed20f63417e514871b47639d32f2a3ecff090713c21a0f02ac503d5093960c80401d64081c592d01af279d header-fix.patch"
diff --git a/system/e2fsprogs/CVE-2019-5094.patch b/system/e2fsprogs/CVE-2019-5094.patch
deleted file mode 100644
index 21baf660a..000000000
--- a/system/e2fsprogs/CVE-2019-5094.patch
+++ /dev/null
@@ -1,211 +0,0 @@
-From 8dbe7b475ec5e91ed767239f0e85880f416fc384 Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o <tytso@mit.edu>
-Date: Sun, 1 Sep 2019 00:59:16 -0400
-Subject: libsupport: add checks to prevent buffer overrun bugs in quota code
-
-A maliciously corrupted file systems can trigger buffer overruns in
-the quota code used by e2fsck. To fix this, add sanity checks to the
-quota header fields as well as to block number references in the quota
-tree.
-
-Addresses: CVE-2019-5094
-Addresses: TALOS-2019-0887
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
----
- lib/support/mkquota.c | 1 +
- lib/support/quotaio_tree.c | 71 ++++++++++++++++++++++++++++++----------------
- lib/support/quotaio_v2.c | 28 ++++++++++++++++++
- 3 files changed, 76 insertions(+), 24 deletions(-)
-
-diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c
-index 0b9e7665..ddb53124 100644
---- a/lib/support/mkquota.c
-+++ b/lib/support/mkquota.c
-@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype,
- err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data);
- if (err) {
- log_debug("Error scanning dquots");
-+ *usage_inconsistent = 1;
- goto out_close_qh;
- }
-
-diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c
-index a7c2028c..6cc4fb5b 100644
---- a/lib/support/quotaio_tree.c
-+++ b/lib/support/quotaio_tree.c
-@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct quota_handle *h, qid_t id)
- return dquot;
- }
-
-+static int check_reference(struct quota_handle *h, unsigned int blk)
-+{
-+ if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) {
-+ log_err("Illegal reference (%u >= %u) in %s quota file",
-+ blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
-+ quota_type2name(h->qh_type));
-+ return -1;
-+ }
-+ return 0;
-+}
-+
- /*
- * Scan all dquots in file and call callback on each
- */
-@@ -558,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
- int entries, i;
-
- if (!buf)
-- return 0;
-+ return -1;
-
- set_bit(bitmap, blk);
- read_blk(dquot->dq_h, blk, buf);
-@@ -580,23 +591,12 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
- return entries;
- }
-
--static void check_reference(struct quota_handle *h, unsigned int blk)
--{
-- if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks)
-- log_err("Illegal reference (%u >= %u) in %s quota file. "
-- "Quota file is probably corrupted.\n"
-- "Please run e2fsck (8) to fix it.",
-- blk,
-- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
-- quota_type2name(h->qh_type));
--}
--
- static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
- char *bitmap,
- int (*process_dquot) (struct dquot *, void *),
- void *data)
- {
-- int entries = 0, i;
-+ int entries = 0, ret, i;
- dqbuf_t buf = getdqbuf();
- __le32 *ref = (__le32 *) buf;
-
-@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
- if (depth == QT_TREEDEPTH - 1) {
- for (i = 0; i < QT_BLKSIZE >> 2; i++) {
- blk = ext2fs_le32_to_cpu(ref[i]);
-- check_reference(dquot->dq_h, blk);
-- if (blk && !get_bit(bitmap, blk))
-- entries += report_block(dquot, blk, bitmap,
-- process_dquot, data);
-+ if (check_reference(dquot->dq_h, blk)) {
-+ entries = -1;
-+ goto errout;
-+ }
-+ if (blk && !get_bit(bitmap, blk)) {
-+ ret = report_block(dquot, blk, bitmap,
-+ process_dquot, data);
-+ if (ret < 0) {
-+ entries = ret;
-+ goto errout;
-+ }
-+ entries += ret;
-+ }
- }
- } else {
- for (i = 0; i < QT_BLKSIZE >> 2; i++) {
- blk = ext2fs_le32_to_cpu(ref[i]);
- if (blk) {
-- check_reference(dquot->dq_h, blk);
-- entries += report_tree(dquot, blk, depth + 1,
-- bitmap, process_dquot,
-- data);
-+ if (check_reference(dquot->dq_h, blk)) {
-+ entries = -1;
-+ goto errout;
-+ }
-+ ret = report_tree(dquot, blk, depth + 1,
-+ bitmap, process_dquot,
-+ data);
-+ if (ret < 0) {
-+ entries = ret;
-+ goto errout;
-+ }
-+ entries += ret;
- }
- }
- }
-+errout:
- freedqbuf(buf);
- return entries;
- }
-@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h,
- int (*process_dquot) (struct dquot *, void *),
- void *data)
- {
-+ int ret;
- char *bitmap;
- struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi;
- struct qtree_mem_dqinfo *info = &v2info->dqi_qtree;
-@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h,
- ext2fs_free_mem(&dquot);
- return -1;
- }
-- v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap,
-- process_dquot, data);
-+ ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data);
-+ if (ret < 0)
-+ goto errout;
-+ v2info->dqi_used_entries = ret;
- v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks);
-+ ret = 0;
-+errout:
- ext2fs_free_mem(&bitmap);
- ext2fs_free_mem(&dquot);
-- return 0;
-+ return ret;
- }
-diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c
-index 38be2a34..73906676 100644
---- a/lib/support/quotaio_v2.c
-+++ b/lib/support/quotaio_v2.c
-@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt)
- static int v2_init_io(struct quota_handle *h)
- {
- struct v2_disk_dqinfo ddqinfo;
-+ struct v2_mem_dqinfo *info;
-+ __u64 filesize;
-
- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size =
- sizeof(struct v2r1_disk_dqblk);
-@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h)
- sizeof(ddqinfo)) != sizeof(ddqinfo))
- return -1;
- v2_disk2memdqinfo(&h->qh_info, &ddqinfo);
-+
-+ /* Check to make sure quota file info is sane */
-+ info = &h->qh_info.u.v2_mdqi;
-+ if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize))
-+ return -1;
-+ if ((filesize > (1U << 31)) ||
-+ (info->dqi_qtree.dqi_blocks >
-+ (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) {
-+ log_err("Quota inode %u corrupted: file size %llu; "
-+ "dqi_blocks %u", h->qh_qf.ino,
-+ filesize, info->dqi_qtree.dqi_blocks);
-+ return -1;
-+ }
-+ if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) {
-+ log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u",
-+ h->qh_qf.ino, info->dqi_qtree.dqi_free_blk,
-+ info->dqi_qtree.dqi_blocks);
-+ return -1;
-+ }
-+ if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) {
-+ log_err("Quota inode %u corrupted: free_entry %u; "
-+ "dqi_blocks %u", h->qh_qf.ino,
-+ info->dqi_qtree.dqi_free_entry,
-+ info->dqi_qtree.dqi_blocks);
-+ return -1;
-+ }
- return 0;
- }
-
---
-cgit 1.2-0.3.lf.el7
-