CVE-2012-2150
CVSS5.0
发布时间 :2015-08-25 13:59:00
修订时间 :2016-12-06 22:00:06
NMCPS    

[原文]xfs_metadump in xfsprogs before 3.2.4 does not properly obfuscate file data, which allows remote attackers to obtain sensitive information by reading a generated image.


[CNNVD]xfsprogs 本地信息泄露漏洞(CNNVD-201507-790)

        

xfsprogs是一套高性能的日志文件系统。

xfsprogs中存在本地信息泄露漏洞。本地攻击者可利用该漏洞获取敏感信息。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-200 [信息暴露]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2150
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201507-790
(官方数据源) CNNVD

- 其它链接及资源

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163690.html
(UNKNOWN)  FEDORA  FEDORA-2015-12435
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164180.html
(UNKNOWN)  FEDORA  FEDORA-2015-12380
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164189.html
(UNKNOWN)  FEDORA  FEDORA-2015-12406
http://lists.opensuse.org/opensuse-updates/2015-08/msg00027.html
(UNKNOWN)  SUSE  openSUSE-SU-2015:1429
http://lists.opensuse.org/opensuse-updates/2016-01/msg00007.html
(UNKNOWN)  SUSE  openSUSE-SU-2016:0018
http://oss.sgi.com/pipermail/xfs/2015-July/042726.html
(UNKNOWN)  MLIST  [xfs] 20150729 [ANNOUNCE] xfsprogs: v3.2.4 released
http://www.openwall.com/lists/oss-security/2015/07/23/12
(UNKNOWN)  MLIST  [oss-security] 20150723 CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
http://www.openwall.com/lists/oss-security/2015/07/30/3
(UNKNOWN)  MLIST  [oss-security] 20150730 Re: CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/76013
(UNKNOWN)  BID  76013
https://bugzilla.redhat.com/show_bug.cgi?id=817696
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=817696

- 漏洞信息

xfsprogs 本地信息泄露漏洞
信息泄露
2015-07-29 00:00:00 2015-07-29 00:00:00
本地  
        

xfsprogs是一套高性能的日志文件系统。

xfsprogs中存在本地信息泄露漏洞。本地攻击者可利用该漏洞获取敏感信息。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        https://git.kernel.org/cgit/fs/xfs/xfsprogs-dev.git/

- 漏洞信息 (F134446)

Red Hat Security Advisory 2015-2151-01 (PacketStormID:F134446)
2015-11-20 00:00:00
Red Hat  
advisory
linux,redhat
CVE-2012-2150
[点击下载]

Red Hat Security Advisory 2015-2151-01 - The xfsprogs packages contain a set of commands to use the XFS file system, including the mkfs.xfs command to construct an XFS system. It was discovered that the xfs_metadump tool of the xfsprogs suite did not fully adhere to the standards of obfuscation described in its man page. In case a user with the necessary privileges used xfs_metadump and relied on the advertised obfuscation, the generated data could contain unexpected traces of potentially sensitive information. The xfsprogs packages have been upgraded to upstream version 3.2.2, which provides a number of bug fixes and enhancements over the previous version. This release also includes updates present in upstream version 3.2.3, although it omits the mkfs.xfs default disk format change which is present upstream.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: xfsprogs security, bug fix and enhancement update
Advisory ID:       RHSA-2015:2151-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2151.html
Issue date:        2015-11-19
CVE Names:         CVE-2012-2150 
=====================================================================

1. Summary:

Updated xfsprogs packages that fix one security issue, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The xfsprogs packages contain a set of commands to use the XFS file system,
including the mkfs.xfs command to construct an XFS system.

It was discovered that the xfs_metadump tool of the xfsprogs suite did not
fully adhere to the standards of obfuscation described in its man page. In
case a user with the necessary privileges used xfs_metadump and relied on
the advertised obfuscation, the generated data could contain unexpected
traces of potentially sensitive information. (CVE-2012-2150)

The xfsprogs packages have been upgraded to upstream version 3.2.2, which
provides a number of bug fixes and enhancements over the previous version.
This release also includes updates present in upstream version 3.2.3,
although it omits the mkfs.xfs default disk format change (for metadata
checksumming) which is present upstream. (BZ#1223991)

Users of xfsprogs are advised to upgrade to these updated packages, which
fix these bugs and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

817696 - CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
1201238 - xfs_repair verify the last secondary superblock corruption failed
1223991 - Rebase xfsprogs to 3.2.3 (pending upstream)

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
xfsprogs-3.2.2-2.el7.src.rpm

x86_64:
xfsprogs-3.2.2-2.el7.i686.rpm
xfsprogs-3.2.2-2.el7.x86_64.rpm
xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm
xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm
xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm
xfsprogs-devel-3.2.2-2.el7.i686.rpm
xfsprogs-devel-3.2.2-2.el7.x86_64.rpm
xfsprogs-qa-devel-3.2.2-2.el7.i686.rpm
xfsprogs-qa-devel-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
xfsprogs-3.2.2-2.el7.src.rpm

x86_64:
xfsprogs-3.2.2-2.el7.i686.rpm
xfsprogs-3.2.2-2.el7.x86_64.rpm
xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm
xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm
xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm
xfsprogs-devel-3.2.2-2.el7.i686.rpm
xfsprogs-devel-3.2.2-2.el7.x86_64.rpm
xfsprogs-qa-devel-3.2.2-2.el7.i686.rpm
xfsprogs-qa-devel-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
xfsprogs-3.2.2-2.el7.src.rpm

aarch64:
xfsprogs-3.2.2-2.el7.aarch64.rpm
xfsprogs-debuginfo-3.2.2-2.el7.aarch64.rpm

ppc64:
xfsprogs-3.2.2-2.el7.ppc.rpm
xfsprogs-3.2.2-2.el7.ppc64.rpm
xfsprogs-debuginfo-3.2.2-2.el7.ppc.rpm
xfsprogs-debuginfo-3.2.2-2.el7.ppc64.rpm

ppc64le:
xfsprogs-3.2.2-2.el7.ppc64le.rpm
xfsprogs-debuginfo-3.2.2-2.el7.ppc64le.rpm

s390x:
xfsprogs-3.2.2-2.el7.s390.rpm
xfsprogs-3.2.2-2.el7.s390x.rpm
xfsprogs-debuginfo-3.2.2-2.el7.s390.rpm
xfsprogs-debuginfo-3.2.2-2.el7.s390x.rpm

x86_64:
xfsprogs-3.2.2-2.el7.i686.rpm
xfsprogs-3.2.2-2.el7.x86_64.rpm
xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm
xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
xfsprogs-debuginfo-3.2.2-2.el7.aarch64.rpm
xfsprogs-devel-3.2.2-2.el7.aarch64.rpm
xfsprogs-qa-devel-3.2.2-2.el7.aarch64.rpm

ppc64:
xfsprogs-debuginfo-3.2.2-2.el7.ppc.rpm
xfsprogs-debuginfo-3.2.2-2.el7.ppc64.rpm
xfsprogs-devel-3.2.2-2.el7.ppc.rpm
xfsprogs-devel-3.2.2-2.el7.ppc64.rpm
xfsprogs-qa-devel-3.2.2-2.el7.ppc.rpm
xfsprogs-qa-devel-3.2.2-2.el7.ppc64.rpm

ppc64le:
xfsprogs-debuginfo-3.2.2-2.el7.ppc64le.rpm
xfsprogs-devel-3.2.2-2.el7.ppc64le.rpm
xfsprogs-qa-devel-3.2.2-2.el7.ppc64le.rpm

s390x:
xfsprogs-debuginfo-3.2.2-2.el7.s390.rpm
xfsprogs-debuginfo-3.2.2-2.el7.s390x.rpm
xfsprogs-devel-3.2.2-2.el7.s390.rpm
xfsprogs-devel-3.2.2-2.el7.s390x.rpm
xfsprogs-qa-devel-3.2.2-2.el7.s390.rpm
xfsprogs-qa-devel-3.2.2-2.el7.s390x.rpm

x86_64:
xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm
xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm
xfsprogs-devel-3.2.2-2.el7.i686.rpm
xfsprogs-devel-3.2.2-2.el7.x86_64.rpm
xfsprogs-qa-devel-3.2.2-2.el7.i686.rpm
xfsprogs-qa-devel-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
xfsprogs-3.2.2-2.el7.src.rpm

x86_64:
xfsprogs-3.2.2-2.el7.i686.rpm
xfsprogs-3.2.2-2.el7.x86_64.rpm
xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm
xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm
xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm
xfsprogs-devel-3.2.2-2.el7.i686.rpm
xfsprogs-devel-3.2.2-2.el7.x86_64.rpm
xfsprogs-qa-devel-3.2.2-2.el7.i686.rpm
xfsprogs-qa-devel-3.2.2-2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2012-2150
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkBJXlSAg2UNWIIRAoi8AJ9mZzQ69HHic+hbV8ddVnu35NaQfQCgm7+P
+WvUjZ8t7jpqpJFnwF8ZNhg=
=fF5T
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- 漏洞信息

xfsprogs Package CVE-2012-2150 Local Information Disclosure Vulnerability
Design Error 76013
No Yes
2015-07-23 12:00:00 2015-07-23 12:00:00
Gabriel Vlasiu

- 受影响的程序版本

- 漏洞讨论

xfsprogs package is prone to a local information-disclosure vulnerability.

Local attackers can exploit this issue to obtain sensitive information. Information obtained may lead to further attacks.

- 漏洞利用

Attackers require local interactive access to exploit this issue.

- 解决方案

Updates are available. Please see the references or vendor advisory for more information.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站