Debian Bug report logs - #793496
xfsprogs: CVE-2012-2150: xfs_metadump information disclosure flaw
Reported by: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 24 Jul 2015 15:57:02 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Merged with 793495
Found in version xfsprogs/3.2.3
Fixed in version xfsprogs/3.2.4
Report forwarded
to debian-bugs-dist@lists.debian.org, XFS Development Team <xfs@oss.sgi.com>:
Bug#793496; Package src:xfsprogs.
(Fri, 24 Jul 2015 15:57:05 GMT).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to XFS Development Team <xfs@oss.sgi.com>.
(Fri, 24 Jul 2015 15:57:05 GMT).
Message #5 received at submit@bugs.debian.org:
Source: xfsprogs
Severity: important
Tags: security
Hi,
the following vulnerability was published for xfsprogs.
CVE-2012-2150[0]:
xfs_metadump information disclosure flaw
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2012-2150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150
Please adjust the affected versions in the BTS as needed.
There are no upstream patches yet but they should be published shortly
according to https://marc.info/?l=oss-security&m=143766249112576&w=2
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Information forwarded
to debian-bugs-dist@lists.debian.org, XFS Development Team <xfs@oss.sgi.com>:
Bug#793496; Package src:xfsprogs.
(Fri, 24 Jul 2015 16:00:07 GMT).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to XFS Development Team <xfs@oss.sgi.com>.
(Fri, 24 Jul 2015 16:00:07 GMT).
Message #10 received at 793496@bugs.debian.org:
Hello Nathan,
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2012-2150
We decided that we would not prepare a squeeze security update (usually
because the security impact is low and we concentrate our limited
resources on higher severity issues and on the most widely used packages).
That said the squeeze users would most certainly benefit from a fixed
package.
If you want to work on such an update, you're welcome to do so. Please
try to follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development
If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. However please make sure to
submit a tested package.
Thank you very much.
Raphaël Hertzog,
on behalf of the Debian LTS team.
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Information forwarded
to debian-bugs-dist@lists.debian.org, XFS Development Team <xfs@oss.sgi.com>:
Bug#793496; Package src:xfsprogs.
(Fri, 24 Jul 2015 16:09:12 GMT).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to XFS Development Team <xfs@oss.sgi.com>.
(Fri, 24 Jul 2015 16:09:12 GMT).
Message #15 received at 793496@bugs.debian.org:
Control: forcemerge 793495 -1
Sorry, it's a duplicate. Merging it with the other.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Bug reassigned from package 'src:xfsprogs' to 'xfsprogs'.
Request was from Raphaël Hertzog <hertzog@debian.org>
to control@bugs.debian.org.
(Fri, 24 Jul 2015 16:27:03 GMT).
Marked as found in versions xfsprogs/3.2.3.
Request was from Raphaël Hertzog <hertzog@debian.org>
to control@bugs.debian.org.
(Fri, 24 Jul 2015 16:27:04 GMT).
Merged 793495 793496
Request was from Raphaël Hertzog <hertzog@debian.org>
to control@bugs.debian.org.
(Fri, 24 Jul 2015 16:27:06 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, XFS Development Team <xfs@oss.sgi.com>:
Bug#793496; Package xfsprogs.
(Mon, 27 Jul 2015 03:27:03 GMT).
Acknowledgement sent
to Nathan Scott <nathans@debian.org>:
Extra info received and forwarded to list. Copy sent to XFS Development Team <xfs@oss.sgi.com>.
(Mon, 27 Jul 2015 03:27:03 GMT).
Message #26 received at 793496@bugs.debian.org:
Hi Raphaël,
----- Original Message -----
> [...]
> We decided that we would not prepare a squeeze security update (usually
> because the security impact is low and we concentrate our limited
> resources on higher severity issues and on the most widely used packages).
> That said the squeeze users would most certainly benefit from a fixed
> package.
I tend to agree - seems like a fairly minor issue & I don't have a huge
amount of spare time either. I'll concentrate on getting next upstream
release with the fix uploaded to unstable as soon as possible though -
but I'm not likely to get to backporting this one.
Thanks for the heads-up!
cheers.
--
Nathan
Added tag(s) fixed-upstream and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 793495-submit@bugs.debian.org.
(Thu, 30 Jul 2015 05:03:11 GMT).
Marked as fixed in versions xfsprogs/3.2.4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 31 Jul 2015 04:57:05 GMT).
Last modified: Wed Oct 11 11:58:18 2017