
Bug#1010264: CVE-2022-28391


Moritz Muehlenhoff

Apr 27, 2022, 8:00:03 AM
Package: e2fsprogs
Version: 1.46.5-2
Severity: important

This issue was found by Alpine:
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661

Details and the patches they used are in the report above, but the
patches are not yet merged upstream, might be worth to wait until
that's fixed since the impact is rather low.

Cheers,
Moritz

Theodore Ts'o

Apr 27, 2022, 11:40:03 PM
Um, going to that link results in the (closed) alpine bug from three
weeks ago:

"netstat is vulnerable to escape sequence injection (busybox)"

"Alpine ships BusyBox with the netstat applet enabled. This is
vulnerable to escape sequence injection when used from an VT
compatible terminal. To exploit this vulnerability the PTR for a
remote host must contain a escape sequence and the victim has to
execute netstat. I've set up an example at [elided] with the PTR
resolving to \027[33\;46mlocalhost."

The string "e2fsprogs" appears nowhere on the page.

I've done a search on Alpine/aports looking for "e2fsprogs" and could
only find:

e2fsprogs can be uninstalled manually on systems that depend on it
#13584 · created 1 month ago by Álvaro Torralba


updated 1 month ago
modloop verification fails with apline usb drive when local disk partition has a alpine installation
#11136 · created 2 years ago by nico

Neither seems to be security related. Are you sure this was correctly
filed against e2fsprogs?

- Ted

Moritz Muehlenhoff

Apr 28, 2022, 3:10:03 AM
On Wed, Apr 27, 2022 at 11:29:00PM -0400, Theodore Ts'o wrote:
> Neither seems to be security related. Are you sure this was correctly
> filed against e2fsprogs?

Apologies, I reported multiple incoming new issues from the CVE feed
and I must have mis-pasted the wrong Emacs buffer into the report.

The correct references are
https://bugzilla.redhat.com/show_bug.cgi?id=2069726
https://bugzilla.redhat.com/show_bug.cgi?id=2068113

And the proposed patch was already posted at:
https://lore.kernel.org/linux-ext4/20220421173148....@redhat.com/T/#u

Cheers,
Moritz

Salvatore Bonaccorso

Apr 28, 2022, 3:40:03 AM
Hi,
Theodore, btw the BTS reference for the e2fsprogs issue is #1010263
and the CVE id CVE-2022-1304.

#1010264 and CVE-2022-28391 are respectively for busybox. The bug
was already reassigned accordingly earlier.

Regards,
Salvatore

Theodore Ts'o

Apr 28, 2022, 10:40:03 AM
On Thu, Apr 28, 2022 at 09:30:45AM +0200, Salvatore Bonaccorso wrote:
>
> Theodore, btw the BTS reference for the e2fsprogs issue is #1010263
> and the CVE id CVE-2022-1304.

Yes, I've noted that already.

> #1010264 and CVE-2022-28391 are respectively for busybox. The bug
> was already reassigned accordingly earlier.

Apologies, I didn't get an e-mail notification for the bug getting
reassigned; I should have double checked the BTS web page for the bug
before replying.

Regards,

- Ted

Nobuhiro Iwamatsu

Apr 25, 2022, 3:10:03 AM
Package: busybox
Version: 1:1.35.0-1
Tags: patch
Followup-For: Bug #1010264

Dear Maintainer,

I created a patch which corrects this issue.
The correction contained in this patch was taken from the following
posts.
http://lists.busybox.net/pipermail/busybox/2022-June/089751.html
Could you check this?

Best regards,
Nobuhiro

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf, arm64, i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages busybox depends on:
ii libc6 2.33-7

busybox recommends no packages.

busybox suggests no packages.

-- no debconf information
0001-d-aptches-Fix-CVE-2022-28391.patch
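
The Alpine report quoted earlier in the thread describes a PTR name carrying a terminal escape sequence that netstat prints unchanged. The following is an added example, not the patch attached to this bug or posted on the busybox list: a hypothetical helper, `sanitize_name`, that neutralises non-printable bytes in a resolver-supplied name before it reaches the terminal.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not busybox code). Copies a resolver-supplied name
 * into out, replacing every byte that is not printable ASCII with '?'.
 * That covers C0 controls such as ESC (0x1b), DEL (0x7f) and all bytes
 * >= 0x80, which includes the 8-bit CSI (0x9b) that some terminals honour.
 * Returns the number of bytes replaced. out is always NUL-terminated when
 * outsz >= 1; input longer than the buffer is truncated. */
size_t sanitize_name(const char *in, char *out, size_t outsz)
{
    size_t replaced = 0, i = 0;

    if (outsz == 0)
        return 0;
    for (; in[i] != '\0' && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c >= 0x7f) {
            out[i] = '?';
            replaced++;
        } else {
            out[i] = (char)c;
        }
    }
    out[i] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: the PTR value quoted in the thread, with the
     * zone-file escape \027 (decimal 27) written as the ESC byte. */
    const char *ptr_name = "\x1b[33;46mlocalhost";
    char safe[256];
    size_t n = sanitize_name(ptr_name, safe, sizeof(safe));

    /* The colour-change sequence is now inert text on the terminal. */
    printf("%s (%zu byte(s) replaced)\n", safe, n);
    return 0;
}
```

A non-zero return value is also a useful signal to log, since legitimate hostnames never contain control bytes.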