The e2fsprogs package is a set of open source utilities for ext2, ext3 and ext4 filesytems. The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow. A specially crafted filesystem image can be used to trigger the vulnerability. Versions prior to 1.42.12 are affected.
f36fd29dba36b61b27140d5e0db103cf8b564838924976443f54919358a022f8
#2015-002 e2fsprogs input sanitization errors
Description:
The e2fsprogs package is a set of open source utilities for ext2, ext3 and
ext4 filesytems.
The libext2fs library, part of e2fsprogs and utilized by its utilities, is
affected by a boundary check error on block group descriptor information,
leading to a heap based buffer overflow.
A specially crafted filesystem image can be used to trigger the vulnerability.
Affected version:
e2fsprogs < 1.42.12
Fixed version:
e2fsprogs >= 1.42.12
Credit: vulnerability report from Jose Duart of Google Security Team
<jduart AT google.com>.
CVE: CVE-2015-0247
Timeline:
2015-01-19: vulnerability report received
2015-01-29: contacted affected vendors, assigned CVEs
2015-02-05: advisory release
References:
http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
Permalink:
http://www.ocert.org/advisories/ocert-2015-002.html
--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team
<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"