[v3.0] e2fsprogs: input sanitization errors (CVE-2015-0247)
The e2fsprogs package is a set of open source utilities for ext2, ext3 and ext4 filesytems.
The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow.
A specially crafted filesystem image can be used to trigger the vulnerability.
Affected version: e2fsprogs < 1.42.12
Fixed version: e2fsprogs >= 1.42.12
Credit: vulnerability report from Jose Duart of Google Security Team
<jduart AT google.com>.
Timeline:
2015-01-19: vulnerability report received
2015-01-29: contacted affected vendors, assigned CVEs
2015-02-05: advisory release
References:
http://seclists.org/oss-sec/2015/q1/426
http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
Permalink:
http://www.ocert.org/advisories/ocert-2015-002.html
(from redmine: issue id 3945, created on 2015-02-18, closed on 2015-03-16)
- Relations:
- parent #3942 (closed)
- Changesets:
- Revision ec27ff40 by Natanael Copa on 2015-03-11T10:53:47Z:
main/e2fsprogs: security upgrade to 1.42.12 (CVE-2015-0247)
fixes #3945