| Summary: | <sys-fs/e2fsprogs-1.42.12 : input sanitization errors (CVE-2015-0247) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.ocert.org/advisories/ocert-2015-002.html | | |
| Whiteboard: | A3 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 516988, 539226 | | |
| Bug Blocks: | | | |
Description
Kristian Fiskerstrand (RETIRED)
FYI: bug #516988 is blocking >=sys-fs/e2fsprogs-1.42.10 on uclibc profiles. The fix is ready to go as I stabilize =sys-libs/uclibc-0.9.33.2-r14. I know that < 1.42.12 has got to go, but please wait for a pingback from me before removing it. I should have this done in the next 2-3 days.

Arches please test and mark stable the following packages:
=sys-fs/e2fsptrogs-1.42.12
=sys-libs/e2fsprogs-libs-1.42.12
with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 -x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~m68k-mint

Damn typos... Arches please test and mark stable the following packages:
=sys-fs/e2fsprogs-1.42.12
=sys-libs/e2fsprogs-libs-1.42.12
with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 -x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~m68k-mint

Stable for HPPA.

(In reply to Anthony Basile from comment #1)
> FYI: bug #516988 is blocking >=sys-fs/e2fsprogs-1.42.10 on uclibc profiles.
> The fix is ready to go as I stabilize =sys-libs/uclibc-0.9.33.2-r14. I
> know that < 1.42.12 has got to go, but please wait for a pingback from me
> before removing it. I should have this done in the next 2-3 days.

I'm waiting on mike to stabilize =sys-libs/uclibc-0.9.33.2-r14 for m68k, sh and sparc, and I've removed the mask on e2fsprogs for default/linux/uclibc. I can't do those last three arches, but I also don't care about them as far as uclibc goes. Hopefully mike will move on this, but as far as I'm concerned, I don't need <sys-fs/e2fsprogs-1.42.12 in the tree.

stable on arm, ppc and ppc64

amd64 stable

x86 stable

sparc stable

alpha stable

ia64 stable

CVE-2015-0247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0247): Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.

Maintainer(s), thank you for cleanup. New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s). Please cleanup version: 1.42.10

Removed e2fsprogs{,-libs}-1.14.10 from the tree...

This issue was resolved and addressed in GLSA 201701-06 at https://security.gentoo.org/glsa/201701-06 by GLSA coordinator Thomas Deutschmann (whissi).