From $URL: #2015-002 e2fsprogs input sanitization errors Description: The e2fsprogs package is a set of open source utilities for ext2, ext3 and ext4 filesytems. The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow. A specially crafted filesystem image can be used to trigger the vulnerability. Affected version: e2fsprogs < 1.42.12 Fixed version: e2fsprogs >= 1.42.12 Credit: vulnerability report from Jose Duart of Google Security Team <jduart AT google.com>. CVE: CVE-2015-0247 Timeline: 2015-01-19: vulnerability report received 2015-01-29: contacted affected vendors, assigned CVEs 2015-02-05: advisory release References: http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4 Permalink: http://www.ocert.org/advisories/ocert-2015-002.html
FYI: bug #516988 is blocking >=sys-fs/e2fsprogs-1.42.10 on uclibc profiles. The fix is ready to go as I stabilize =sys-libs/uclibc-0.9.33.2-r14. I know that < 1.42.12 has got to go, but please wait for a pingback from me before removing it. I should have this done in the next 2-3 days.
Arches please test and mark stable the following packages: =sys-fs/e2fsptrogs-1.42.12 =sys-libs/e2fsprogs-libs-1.42.12 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 -x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~m68k-mint
Damn typos... Arches please test and mark stable the following packages: =sys-fs/e2fsprogs-1.42.12 =sys-libs/e2fsprogs-libs-1.42.12 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 -x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~m68k-mint
Stable for HPPA.
(In reply to Anthony Basile from comment #1) > FYI: bug #516988 is blocking >=sys-fs/e2fsprogs-1.42.10 on uclibc profiles. > The fix is ready to go as I stabilize =sys-libs/uclibc-0.9.33.2-r14. I > know that < 1.42.12 has got to go, but please wait for a pingback from me > before removing it. I should have this done in the next 2-3 days. I'm waiting on mike to stabilize =sys-libs/uclibc-0.9.33.2-r14 for m68k, sh and sparc, and I've removed the mask on e2fsprogs for default/linux/uclibc. I can't do those last three arches, but I also don't care about them as far as uclibc goes. Hopeufully mike will move on this, but as far as I'm concerned, I don't need <sys-fs/e2fsprogs-1.42.12 in the tree.
stable on arm, ppc and ppc64
amd64 stable
x86 stable
sparc stable
alpha stable
ia64 stable
CVE-2015-0247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0247): Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.
Maintainer(s), Thank you for you for cleanup. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Please cleanup version: 1.42.10
Removed e2fsprogs{,-libs}-1.14.10 from the tree...
This issue was resolved and addressed in GLSA 201701-06 at https://security.gentoo.org/glsa/201701-06 by GLSA coordinator Thomas Deutschmann (whissi).
