Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 538930 (CVE-2015-0247) - <sys-fs/e2fsprogs-1.42.12 : input sanitization errors (CVE-2015-0247)
Summary: <sys-fs/e2fsprogs-1.42.12 : input sanitization errors (CVE-2015-0247)
Status: RESOLVED FIXED
Alias: CVE-2015-0247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.ocert.org/advisories/ocert...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: 516988 539226
Blocks:
  Show dependency tree
 
Reported: 2015-02-05 14:42 UTC by Kristian Fiskerstrand
Modified: 2017-01-01 15:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2015-02-05 14:42:38 UTC
From $URL:
#2015-002 e2fsprogs input sanitization errors

Description:

The e2fsprogs package is a set of open source utilities for ext2, ext3 and
ext4 filesytems.

The libext2fs library, part of e2fsprogs and utilized by its utilities, is
affected by a boundary check error on block group descriptor information,
leading to a heap based buffer overflow.

A specially crafted filesystem image can be used to trigger the vulnerability.

Affected version:

e2fsprogs < 1.42.12

Fixed version:

e2fsprogs >= 1.42.12

Credit: vulnerability report from Jose Duart of Google Security Team
       <jduart AT google.com>.

CVE: CVE-2015-0247

Timeline:

2015-01-19: vulnerability report received
2015-01-29: contacted affected vendors, assigned CVEs
2015-02-05: advisory release

References:
http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4

Permalink:
http://www.ocert.org/advisories/ocert-2015-002.html
Comment 1 Anthony Basile gentoo-dev 2015-02-06 13:14:20 UTC
FYI: bug #516988 is blocking  >=sys-fs/e2fsprogs-1.42.10 on uclibc profiles.  The fix is ready to go as I stabilize  =sys-libs/uclibc-0.9.33.2-r14.  I know that < 1.42.12 has got to go, but please wait for a pingback from me before removing it.  I should have this done in the next 2-3 days.
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2015-02-06 17:25:44 UTC
Arches please test and mark stable the following packages:

=sys-fs/e2fsptrogs-1.42.12
=sys-libs/e2fsprogs-libs-1.42.12

with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 -x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~m68k-mint
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2015-02-06 17:26:16 UTC
Damn typos...

Arches please test and mark stable the following packages:

=sys-fs/e2fsprogs-1.42.12
=sys-libs/e2fsprogs-libs-1.42.12

with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 -x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~m68k-mint
Comment 4 Jeroen Roovers gentoo-dev 2015-02-06 20:44:05 UTC
Stable for HPPA.
Comment 5 Anthony Basile gentoo-dev 2015-02-07 13:21:11 UTC
(In reply to Anthony Basile from comment #1)
> FYI: bug #516988 is blocking  >=sys-fs/e2fsprogs-1.42.10 on uclibc profiles.
> The fix is ready to go as I stabilize  =sys-libs/uclibc-0.9.33.2-r14.  I
> know that < 1.42.12 has got to go, but please wait for a pingback from me
> before removing it.  I should have this done in the next 2-3 days.

I'm waiting on mike to stabilize =sys-libs/uclibc-0.9.33.2-r14 for m68k, sh and sparc, and I've removed the mask on e2fsprogs for default/linux/uclibc.  I can't do those last three arches, but I also don't care about them as far as uclibc goes.  Hopeufully mike will move on this, but as far as I'm concerned, I don't need <sys-fs/e2fsprogs-1.42.12 in the tree.
Comment 6 Anthony Basile gentoo-dev 2015-02-09 12:42:54 UTC
stable on arm, ppc and ppc64
Comment 7 Agostino Sarubbo gentoo-dev 2015-02-10 09:58:42 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-10 09:59:16 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-16 10:23:55 UTC
sparc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-02-16 18:14:26 UTC
alpha stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-02-16 18:15:00 UTC
ia64 stable
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-04-22 20:32:36 UTC
CVE-2015-0247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0247):
  Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs
  before 1.42.12 allows local users to execute arbitrary code via crafted
  block group descriptor data in a filesystem image.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-22 20:35:30 UTC
Maintainer(s), Thank you for you for cleanup.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-06 13:03:23 UTC
Please cleanup version: 1.42.10
Comment 15 Lars Wendler (Polynomial-C) gentoo-dev 2015-07-07 11:46:42 UTC
Removed e2fsprogs{,-libs}-1.14.10 from the tree...
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 15:45:47 UTC
This issue was resolved and addressed in
 GLSA 201701-06 at https://security.gentoo.org/glsa/201701-06
by GLSA coordinator Thomas Deutschmann (whissi).