Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 709374 (CVE-2019-5188) - <sys-fs/e2fsprogs-1.45.5: out of bounds write on filesystem check (CVE-2019-5188)
Summary: <sys-fs/e2fsprogs-1.45.5: out of bounds write on filesystem check (CVE-2019-5...
Status: RESOLVED FIXED
Alias: CVE-2019-5188
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://e2fsprogs.sourceforge.net/e2fs...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-12 12:19 UTC by Hanno Böck
Modified: 2020-06-20 00:43 UTC (History)
1 user (show)

See Also:
Package list:
sys-fs/e2fsprogs-1.45.5 sys-libs/e2fsprogs-libs-1.45.5
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2020-02-12 12:19:23 UTC 
From upstream changelog:
"Fix a potential out of bounds write when checking a maliciously corrupted file system. This is probably not exploitable on 64-bit platforms, but may be exploitable on 32-bit binaries depending on how the compiler lays out the stack variables. (Addresses CVE-2019-5188)"

Likely low severity, but FWIW I wouldn't necessarily trust the "probably not exploitable".

We already have 1.45.5 in the tree, just needs to be stabilized.
Comment 1 Agostino Sarubbo gentoo-dev 2020-02-12 14:20:49 UTC 
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-02-12 18:22:48 UTC 
x86 stable
Comment 3 Rolf Eike Beer archtester 2020-02-12 20:06:30 UTC 
sparc stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-13 09:20:04 UTC 
s390 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-02-13 12:10:28 UTC 
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-02-13 12:19:43 UTC 
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-13 12:27:41 UTC 
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-02-13 12:39:14 UTC 
ppc stable
Comment 9 Rolf Eike Beer archtester 2020-02-13 20:56:20 UTC 
hppa stable
Comment 10 Mart Raudsepp gentoo-dev 2020-02-24 20:46:39 UTC 
arm64 stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:08:18 UTC 
SuperH port disbanded.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-08 04:09:12 UTC 
[updating whiteboard.]

@m68k: ping.
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-04-21 07:16:06 UTC 
m68k dropped stable keywords
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 07:23:33 UTC 
@maintainer(s), please cleanup
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 02:05:52 UTC 
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:32:25 UTC 
@maintainer(s), ping, please cleanup
Comment 17 Larry the Git Cow gentoo-dev 2020-06-18 06:33:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13c222380d8698c307298598498b97fffe91ab25

commit 13c222380d8698c307298598498b97fffe91ab25
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-18 06:32:51 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-18 06:33:00 +0000

    sys-libs/e2fsprogs-libs: Security cleanup
    
    Bug: https://bugs.gentoo.org/709374
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-libs/e2fsprogs-libs/Manifest                   |  1 -
 .../e2fsprogs-libs/e2fsprogs-libs-1.45.4.ebuild    | 94 ----------------------
 2 files changed, 95 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a100d2e782b8f0f5dcbefeb4822cd5b22e08d5b

commit 7a100d2e782b8f0f5dcbefeb4822cd5b22e08d5b
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-18 06:31:46 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-18 06:32:59 +0000

    sys-fs/e2fsprogs: Security cleanup
    
    Bug: https://bugs.gentoo.org/709374
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-fs/e2fsprogs/Manifest                |   1 -
 sys-fs/e2fsprogs/e2fsprogs-1.45.4.ebuild | 143 -------------------------------
 2 files changed, 144 deletions(-)