Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 838388 (CVE-2022-1304) - sys-fs/e2fsprogs: code execution via specially crafted filesystem
Summary: sys-fs/e2fsprogs: code execution via specially crafted filesystem
Status: CONFIRMED
Alias: CVE-2022-1304
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-15 00:32 UTC by John Helmert III
Modified: 2022-08-17 19:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-15 00:32:50 UTC
CVE-2022-1304 (https://bugzilla.redhat.com/show_bug.cgi?id=2069726):

An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-28 15:50:51 UTC
Ts'o says he's applied this, but I don't see it in git yet:

https://lore.kernel.org/linux-ext4/20220421173148.20193-1-lczerner@redhat.com/
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-17 19:28:04 UTC
Looks like there's a set of Ted patches for fuzzing issues:

https://lore.kernel.org/all/20220607042444.1798015-6-tytso@mit.edu/T/

Czerner's patch ended up in git as ab51d587bb9b229b1fade1afd02e1574c1ba5c76 unreleased afaict