Bug 1187032 (CVE-2015-0247)
| Summary: | CVE-2015-0247 e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | carnil, esandeen, mmilgram, sct, security-response-team, slawomir |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | e2fsprogs 1.42.12 | Doc Type: | Bug Fix |
| Doc Text: | A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-14 15:04:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1189834 | | |
| Bug Blocks: | 1187035 | | |
Description
Vasyl Kaigorodov
2015-01-29 08:40:35 UTC
(In reply to Vasyl Kaigorodov from comment #0)
> A heap buffer overflow was found in e2fsprogs lib/ext2fs/openfs.c.

The report actually mentions "a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...)", only giving some examples. According to the reporter, these are fixed upstream in 1.42.12 and upstream is not planning to provide any patches for older versions. So the info that was provided so far is "upgrade to 1.42.12 to fix an unspecified number of issues". Also oCERT id oCERT-015-001 is incorrect, as it was already used for a different advisory.

The issue identified in the report is in ext2fs_open2(). The fs->group_desc buffer is allocated to have space for fs->desc_blocks items:

http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/tree/lib/ext2fs/openfs.c?id=de25d9c#n358

If the EXT2_FEATURE_INCOMPAT_META_BG flag is set, first_meta_bg for the file system is used and not checked against fs->desc_blocks:

http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/tree/lib/ext2fs/openfs.c?id=de25d9c#n381

This reportedly leads to an overflow in the subsequent io_channel_read_blk() call. It seems this issue was fixed upstream in:

http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4

Reporter clarified there is only one issue, the one mentioned in comment 2, that can be triggered using various e2fsprogs tools.

Public now via oCERT-2015-002 advisory.

External Reference: http://www.ocert.org/advisories/ocert-2015-002.html

Created e2fsprogs tracking bugs for this issue:

Affects: fedora-all [bug 1189834]

e2fsprogs-1.42.12-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

e2fsprogs-1.42.12-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Statement: This issue affects e2fsprogs packages as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. This issue affects e4fsprogs packages as shipped with Red Hat Enterprise Linux 5. The issue is not planned to be addressed in Red Hat Enterprise Linux 5. This issue did not affect e2fsprogs packages as shipped with Red Hat Enterprise Linux 5.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-0247
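The allocation-versus-first_meta_bg mismatch described in the comments above, modelled as added example code (not e2fsprogs' own openfs.c): struct, field and function names are constructed, and the clamp stands in for the missing bounds check rather than reproducing upstream commit f66e6ce4 verbatim.

```c
#include <stdint.h>
#include <stdio.h>
/* Model of the META_BG descriptor pre-read in ext2fs_open2() as the report
 * describes it. Added example, not e2fsprogs' openfs.c; all names are
 * constructed (MODEL_FEATURE_META_BG stands in for EXT2_FEATURE_INCOMPAT_META_BG). */
#define MODEL_FEATURE_META_BG 0x0010u

struct model_super {
    uint32_t feature_incompat;
    uint32_t s_first_meta_bg;   /* taken as-is from the on-disk superblock */
};
struct model_fs {
    struct model_super super;
    uint32_t desc_blocks;       /* group_desc was allocated for this many blocks */
};

/* Blocks that io_channel_read_blk() would be asked to copy into group_desc.
 * bounded == 0 reproduces the pre-1.42.12 logic, which trusts s_first_meta_bg;
 * bounded == 1 adds the missing check by clamping it to the allocation. */
uint32_t blocks_to_read(const struct model_fs *fs, int bounded)
{
    uint32_t first_meta_bg = fs->desc_blocks;
    if (fs->super.feature_incompat & MODEL_FEATURE_META_BG) {
        first_meta_bg = fs->super.s_first_meta_bg;
        if (bounded && first_meta_bg > fs->desc_blocks)
            first_meta_bg = fs->desc_blocks;   /* never read past the buffer */
    }
    return first_meta_bg;
}

/* 1 if the computed read would write beyond the end of group_desc. */
int read_overflows(const struct model_fs *fs, int bounded)
{
    return blocks_to_read(fs, bounded) > fs->desc_blocks;
}

/* Constructed corrupt image: META_BG set, only 2 descriptor blocks allocated,
 * but the superblock claims s_first_meta_bg = 1000. */
const struct model_fs *crafted_fs(void)
{
    static const struct model_fs fs = { { MODEL_FEATURE_META_BG, 1000 }, 2 };
    return &fs;
}

int main(void)
{
    const struct model_fs *fs = crafted_fs();
    printf("unchecked: %u blocks into %u allocated, overflow=%d\n",
           blocks_to_read(fs, 0), fs->desc_blocks, read_overflows(fs, 0));
    printf("clamped:   %u blocks, overflow=%d\n",
           blocks_to_read(fs, 1), read_overflows(fs, 1));
    return 0;
}
```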