Bug 1187032 (CVE-2015-0247)
|Summary:||CVE-2015-0247 e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002)|
|Product:||[Other] Security Response||Reporter:||Vasyl Kaigorodov <vkaigoro>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED WONTFIX||QA Contact:|
|Version:||unspecified||CC:||carnil, esandeen, mmilgram, sct, security-response-team, slawomir|
|Fixed In Version:||e2fsprogs 1.42.12||Doc Type:||Bug Fix|
A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code.
|Last Closed:||2021-06-14 15:04:15 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1189834|
Description Vasyl Kaigorodov 2015-01-29 08:40:35 UTC
A heap buffer overflow was found in e2fsprgos lib/ext2fs/openfs.c. It allows a trivial arbitrary memory write under certain conditions. Given that fsck is affected, and that an ext2/3/4 image can force a filesystem check on mount, this will allow code execution on systems that have automount enabled by just plugging a device. Acknowledgements: Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.
Comment 1 Tomas Hoger 2015-01-29 09:37:15 UTC
(In reply to Vasyl Kaigorodov from comment #0) > A heap buffer overflow was found in e2fsprgos lib/ext2fs/openfs.c. The report actually mentions "a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...)", only giving some example. According to the reporter, these are fixed upstream in 1.42.12 and upstream is not planning to provide any patches for older versions. So the info that was provided so far is "upgrade to 1.42.12 to fix unspecified number of issues". Also oCERT id oCERT-015-001 is incorrect, as it was already used for a different advisory.
Comment 2 Tomas Hoger 2015-01-29 10:10:21 UTC
The issue identified in the report is in ext2fs_open2(). fs->group_desc buffer is allocated to have space for fs->desc_blocks items: http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/tree/lib/ext2fs/openfs.c?id=de25d9c#n358 If EXT2_FEATURE_INCOMPAT_META_BG flag is set, first_meta_bg for the file system is used and not check against fs->desc_blocks: http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/tree/lib/ext2fs/openfs.c?id=de25d9c#n381 This reported leads to overflow in the subsequent io_channel_read_blk() call. It seem this issue was fixed upstream in: http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
Comment 4 Tomas Hoger 2015-02-03 14:44:42 UTC
Reporter clarified there is only one issue mentioned in comment 2, that can be triggered using various e2fsprogs tools.
Comment 8 Tomas Hoger 2015-02-05 15:04:17 UTC
Public now via oCERT-2015-002 advisory. External Reference: http://www.ocert.org/advisories/ocert-2015-002.html
Comment 9 Tomas Hoger 2015-02-05 15:04:59 UTC
Created e2fsprogs tracking bugs for this issue: Affects: fedora-all [bug 1189834]
Comment 10 Fedora Update System 2015-02-09 05:27:17 UTC
e2fsprogs-1.42.12-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-02-21 04:24:33 UTC
e2fsprogs-1.42.12-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Tomas Hoger 2015-03-24 08:11:54 UTC
Statement: This issue affects e2fsprogs packages as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. This issue affects e4fsprogs packages as shipped with Red Hat Enterprise Linux 5. The issue is not planned to be addressed in Red Hat Enterprise Linux 5. This issue did not affect e2fsprogs packages as shipped with Red Hat Enterprise Linux 5.
Comment 13 Product Security DevOps Team 2021-06-14 15:04:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-0247