Bug 1193945 (CVE-2015-1572) - CVE-2015-1572 e2fsprogs: potential buffer overflow in closefs() (incomplete CVE-2015-0247 fix)
Summary: CVE-2015-1572 e2fsprogs: potential buffer overflow in closefs() (incomplete C...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-1572
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1193947
Blocks: 1187035 1193946
TreeView+ depends on / blocked
 
Reported: 2015-02-18 15:36 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:38 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2016-06-10 20:56:09 UTC
Embargoed:

Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-02-18 15:36:40 UTC 
From the upstream commit [1]:
"""
The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if s_first_meta_bg is too big" had a typo in the fix for ext2fs_closefs(). In practice most of the security exposure was from the openfs path, since this meant if there was a carefully crafted file system, buffer overrun would be triggered when the file system was opened. However, if corrupted file system didn't trip over some corruption check, and then the file system was modified via tune2fs or debugfs, such that the superblock was marked dirty and then written out via the closefs() path, it's possible that the buffer overrun could be triggered when the file system is closed. 
"""

[1]: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73
Comment 1 Vasyl Kaigorodov 2015-02-18 15:37:39 UTC 
Created e2fsprogs tracking bugs for this issue:

Affects: fedora-all [bug 1193947]
Comment 2 Tomas Hoger 2015-02-19 07:56:32 UTC 
(In reply to Vasyl Kaigorodov from comment #0)
> The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
> s_first_meta_bg is too big" had a typo in the fix for ext2fs_closefs().

That commit is the fix for CVE-2015-0247 (see bug 1187032), so CVE-2015-1572 really is an incomplete / incorrect CVE-2015-0247 fix id.  The original issue has not yet been fixed in Red Hat Enterprise Linux.  Fixes for it are available in Fedora.

Compared to the original issue, this flaw requires few additional conditions that must be met to be exploited - see upstream commit comment (quoted in comment 0 above) for details.

There is no new upstream release yet.  Version 1.42.13 is probably going to be next, which should include the fix for this issue.
Comment 3 Fedora Update System 2015-03-04 10:23:05 UTC 
e2fsprogs-1.42.12-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-03-04 10:34:31 UTC 
e2fsprogs-1.42.12-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Vincent Danen 2016-06-10 20:56:09 UTC 
Statement:

This issue affects e2fsprogs packages as shipped with Red Hat Enterprise Linux 6 and 7. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects e4fsprogs packages as shipped with Red Hat Enterprise Linux 5. The issue is not planned to be addressed in Red Hat Enterprise Linux 5.

This issue did not affect e2fsprogs packages as shipped with Red Hat Enterprise Linux 5.
Note You need to log in before you can comment on or make changes to this bug.