An out-of-bounds read/write vulnerability was found in e2fsprogs which can lead to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem. The issue occurs in ext2fs_extent_delete() in lib/ext2fs/extent.c when path->left is equal to -1, resulting in a call to memmove() with invalid arguments.
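The memmove() hazard the description points at, as an added illustration that is not e2fsprogs code: a constructed extent-node stand-in (struct names, MAX_ENTRIES and the path layout are assumptions) with the unchecked delete pattern beside a version that refuses a negative `left` before any memory is moved.

```c
#include <errno.h>
#include <string.h>
#define MAX_ENTRIES 8

struct entry { unsigned int lo, mid, hi; }; /* constructed 12-byte leaf entry */

/* Constructed stand-in for the walker state: curr indexes the entry being
 * deleted, left counts the entries after it, entries is the node's total. */
struct path {
    struct entry node[MAX_ENTRIES];
    int entries, curr, left;
};

/* Unchecked pattern (not called here): if a corrupted tree leaves left == -1,
 * left * sizeof(struct entry) converts to a huge size_t and memmove() reads
 * and writes far past the node, the fault the report describes. */
int delete_unchecked(struct path *p)
{
    struct entry *cp = &p->node[p->curr];
    if (p->left) {
        memmove(cp, cp + 1, p->left * sizeof(struct entry));
        p->left--;
    }
    return --p->entries;        /* remaining entries */
}

/* Hardened pattern: validate the bookkeeping before touching memory. */
int delete_checked(struct path *p)
{
    if (p->left < 0 || p->curr < 0 || p->entries <= 0 ||
        p->entries > MAX_ENTRIES || p->curr + p->left + 1 != p->entries)
        return -EINVAL;         /* inconsistent node: refuse to memmove */
    struct entry *cp = &p->node[p->curr];
    if (p->left) {
        memmove(cp, cp + 1, (size_t)p->left * sizeof(struct entry));
        p->left--;
    }
    return --p->entries;        /* remaining entries */
}

/* Returns 1 when a valid delete shifts the following entries down and the
 * left == -1 state that crashes the unchecked version is rejected. */
int demo(void)
{
    struct path ok  = { { {1,1,1}, {2,2,2}, {3,3,3} }, 3, 0, 2 };
    struct path bad = { { {9,9,9} }, 1, 0, -1 };
    return delete_checked(&ok) == 2 && ok.node[0].lo == 2 &&
           ok.node[1].lo == 3 && ok.left == 1 &&
           delete_checked(&bad) == -EINVAL;
}
```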
Created e2fsprogs tracking bugs for this issue:
Affects: fedora-all [bug 2069727]
(In reply to Borja Tarraso from comment #0)
> A vulnerability was found in e2fsck. During the processing of the attached
> disk image via e2fsck -p -f /testcase an out-of-bounds write is triggered
> and causes a segmentation fault (SIGSEGV).
Thanks for the report; however, there are a couple of things missing. I don't see a Fedora version for which this bug is supposed to be and I don't see the version of e2fsprogs which this problem applies to. Also there is no disk image attached. Please provide the missing information and the mentioned disk image.
> This bug allows an attacker to perform a denial of service and possibly
> opens up other attack vectors.
How does it allow performing a DoS? What other attack vectors does it open?
In reply to comment #2:
> Thanks for the report; however, there are a couple of things missing. I don't
> see a Fedora version for which this bug is supposed to be and I don't see
> the version of e2fsprogs which this problem applies to. Also there is no
> disk image attached. Please provide the missing information and the
> mentioned disk image.
You can find the original bug report with more information here: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
> How does it allow performing a DoS? What other attack vectors does it open?
We are still investigating this issue and that's not clear yet.
Indeed this is a bug and should be fixed. But as always when fuzzer images pop up, I don't consider it a security issue, as it requires physical access and an elaborate, non-standard and not very smart setup to automatically run fsck on an inserted USB.
Marking services-* and OSD affected/low/delegated for presence of affected code.
A couple of items of note:
 Exploitation is highly unlikely.
 "Unfortunately, we were not able to reproduce the issue on RHEL UBI since it appears that `e2fsprogs` is not part of the standard repository."
Yet another argument for Red Hat to stop using non-UBI images in our managed services…
In reply to comment #5:
> Indeed this is a bug and should be fixed. But as always when fuzzer images
> pop up, I don't consider it a security issue, as it requires physical
> access and an elaborate, non-standard and not very smart setup to
> automatically run fsck on an inserted USB.
Hi Lukas, thank you for your input on this.
Although that is an attack scenario, it is not the only one. An attacker can corrupt a filesystem, or prepare, distribute and force a user to run e2fsck on a crafted filesystem image.
Given the conditions to trigger this vulnerability, it has at most a moderate severity.