Rafal Wojtczuk of McAfee AVERT Research discovered multiple integer overflows in e2fsprogs. These flaws could result in the execution of arbitrary code if a program using libext2fs (e2fsck, dumpe2fs, pygrub) is used to process a malicious filesystem. Under normal conditions this practice is not common. The most plausible attack would be to leverage this flaw in a virtualized environment to gain access to dom0.

Acknowledgements: Red Hat would like to thank Rafal Wojtczuk of McAfee Avert Research for responsibly disclosing these issues.
Created attachment 271731: Proposed upstream patch
This is public now:
https://bugs.launchpad.net/ubuntu/+source/e2fsprogs/+bug/174174
http://www.novell.com/linux/security/advisories/2007_25_sr.html
Created attachment 280781: Final upstream patch
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0003.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4461
https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4447