A heap buffer overflow was found in e2fsprogs lib/ext2fs/openfs.c.
It allows a trivial arbitrary memory write under certain conditions.
Given that fsck is affected, and that an ext2/3/4 image can force a filesystem check on mount, this will allow code execution on systems that have automount enabled by just plugging a device.
Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter.
(In reply to Vasyl Kaigorodov from comment #0)
> A heap buffer overflow was found in e2fsprogs lib/ext2fs/openfs.c.
The report actually mentions "a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...)", only giving some example. According to the reporter, these are fixed upstream in 1.42.12 and upstream is not planning to provide any patches for older versions. So the info that was provided so far is "upgrade to 1.42.12 to fix unspecified number of issues".
Also oCERT id oCERT-015-001 is incorrect, as it was already used for a different advisory.
The issue identified in the report is in ext2fs_open2(). fs->group_desc buffer is allocated to have space for fs->desc_blocks items:
If the EXT2_FEATURE_INCOMPAT_META_BG flag is set, first_meta_bg for the file system is used and not checked against fs->desc_blocks:
This reportedly leads to an overflow in the subsequent io_channel_read_blk() call.
It seems this issue was fixed upstream in:
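To illustrate the bound described in the comment above, here is an added C model (not code from e2fsprogs or from the bug report) of the META_BG descriptor read: group_desc is sized for desc_blocks blocks, the unchecked path trusts s_first_meta_bg from the image, and the hardened path clamps it to desc_blocks. The struct, the simulation and the exact form of the clamp are assumptions made for this example; the flag value is the one from ext2_fs.h.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define EXT2_FEATURE_INCOMPAT_META_BG 0x0010   /* flag value from ext2_fs.h */

/* Constructed stand-in for the superblock fields the check depends on. */
struct model_sb {
    uint32_t feature_incompat;
    uint32_t first_meta_bg;   /* s_first_meta_bg, read straight from the image */
};

/* Blocks the META_BG path copies into group_desc in its first read.
 * Unchecked: trusts s_first_meta_bg even when it exceeds desc_blocks. */
static uint32_t meta_bg_blocks_unchecked(const struct model_sb *sb, uint32_t desc_blocks)
{
    if (!(sb->feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG))
        return desc_blocks;            /* classic layout: bounded by allocation */
    return sb->first_meta_bg;
}

/* Hardened: clamp to the allocated size (assumed shape of the 1.42.12 fix). */
static uint32_t meta_bg_blocks_checked(const struct model_sb *sb, uint32_t desc_blocks)
{
    uint32_t n = meta_bg_blocks_unchecked(sb, desc_blocks);
    return n > desc_blocks ? desc_blocks : n;
}

/* Simulates filling group_desc (desc_blocks * blocksize bytes) block by block.
 * Instead of overflowing, it returns -1 as soon as a write would land past the
 * buffer end; returns 0 when every write stayed in bounds. */
static int simulate_group_desc_read(const struct model_sb *sb, uint32_t desc_blocks,
                                    size_t blocksize, int hardened)
{
    uint32_t nblocks = hardened ? meta_bg_blocks_checked(sb, desc_blocks)
                                : meta_bg_blocks_unchecked(sb, desc_blocks);
    size_t bufsize = (size_t)desc_blocks * blocksize;
    uint8_t *group_desc = calloc(1, bufsize);
    int rc = 0;
    if (!group_desc)
        return -1;
    for (uint32_t i = 0; i < nblocks; i++) {
        size_t off = (size_t)i * blocksize;
        if (off + blocksize > bufsize) { rc = -1; break; } /* would be out of bounds */
        memset(group_desc + off, 0xEE, blocksize);          /* stand-in for the block read */
    }
    free(group_desc);
    return rc;
}
```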
Reporter clarified there is only one issue mentioned in comment 2, that can be triggered using various e2fsprogs tools.
Public now via oCERT-2015-002 advisory.
Created e2fsprogs tracking bugs for this issue:
Affects: fedora-all [bug 1189834]
e2fsprogs-1.42.12-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
e2fsprogs-1.42.12-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue affects e2fsprogs packages as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue.
This issue affects e4fsprogs packages as shipped with Red Hat Enterprise Linux 5. The issue is not planned to be addressed in Red Hat Enterprise Linux 5.
This issue did not affect e2fsprogs packages as shipped with Red Hat Enterprise Linux 5.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):