An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
Created e2fsprogs tracking bugs for this issue:
Affects: fedora-all [bug 1768556]
This is fixed by:
Author: Theodore Ts'o <email@example.com>
Date: Sun Sep 1 00:59:16 2019 -0400
libsupport: add checks to prevent buffer overrun bugs in quota code
A maliciously corrupted file system can trigger buffer overruns in
the quota code used by e2fsck. To fix this, add sanity checks to the
quota header fields as well as to block number references in the quota
Signed-off-by: Theodore Ts'o <firstname.lastname@example.org>
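The commit message above only sketches the fix. What follows is an added illustration written for this page, not e2fsprogs code: a simplified radix-tree quota reader in the spirit of the v2 quota format e2fsck reads. Block size, fan-out, depth, field names, error codes and the image-building helper are all this example's assumptions, not the real on-disk layout. It validates the header fields and every block reference before using them as an index into the heap buffer, and it is exercised with a constructed image whose single out-of-range child reference would, in an unchecked reader, compute an offset far past the end of the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified quota-tree model (assumed layout, not the real v2 qtree format). */
#define QT_BLKSIZE 64      /* bytes per block; small so the test image stays tiny */
#define QT_FANOUT  4       /* child block references per tree node */
#define QT_DEPTH   2       /* tree-node levels above the leaf blocks */

struct qt_header {         /* stored in block 0 */
    uint32_t blocks;       /* total blocks in the file, header included */
    uint32_t root_blk;     /* block number of the root tree node */
};

struct qt_file {           /* the whole quota file as read into the heap */
    const uint8_t *data;
    size_t len;
};

enum { QT_OK = 0, QT_BAD_HEADER = -1, QT_BAD_BLOCKREF = -2 };

/* Parse the header and refuse to trust it unless it matches the data we hold. */
static int qt_read_header(const struct qt_file *f, struct qt_header *h)
{
    if (f->len < sizeof(*h))
        return QT_BAD_HEADER;
    memcpy(h, f->data, sizeof(*h));
    /* need at least a header block plus a root node, covering exactly f->len */
    if (h->blocks < 2 || (size_t)h->blocks * QT_BLKSIZE != f->len)
        return QT_BAD_HEADER;
    if (h->root_blk == 0 || h->root_blk >= h->blocks) /* block 0 is the header */
        return QT_BAD_HEADER;
    return QT_OK;
}

/* Turn a block number into a buffer offset, rejecting references outside the
 * file. Computing blk * QT_BLKSIZE without this check is exactly how a crafted
 * block number (e.g. 0xFFFFFFFF) becomes an index far outside the heap buffer. */
static int qt_block_off(const struct qt_header *h, const struct qt_file *f,
                        uint32_t blk, size_t *off)
{
    if (blk == 0 || blk >= h->blocks)
        return QT_BAD_BLOCKREF;
    *off = (size_t)blk * QT_BLKSIZE;
    if (*off + QT_BLKSIZE > f->len)   /* redundant after the header check, kept on purpose */
        return QT_BAD_BLOCKREF;
    return QT_OK;
}

/* Walk the tree from blk, counting leaf blocks; any bad reference aborts.
 * Depth is fixed, so a node pointing back at an ancestor cannot loop forever. */
static int qt_walk(const struct qt_header *h, const struct qt_file *f,
                   uint32_t blk, int level, int *leaves)
{
    size_t off;
    int rc = qt_block_off(h, f, blk, &off);
    if (rc != QT_OK)
        return rc;
    if (level == QT_DEPTH) {          /* leaf block: quota records, no references */
        (*leaves)++;
        return QT_OK;
    }
    for (int i = 0; i < QT_FANOUT; i++) {
        uint32_t child;
        memcpy(&child, f->data + off + i * sizeof child, sizeof child);
        if (child == 0)               /* empty slot in this model */
            continue;
        rc = qt_walk(h, f, child, level + 1, leaves);
        if (rc != QT_OK)
            return rc;
    }
    return QT_OK;
}

/* Validate header, then walk from the root. Returns the leaf count or a QT_* error. */
int qt_check(const uint8_t *data, size_t len)
{
    struct qt_file f = { data, len };
    struct qt_header h;
    int leaves = 0, rc = qt_read_header(&f, &h);
    if (rc != QT_OK)
        return rc;
    rc = qt_walk(&h, &f, h.root_blk, 0, &leaves);
    return rc != QT_OK ? rc : leaves;
}

/* Constructed 4-block image (not a real quota file):
 * block 0 header, block 1 root node -> block 2 node -> block 3 leaf.
 * crafted_ref fills the node's second slot: 0 for a clean image, or an
 * attacker-chosen block number to simulate a corrupted partition. */
#define QT_IMG_BLOCKS 4
#define QT_IMG_LEN    (QT_IMG_BLOCKS * QT_BLKSIZE)

static void put_u32(uint8_t *img, size_t off, uint32_t v) { memcpy(img + off, &v, 4); }

void qt_build_image(uint8_t img[QT_IMG_LEN], uint32_t crafted_ref)
{
    memset(img, 0, QT_IMG_LEN);
    put_u32(img, 0, QT_IMG_BLOCKS);                /* header.blocks   */
    put_u32(img, 4, 1);                            /* header.root_blk */
    put_u32(img, 1 * QT_BLKSIZE, 2);               /* root slot 0 -> node at block 2 */
    put_u32(img, 2 * QT_BLKSIZE, 3);               /* node slot 0 -> leaf at block 3 */
    put_u32(img, 2 * QT_BLKSIZE + 4, crafted_ref); /* node slot 1 -> crafted */
}

int main(void)
{
    uint8_t img[QT_IMG_LEN];
    qt_build_image(img, 0);
    printf("clean image: %d\n", qt_check(img, QT_IMG_LEN));             /* 1 leaf */
    qt_build_image(img, 0xFFFFFFFFu);
    printf("crafted reference: %d\n", qt_check(img, QT_IMG_LEN));       /* QT_BAD_BLOCKREF */
    return 0;
}
```

The point of the checks is the order of operations: nothing read from the image is used as an array index until the header has been shown to agree with the bytes actually in memory and each block number has been shown to fall inside that range. The same discipline applies to any on-disk structure a repair tool parses, since e2fsck by design runs on file systems it cannot assume to be honest.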
This flaw is triggered by a malformed/specially-crafted ext2/3/4 partition. You need to run the e2fsck utility on that partition in order to trigger the flaw. Since e2fsck can only be run as a privileged user, the attacker will need to social engineer/convince the system administrator to run this utility on the corrupted partition. Also, the corrupted partition will first need to exist on the system, either via a locally attached hard drive or a network device.
Based on the above, it seems like exploiting this flaw will need some previous privileged access on the system by the attacker.
Upstream commit: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dbe7b475ec5e91ed767239f0e85880f416fc384