Bug 1768555 (CVE-2019-5094) - CVE-2019-5094 e2fsprogs: Crafted ext4 partition leads to out-of-bounds write
Summary: CVE-2019-5094 e2fsprogs: Crafted ext4 partition leads to out-of-bounds write
Status: CLOSED ERRATA
Alias: CVE-2019-5094
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1768556 1768709 1768710 1783777 1792192
Blocks: 1768557
Reported: 2019-11-04 17:32 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 21:06 UTC

Fixed In Version: e2fsprogs 1.45.4
Last Closed: 2020-04-28 16:34:30 UTC

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:1913  0        None      None    None     2020-04-28 16:08:26 UTC
Red Hat Product Errata  RHSA-2020:4011  0        None      None    None     2020-09-29 20:34:11 UTC

Description Guilherme de Almeida Suckevicz 2019-11-04 17:32:12 UTC
An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Reference:
https://seclists.org/bugtraq/2019/Sep/58
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887

Comment 1 Guilherme de Almeida Suckevicz 2019-11-04 17:32:29 UTC
Created e2fsprogs tracking bugs for this issue:

Affects: fedora-all [bug 1768556]

Comment 2 Eric Sandeen 2019-11-04 18:01:52 UTC
This is fixed by:

commit 8dbe7b475ec5e91ed767239f0e85880f416fc384
Author: Theodore Ts'o <tytso>
Date:   Sun Sep 1 00:59:16 2019 -0400

    libsupport: add checks to prevent buffer overrun bugs in quota code
    
    A maliciously corrupted file system can trigger buffer overruns in
    the quota code used by e2fsck.  To fix this, add sanity checks to the
    quota header fields as well as to block number references in the quota
    tree.
    
    Addresses: CVE-2019-5094
    Addresses: TALOS-2019-0887
    Signed-off-by: Theodore Ts'o <tytso>
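
The kind of check the commit message above describes, as an added illustration that is not part of this bug report and is not the e2fsprogs patch. It uses a simplified, hypothetical quota-tree model (the layout, `REFS`, `DEPTH`, `MAXBLK`, `walk` and `check_quota_tree` are assumptions) in which the header's block count and every block reference are validated before a reference is used to index a bitmap:

```c
#include <stdint.h>
#include <stdio.h>

#define REFS   4   /* references per block (constructed; tiny for the demo) */
#define DEPTH  2   /* tree levels below the root block */
#define MAXBLK 64  /* capacity of the visited bitmap, in blocks */

/* Constructed sample images: block 0 = header, block 1 = tree root. */
static const uint32_t GOOD[4][REFS] = { {0}, {2}, {3}, {0} };
static const uint32_t BAD[4][REFS]  = { {0}, {2}, {0x00100000u}, {0} };

/* Returns the number of leaf blocks reached, or -1 on a corrupt reference. */
static int walk(const uint32_t (*blk)[REFS], uint32_t nblocks,
                uint32_t b, int depth, uint8_t *seen)
{
    int total = 0;
    for (int i = 0; i < REFS; i++) {
        uint32_t ref = blk[b][i];
        if (ref == 0)
            continue;                 /* 0 means "no child" */
        if (ref >= nblocks)
            return -1;                /* points outside the file: reject */
        if (seen[ref / 8] & (1u << (ref % 8)))
            return -1;                /* block referenced twice: reject */
        seen[ref / 8] |= (uint8_t)(1u << (ref % 8)); /* safe: ref < nblocks <= MAXBLK */
        int n = (depth == DEPTH - 1) ? 1 : walk(blk, nblocks, ref, depth + 1, seen);
        if (n < 0)
            return -1;
        total += n;
    }
    return total;
}

/* claimed: block count from the on-disk header; actual: blocks really present. */
int check_quota_tree(const uint32_t (*blk)[REFS], uint32_t claimed, uint32_t actual)
{
    uint8_t seen[MAXBLK / 8] = {0};
    if (claimed < 2 || claimed > actual || claimed > MAXBLK)
        return -1;                    /* header field fails its sanity check */
    seen[0] = 1u << 1;                /* mark the root block as visited */
    return walk(blk, claimed, 1, 0, seen);
}

int main(void)
{
    printf("good=%d bad=%d lying-header=%d\n", check_quota_tree(GOOD, 4, 4),
           check_quota_tree(BAD, 4, 4), check_quota_tree(GOOD, 1000, 4));
    return 0;
}
```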

Comment 4 Huzaifa S. Sidhpurwala 2019-11-05 04:09:29 UTC
Analysis notes:

This flaw is triggered by a malformed/specially-crafted ext2/3/4 partition. You need to run the e2fsck utility on the said partition in order to trigger the flaw. Since the e2fsck cannot only be run as a privileged user, the attacker will need to social engineer/convince the system administrator to run this utility on the corrupted partition. Also, the corrupted partition will first need to exist on the system either via a locally attached hard drive or a network device.

Based on the above, it seems like exploiting this flaw will need some previous privileged access on the system by the attacker.

Comment 8 Huzaifa S. Sidhpurwala 2019-11-05 04:20:07 UTC
External References:

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887

Comment 9 errata-xmlrpc 2020-04-28 16:08:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1913 https://access.redhat.com/errata/RHSA-2020:1913

Comment 10 Product Security DevOps Team 2020-04-28 16:34:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-5094

Comment 11 errata-xmlrpc 2020-09-29 20:34:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4011 https://access.redhat.com/errata/RHSA-2020:4011

