Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#44015 - [e2fsprogs] CVE-2015-1572: buffer overflow in closefs()

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Monday, 02 March 2015, 12:50 GMT
Last edited by Ronald van Haren (pressh) - Monday, 02 March 2015, 15:20 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Ronald van Haren (pressh)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

A heap buffer overflow has been fixed in libext2fs, which allows arbitrary code execution when closing a carefully crafted filesystem. I think it would be wise to backport the fix [1], since it doesn't look like a new release will occur soon.

[1]: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73
This task depends upon

Closed by  Ronald van Haren (pressh)
Monday, 02 March 2015, 15:20 GMT
Reason for closing:  Implemented
Additional comments about closing:  e2fsprogs 1.42.12-2 in [testing]
Comment by Christian Hesse (eworm) - Monday, 02 March 2015, 13:05 GMT
No need to backport, this applies cleanly to v1.42.12. Patch against PKGBUILD attached.
Comment by Levente Polyak (anthraxx) - Monday, 02 March 2015, 13:42 GMT
I don't want to sound like a smart-ass, but small nitpicking: the pkgrel should maybe increased to 2 :)
Comment by Christian Hesse (eworm) - Monday, 02 March 2015, 13:59 GMT
Ah, sure. ;) But I do not have write access to svn, so Ronald should take care of that.
Comment by Ronald van Haren (pressh) - Monday, 02 March 2015, 15:19 GMT
Thanks

Loading...