FS#44015 - [e2fsprogs] CVE-2015-1572: buffer overflow in closefs()
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Monday, 02 March 2015, 12:50 GMT
Last edited by Ronald van Haren (pressh) - Monday, 02 March 2015, 15:20 GMT
Details
A heap buffer overflow has been fixed in libext2fs, which allows arbitrary code execution when closing a carefully crafted filesystem. I think it would be wise to backport the fix [1], since it doesn't look like a new release will occur soon.

[1]: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73
Closed by Ronald van Haren (pressh)
Monday, 02 March 2015, 15:20 GMT
Reason for closing: Implemented
Additional comments about closing: e2fsprogs 1.42.12-2 in [testing]
Comment by Christian Hesse (eworm) - Monday, 02 March 2015, 13:05 GMT
No need to backport, this applies cleanly to v1.42.12. Patch against PKGBUILD attached.

Comment by Levente Polyak (anthraxx) - Monday, 02 March 2015, 13:42 GMT
I don't want to sound like a smart-ass, but small nitpicking: the pkgrel should maybe be increased to 2 :)

Comment by Christian Hesse (eworm) - Monday, 02 March 2015, 13:59 GMT
Ah, sure. ;) But I do not have write access to svn, so Ronald should take care of that.

Comment by Ronald van Haren (pressh) - Monday, 02 March 2015, 15:19 GMT
Thanks