[arch-security] [ASA-201503-8] e2fsprogs: arbitrary code execution

Levente Polyak anthraxx at archlinux.org
Thu Mar 12 14:09:55 UTC 2015


Arch Linux Security Advisory ASA-201503-8
=========================================

Severity: Medium
Date    : 2015-03-12
CVE-ID  : CVE-2015-1572
Package : e2fsprogs
Type    : arbitrary code execution
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package e2fsprogs before version 1.42.12-2 is vulnerable to a heap
buffer overflow leading to arbitrary code execution.

Resolution
==========

Upgrade to 1.42.12-2.

# pacman -Syu "e2fsprogs>=1.42.12-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

If a corrupted file system didn't trip over some corruption check, and
then the file system was modified via tune2fs or debugfs, such that the
superblock was marked dirty and then written out via the closefs() path,
it's possible that the buffer overrun could be triggered when the file
system is closed.
This issue can lead to arbitrary code execution if a malicious device is
plugged in and the mounting process chooses to run fsck (or another
application using the ext2fs library) on the device's malicious filesystem.


Impact
======

A local attacker is able to execute arbitrary code by plugging in a
malicious device and causing a crafted block group descriptor to be
marked as dirty and then accessed by an application that uses the
ext2fs library, such as fsck.

References
==========

https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1572
https://bugs.archlinux.org/task/44015
