[security-announce] e2fsprogs 1.42.9: Security update

Sona Sarmadi sona.sarmadi at enea.com
Thu Jul 30 14:30:41 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory
	
=========================================================
Product/package: e2fsprogs 1.42.9
Severity: Moderate
CVE Name: CVE-2015-0247 ext2fs_open2() missing first_meta_bg
boundary check leading to heap buffer overflow
=========================================================
This security patch fixes a heap-based buffer overflow in openfs.c

Signed patch and README files
================================
0022-e2fsprogs-CVE-2015-0247.patch
0022-e2fsprogs-CVE-2015-0247.patch.sig
0022-e2fsprogs-CVE-2015-0247.READMAE.asc

Description
===========
Heap-based buffer overflow in openfs.c in the libext2fs library
in e2fsprogs before 1.42.12 allows local users to execute arbitrary
code via crafted block group descriptor data in a filesystem image.

Reference
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky

<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/patches/0022-e2fsprogs-CVE-2015-0247.patch
wget https://linux.enea.com/5.0-beta-m400/patches/0022-e2fsprogs-CVE-2015-0247.patch.sig
gpg --verify 0022-e2fsprogs-CVE-2015-0247.patch.sig
patch -p1 < ./0022-e2fsprogs-CVE-2015-0247.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
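
The class of bug named in the CVE title (a missing boundary check on first_meta_bg), shown as a reduced model. This is an added example, not code from e2fsprogs or from the Enea patch. The struct, the function names and the block size are hypothetical, and the model assumes the descriptor buffer is sized from desc_blocks while the number of blocks read comes from the on-disk first_meta_bg field.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 1024u /* constructed block size for this model */

/* Hypothetical reduced superblock; not the libext2fs structure. */
struct model_super {
    uint32_t desc_blocks;   /* descriptor blocks the buffer is sized for */
    uint32_t first_meta_bg; /* taken from the image, so untrusted */
};

/* Bytes a read driven directly by first_meta_bg would write (the flaw). */
static uint64_t unchecked_read_len(const struct model_super *sb)
{
    return (uint64_t)sb->first_meta_bg * BLOCK_SIZE;
}

/* The boundary check: never read more blocks than the buffer holds. */
static uint32_t bounded_first_meta_bg(const struct model_super *sb)
{
    return sb->first_meta_bg > sb->desc_blocks ? sb->desc_blocks : sb->first_meta_bg;
}

/* Copy the contiguous descriptor blocks from `image`; NULL on bad input. */
static uint8_t *load_descriptors(const struct model_super *sb, const uint8_t *image,
                                 size_t image_len, size_t *written)
{
    size_t buf_len = (size_t)sb->desc_blocks * BLOCK_SIZE;
    size_t read_len = (size_t)bounded_first_meta_bg(sb) * BLOCK_SIZE;
    if (buf_len == 0 || read_len > image_len)
        return NULL; /* empty table or truncated image */
    uint8_t *buf = calloc(1, buf_len);
    if (buf == NULL)
        return NULL;
    memcpy(buf, image, read_len); /* read_len <= buf_len after the clamp */
    *written = read_len;
    return buf;
}

int main(void)
{
    static uint8_t image[4 * BLOCK_SIZE];       /* constructed sample image */
    struct model_super sb = { 2, 0xFFFFFFFFu }; /* oversized on-disk field */
    size_t written = 0;
    uint8_t *buf = load_descriptors(&sb, image, sizeof image, &written);
    free(buf);
    return written == 2 * BLOCK_SIZE ? 0 : 1;   /* clamped to the buffer */
}
```
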


