[security-announce] e2fsprogs 1.42.9: Security update

Sona Sarmadi sona.sarmadi at enea.com
Thu Mar 12 10:14:40 CET 2015



		Enea Linux Security Advisory

=========================================================
Product/package: e2fsprogs 1.42.9
Severity: Moderate
CVE Name: CVE-2015-0247 ext2fs_open2() missing first_meta_bg
boundary check leading to heap buffer overflow
=========================================================
A security patch that fixes a heap-based buffer overflow in openfs.c
is now available at http://linux.enea.com/4.0/patches:

README file: 0055-e2fsprogs-CVE-2015-0247.README
Patch file: 0055-e2fsprogs-CVE-2015-0247.patch

Description
===========
Heap-based buffer overflow in openfs.c in the libext2fs library
in e2fsprogs before 1.42.12 allows local users to execute arbitrary
code via crafted block group descriptor data in a filesystem image.
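
Added example (not part of the Enea advisory or of the e2fsprogs patch): a C check that reads the superblock fields of a filesystem image and flags an s_first_meta_bg value larger than the number of group descriptor blocks the geometry allows. The field offsets follow the standard ext2/ext4 superblock layout; using the descriptor-block count as the bound, the verdict names, and the functions check_first_meta_bg and sample_verdict are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define EXT2_MAGIC       0xEF53u
#define INCOMPAT_META_BG 0x0010u
#define INCOMPAT_64BIT   0x0080u

enum sb_verdict { SB_OK, SB_NOT_EXT, SB_BAD_GEOMETRY, SB_FIRST_META_BG_OOB };

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* sb: the 1024-byte superblock, read from byte offset 1024 of the image. */
enum sb_verdict check_first_meta_bg(const uint8_t *sb) {
    if (le16(sb + 0x38) != EXT2_MAGIC) return SB_NOT_EXT;      /* s_magic */
    uint32_t incompat = le32(sb + 0x60);                       /* s_feature_incompat */
    uint32_t log_bs = le32(sb + 0x18), bpg = le32(sb + 0x20);  /* block size log, blocks per group */
    uint32_t first_data = le32(sb + 0x14);                     /* s_first_data_block */
    uint64_t blocks = le32(sb + 0x04);                         /* s_blocks_count (low 32 bits) */
    uint32_t desc_size = 32;                                   /* classic descriptor size */
    if (incompat & INCOMPAT_64BIT) {
        blocks |= (uint64_t)le32(sb + 0x150) << 32;            /* s_blocks_count_hi */
        desc_size = le16(sb + 0xFE);                           /* s_desc_size */
    }
    if (log_bs > 6 || bpg == 0 || blocks <= first_data) return SB_BAD_GEOMETRY;
    uint64_t per_block = desc_size ? (1024u << log_bs) / desc_size : 0;
    if (per_block == 0) return SB_BAD_GEOMETRY;
    uint64_t groups = (blocks - first_data + bpg - 1) / bpg;
    uint64_t desc_blocks = (groups + per_block - 1) / per_block;
    /* Assumed bound: s_first_meta_bg must not exceed the descriptor block count. */
    if ((incompat & INCOMPAT_META_BG) && le32(sb + 0x104) > desc_blocks)
        return SB_FIRST_META_BG_OOB;
    return SB_OK;
}

/* Constructed sample: 8192 blocks of 1 KiB, one group, META_BG enabled. */
enum sb_verdict sample_verdict(uint32_t first_meta_bg) {
    uint8_t sb[1024] = {0};
    put32(sb + 0x04, 8192); put32(sb + 0x14, 1); put32(sb + 0x20, 8192);
    sb[0x38] = 0x53; sb[0x39] = 0xEF;
    put32(sb + 0x60, INCOMPAT_META_BG); put32(sb + 0x104, first_meta_bg);
    return check_first_meta_bg(sb);
}

int main(void) {
    printf("first_meta_bg=1 -> %d, first_meta_bg=2 -> %d\n", sample_verdict(1), sample_verdict(2));
    return 0;
}
```

A check like this can be run over untrusted images before they are handed to tools linked against an unpatched libext2fs.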

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247
http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4
http://www.ocert.org/advisories/ocert-2015-002.html

How to apply the patches
=======================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order:

wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

- Fetch and apply the new patch
wget http://linux.enea.com/4.0/patches/0055-e2fsprogs-CVE-2015-0247.patch
patch -p1 < ./0055-e2fsprogs-CVE-2015-0247.patch

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

This message, including attachments, is CONFIDENTIAL. It may also be
privileged or otherwise protected by law. If you received this email
by mistake please let us know by reply and then delete it from your
system; you should not copy it or disclose its contents to anyone.