Debian Security Advisory
DSA-3166-1 e2fsprogs -- security update
- Date Reported:
- 22 Feb 2015
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 778948.
In Mitre's CVE dictionary: CVE-2015-0247, CVE-2015-1572.
- More information:
Jose Duart of the Google Security Team discovered a buffer overflow in e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file systems. This issue can possibly lead to arbitrary code execution if a malicious device is plugged in, the system is configured to automatically mount it, and the mounting process chooses to run fsck on the device's malicious filesystem.
Buffer overflow in the ext2/ext3/ext4 file system open/close routines.
Incomplete fix for CVE-2015-0247.
For the stable distribution (wheezy), these problems have been fixed in version 1.42.5-1.1+deb7u1.
For the upcoming stable (jessie) and unstable (sid) distributions, these problems will be fixed soon.
We recommend that you upgrade your e2fsprogs packages.