Debian Security Advisory
DSA-3166-1 e2fsprogs -- security update
- Date Reported:
- 22 Feb 2015
- Affected Packages:
- e2fsprogs
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 778948.
In Mitre's CVE dictionary: CVE-2015-0247, CVE-2015-1572. - More information:
-
Jose Duart of the Google Security Team discovered a buffer overflow in e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file systems. This issue can possibly lead to arbitrary code execution if a malicious device is plugged in, the system is configured to automatically mount it, and the mounting process chooses to run fsck on the device's malicious filesystem.
- CVE-2015-0247
Buffer overflow in the ext2/ext3/ext4 file system open/close routines.
- CVE-2015-1572
Incomplete fix for CVE-2015-0247.
For the stable distribution (wheezy), these problems have been fixed in version 1.42.5-1.1+deb7u1.
For the upcoming stable (jessie) and unstable (sid) distributions, these problems will be fixed soon.
We recommend that you upgrade your e2fsprogs packages.
- CVE-2015-0247