Debian Security Advisory

DSA-3166-1 e2fsprogs -- security update

Date Reported:
22 Feb 2015
Affected Packages:
e2fsprogs
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 778948.
In Mitre's CVE dictionary: CVE-2015-0247, CVE-2015-1572.
More information:

Jose Duart of the Google Security Team discovered a buffer overflow in e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file systems. This issue can possibly lead to arbitrary code execution if a malicious device is plugged in, the system is configured to automatically mount it, and the mounting process chooses to run fsck on the device's malicious filesystem.

For the stable distribution (wheezy), these problems have been fixed in version 1.42.5-1.1+deb7u1.

For the upcoming stable (jessie) and unstable (sid) distributions, these problems will be fixed soon.

We recommend that you upgrade your e2fsprogs packages.