Security Information / 2015 / Security Information -- DSA-3166-1 e2fsprogs

Debian Security Advisory

DSA-3166-1 e2fsprogs -- security update

Date Reported:

22 Feb 2015

Affected Packages:

e2fsprogs

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 778948.
In Mitre's CVE dictionary: CVE-2015-0247, CVE-2015-1572.

More information:

Jose Duart of the Google Security Team discovered a buffer overflow in e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file systems. This issue can possibly lead to arbitrary code execution if a malicious device is plugged in, the system is configured to automatically mount it, and the mounting process chooses to run fsck on the device's malicious filesystem.

• CVE-2015-0247

  Buffer overflow in the ext2/ext3/ext4 file system open/close routines.

• CVE-2015-1572

  Incomplete fix for CVE-2015-0247.

For the stable distribution (wheezy), these problems have been fixed in version 1.42.5-1.1+deb7u1.

For the upcoming stable (jessie) and unstable (sid) distributions, these problems will be fixed soon.

We recommend that you upgrade your e2fsprogs packages.