| Summary: | e2fsprogs new security issue CVE-2019-5094 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | e2fsprogs-1.45.2-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2019-10-14 17:14:11 CEST
Updated package uploaded by David Geiger. Advisory: ======================== Updated e2fsprogs packages fix security vulnerability: Lilith of Cisco Talos discovered a buffer overflow flaw in the quota code used by e2fsck from the ext2/ext3/ext4 file system utilities. Running e2fsck on a malformed file system can result in the execution of arbitrary code (CVE-2019-5094). The e2fsprogs package has been updated to version 1.45.4, fixing this issue and other bugs. See the upstream release notes for details. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094 http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.4 https://www.debian.org/security/2019/dsa-4535 ======================== Updated packages in core/updates_testing: ======================== e2fsprogs-1.45.4-1.mga7 libext2fs2-1.45.4-1.mga7 lib4ext2fs-devel-1.45.4-1.mga7 from e2fsprogs-1.45.4-1.mga7.src.rpm CC:
(none) =>
geiger.david68210 MGA7-64 Plasma on Lenovo B50 No installation issues Ref to bug 15208 Comment 2 for testing: sorry for Dutch, willtranslate. $ dd if=/dev/zero of=foo.img bs=1M count=8 8+0 records gelezen - read 8+0 records geschreven - written 8388608 bytes (8,4 MB, 8,0 MiB) copied, 0,0141041 s, 595 MB/s [tester7@mach5 ~]$ ls Afbeeldingen/ Desktop/ Documenten/ Downloads/ foo.img Muziek/ Sjablonen/ tmp/ "Video's"/ $ /sbin/mkfs.ext3 foo.img mke2fs 1.45.4 (23-Sep-2019) Verwerpen van blokken: voltooid reject blocks: completed Aanmaken van bestandssysteem met 8192 blokken (van 1K) en 2048 inodes. Making file system .... Reserveren van groepstabellen: voltooid Schrijven van inodetabellen: voltooid Aanmaken van journal (1024 blokken): voltooid Schrijven van superblokken en bestandssysteem-metagegevens: voltooid $ mkdir foofs $ ls Afbeeldingen/ Desktop/ Documenten/ Downloads/ foofs/ foo.img Muziek/ Sjablonen/ tmp/ "Video's"/ # mount -t ext3 foo.img foofs # cp /home/tester7/Documenten/okra/Elektrische\ fietsen\ OKRA\ 2014\ 06\ 26.pptx foofs # cd foofs/ # ls 'Elektrische fietsen OKRA 2014 06 26.pptx' lost+found/ # cd .. # umount foofs $ /sbin/dumpe2fs foo.img dumpe2fs 1.45.4 (23-Sep-2019) Filesystem volume name: <none> Last mounted on: /home/tester7/foofs Filesystem UUID: d37539de-d68f-4e8a-8721-fef7b1ecb5b5 Filesystem magic number: 0xEF53 etc ...... $ /sbin/fsck.ext3 foo.img e2fsck 1.45.4 (23-Sep-2019) foo.img: schoon, 12/2048 bestanden, 4297/8192 blokken - clean $ /usr/sbin/e2freefrag foo.img Device: foo.img Blocksize: 1024 bytes Total blocks: 8192 Free blocks: 3895 (47.5%) etc.... Seems all correect to me. CC:
(none) =>
herman.viaene Thank you, Herman. Validating. Advisory in Comment 1. Keywords:
(none) =>
validated_update
Thomas Backlund
2019-10-16 23:11:48 CEST
CC:
(none) =>
tmb An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0296.html Status:
NEW =>
RESOLVED |