An advisory has been issued today (February 5): http://www.ocert.org/advisories/ocert-2015-002.html The issue was fixed in 1.42.12, which is already in Cauldron. Patched package uploaded for Mageia 4. Advisory: ======================== Updated e2fsprogs packages fix security vulnerability: The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow. A specially crafted filesystem image can be used to trigger the vulnerability (CVE-2015-0247). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247 http://www.ocert.org/advisories/ocert-2015-002.html ======================== Updated packages in core/updates_testing: ======================== e2fsprogs-1.42.9-2.1.mga4 libext2fs2-1.42.9-2.1.mga4 libext2fs-devel-1.42.9-2.1.mga4 from e2fsprogs-1.42.9-2.1.mga4.src.rpm Reproducible: Steps to Reproduce:
Fedora has issued an advisory for this on February 7: https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149434.html
URL: (none) => http://lwn.net/Vulnerabilities/632571/
Tested by creating a loopback filesystem image and playing with it a bit. $ dd if=/dev/zero of=foo.img bs=1M count=8 $ /sbin/mkfs.ext3 foo.img $ mkdir foofs # mount -t ext3 foo.img foofs # cp foo.tar.xz foofs/ # some file less than 8MB # umount foofs $ /sbin/dumpe2fs foo.img $ /sbin/fsck.ext3 foo.img $ /usr/sbin/e2freefrag /tmp/foo.img Testing complete Mageia 4 i586.
Whiteboard: (none) => has_procedure MGA4-32-OK
Testing complete mga4 64 using same tests as David. Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0061.html
Status: NEW => RESOLVEDResolution: (none) => FIXED