An advisory has been issued today (February 5):
The issue was fixed in 1.42.12, which is already in Cauldron.
Patched package uploaded for Mageia 4.
Updated e2fsprogs packages fix security vulnerability:
The libext2fs library, part of e2fsprogs and utilized by its utilities, is
affected by a boundary check error on block group descriptor information,
leading to a heap based buffer overflow. A specially crafted filesystem image
can be used to trigger the vulnerability (CVE-2015-0247).
Updated packages in core/updates_testing:
Steps to Reproduce:
Fedora has issued an advisory for this on February 7:
Tested by creating a loopback filesystem image and playing with it a bit.
$ dd if=/dev/zero of=foo.img bs=1M count=8
$ /sbin/mkfs.ext3 foo.img
$ mkdir foofs
# mount -t ext3 foo.img foofs
# cp foo.tar.xz foofs/ # some file less than 8MB
# umount foofs
$ /sbin/dumpe2fs foo.img
$ /sbin/fsck.ext3 foo.img
$ /usr/sbin/e2freefrag /tmp/foo.img
Testing complete Mageia 4 i586.
Testing complete mga4 64 using same tests as David.
Validating. Advisory uploaded.
Please push to 4 updates
has_procedure MGA4-32-OK =>
has_procedure advisory MGA4-32-OK mga4-64-okCC:
An update for this issue has been pushed to Mageia Updates repository.