Debian has issued an advisory on February 22:
https://www.debian.org/security/2015/dsa-3166
Upstream patch checked into Mageia 4 and Cauldron SVN.
Freeze push requested for Cauldron.
Note that this issue is due to an incomplete fix for CVE-2015-0247, which we fixed in Bug 15208. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=15208#c2
Patched package uploaded for Mageia 4.
See the test procedure linked from Comment 1.
Advisory:
========================
Updated e2fsprogs packages fix security vulnerability:
The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap-based buffer overflow. A specially crafted filesystem image can be used to trigger the vulnerability. This is due to an incomplete fix for CVE-2015-0247 (CVE-2015-1572).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1572
http://advisories.mageia.org/MGASA-2015-0061.html
https://www.debian.org/security/2015/dsa-3166
========================
Updated packages in core/updates_testing:
========================
e2fsprogs-1.42.9-2.2.mga4
libext2fs2-1.42.9-2.2.mga4
libext2fs-devel-1.42.9-2.2.mga4
from e2fsprogs-1.42.9-2.2.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
Testing complete Mageia 4 i586 using the previous procedure.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Testing on Mageia4x64 real hardware using procedure mentioned in comment 1 with updated testing packages:
-----------------------------
e2fsprogs-1.42.9-2.2.mga4.x86_64
lib64ext2fs-devel-1.42.9-2.2.mga4.x86_64
lib64ext2fs2-1.42.9-2.2.mga4.x86_64
OK on Mageia 4x64 (just had to replace last line of procedure:
$ /usr/sbin/e2freefrag /tmp/foo.img
by
$ /usr/sbin/e2freefrag foo.img)
CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0088.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED