oCERT-2015-002 e2fsprogs input sanitization errors


The e2fsprogs package is a set of open source utilities for ext2, ext3 and ext4 filesytems.

The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow.

A specially crafted filesystem image can be used to trigger the vulnerability.

Affected version:

e2fsprogs < 1.42.12

Fixed version:

e2fsprogs >= 1.42.12

Credit: vulnerability report from Jose Duart of Google Security Team <jduart AT google.com>.

CVE: CVE-2015-0247


2015-01-19: vulnerability report received
2015-01-29: contacted affected vendors, assigned CVEs
2015-02-05: advisory release