MidnightBSD

Advisories for e2fsprogs_project

CVE-2015-0247 MEDIUM

Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
e2fsprogs_project e2fsprogs *
debian debian_linux 7.0
fedoraproject fedora 21
canonical ubuntu_linux 10.04
fedoraproject fedora 20
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.10
CVE-2015-1572 MEDIUM

Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
e2fsprogs_project e2fsprogs *
debian debian_linux 7.0
canonical ubuntu_linux 10.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.10
CVE-2019-5094 MEDIUM

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 8.0
e2fsprogs_project e2fsprogs *
debian debian_linux 10.0
fedoraproject fedora 30
debian debian_linux 9.0
canonical ubuntu_linux 19.04
netapp solidfire -
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.04
fedoraproject fedora 31
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
netapp hci_management_node -
CVE-2019-5188 MEDIUM

A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9
talos-cna@cisco.com 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 8.0
e2fsprogs_project e2fsprogs *
opensuse leap 15.1
fedoraproject fedora 30
debian debian_linux 9.0
canonical ubuntu_linux 19.04
netapp solidfire,_enterprise_sds_&_hci_storage_node -
canonical ubuntu_linux 14.04
canonical ubuntu_linux 19.10
canonical ubuntu_linux 18.04
netapp hci_compute_node_firmware -
fedoraproject fedora 31
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2022-1304 MEDIUM

An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
e2fsprogs_project e2fsprogs 1.46.5
redhat enterprise_linux 7.0
redhat enterprise_linux 6.0
fedoraproject fedora 35