Package: e2fsprogs / 1.42.12-2

Metadata

Package: e2fsprogs
Version: 1.42.12-2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description

CVE 2015 1572.patch

lib/ext2fs/closefs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

 libext2fs: fix potential buffer overflow in closefs()

The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
s_first_meta_bg is too big" had a typo in the fix for
ext2fs_closefs().  In practice most of the security exposure was from
the openfs path, since this meant if there was a carefully crafted
file system, buffer overrun would be triggered when the file system was
opened.

However, if a corrupted file system didn't trip over some corruption
check, and then the file system was modified via tune2fs or debugfs,
such that the superblock was marked dirty and then written out via the
closefs() path, it's possible that the buffer overrun could be
triggered when the file system is closed.

Also clear up a signed vs unsigned warning while we're at it.

Thanks to Nick Kralevich <nnk@google.com> for asking me to look at a
compiler warning in the code in question, which led me to notice the
bug in f66e6ce4446.

Addresses: CVE-2015-1572

Signed-off-by: Theodore Ts'o <tytso@mit.edu>


e2fsck use PROMPT_NONE for FUTURE_SB_LAST_ _FUDGED problems.patch

e2fsck/problem.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

 [PATCH] e2fsck: use PROMPT_NONE for FUTURE_SB_LAST_*_FUDGED problems

This allows us to print a message warning the user that there is
something funny going on with their hardware clock (probably time zone
issues caused by trying to be compatible with legacy OS's such as
Windows), without triggering a full file system check.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>

e2fsck fix corruption of Hurd filesystems.patch

e2fsck/pass1.c | 14 ++++++++------
e2fsck/pass2.c | 3 ++-
2 files changed, 10 insertions(+), 7 deletions(-)

 [PATCH] e2fsck: fix corruption of Hurd filesystems

Previously, e2fsck accessed the field osd2.linux2.l_i_file_acl_high
without checking that the filesystem is indeed created for
Linux.  This led to e2fsck constantly complaining about certain
nodes:

i_file_acl_hi for inode XXX (/dev/console) is 32, should be zero.

By "correcting" this problem, e2fsck would clobber the field
osd2.hurd2.h_i_mode_high.

Properly guard access to the OS dependent fields.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>

e2fsck fix dangling pointer when dir_info array is resized.patch

e2fsck/dirinfo.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

 [PATCH] e2fsck: fix dangling pointer when dir_info array is resized

e2fsck uses an array to store directory usage information during pass
3; the usage context also contains a pointer to the last directory
looked up.  When expanding the dir_info array, this cache pointer
needs to be cleared if the array resize changed the pointer location,
or else we'll later walk off the end of this dead pointer.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reported-by: Sami Liedes <sami.liedes@iki.fi>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
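The resize hazard the commit message describes, as an added example written for this page rather than e2fsprogs code: a growable realloc()-managed array of per-directory records with a "last looked up" cache pointer into that array. The names (dir_rec, dir_ctx, dir_ctx_grow, dir_ctx_lookup) and the two-field record are assumptions; the real e2fsck dir_info structure is richer. The point is the invalidation in dir_ctx_grow(): when realloc() moves the block, any pointer into the old block is dead, so the cache is dropped rather than followed later. dir_ctx_free() also clears the context after freeing it, the same discipline the later "free pointer dereference" fixes on this page apply to ctx->fs.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-directory record (the real e2fsck dir_info has more fields). */
struct dir_rec {
    uint32_t ino;     /* directory inode number */
    uint32_t parent;  /* parent directory inode number */
};

struct dir_ctx {
    struct dir_rec *array;        /* growable, realloc()-managed */
    size_t count;                 /* records in use */
    size_t size;                  /* allocated slots */
    struct dir_rec *last_lookup;  /* cache: a pointer INTO array */
};

/* Grow the array to new_size slots.  Returns 0 on success, -1 on failure.
 * If realloc() relocated the block, every pointer into the old block is
 * dangling, including the lookup cache, so it is dropped here. */
static int dir_ctx_grow(struct dir_ctx *ctx, size_t new_size)
{
    struct dir_rec *old = ctx->array;
    struct dir_rec *p = realloc(ctx->array, new_size * sizeof(*p));
    if (p == NULL)
        return -1;
    if (p != old)
        ctx->last_lookup = NULL;  /* the fix: never keep a pointer into freed memory */
    ctx->array = p;
    ctx->size = new_size;
    return 0;
}

int dir_ctx_add(struct dir_ctx *ctx, uint32_t ino, uint32_t parent)
{
    if (ctx->count == ctx->size &&
        dir_ctx_grow(ctx, ctx->size ? ctx->size * 2 : 4) < 0)
        return -1;
    ctx->array[ctx->count].ino = ino;
    ctx->array[ctx->count].parent = parent;
    ctx->count++;
    return 0;
}

/* Find the record for ino; repeated lookups are served from the cache. */
struct dir_rec *dir_ctx_lookup(struct dir_ctx *ctx, uint32_t ino)
{
    if (ctx->last_lookup != NULL && ctx->last_lookup->ino == ino)
        return ctx->last_lookup;
    for (size_t i = 0; i < ctx->count; i++) {
        if (ctx->array[i].ino == ino) {
            ctx->last_lookup = &ctx->array[i];
            return ctx->last_lookup;
        }
    }
    return NULL;
}

/* Free and then clear the context so a stale ctx->array cannot be used later. */
void dir_ctx_free(struct dir_ctx *ctx)
{
    free(ctx->array);
    memset(ctx, 0, sizeof(*ctx));
}

/* Invariant check: the cache is empty or points inside the live array. */
int dir_ctx_cache_is_valid(const struct dir_ctx *ctx)
{
    if (ctx->last_lookup == NULL)
        return 1;
    return ctx->last_lookup >= ctx->array &&
           ctx->last_lookup < ctx->array + ctx->count;
}

/* Self-check: interleave lookups (which prime the cache) with inserts
 * (which trigger resizes).  Returns 1 if every lookup stays correct and
 * the invariant above holds throughout, 0 otherwise. */
int dir_ctx_selftest(void)
{
    struct dir_ctx ctx = {0};
    int ok = 1;
    for (uint32_t ino = 2; ino <= 1000 && ok; ino++) {
        if (dir_ctx_add(&ctx, ino, ino / 2) < 0) { ok = 0; break; }
        struct dir_rec *r = dir_ctx_lookup(&ctx, ino);  /* caches &array[count-1] */
        if (r == NULL || r->parent != ino / 2 || !dir_ctx_cache_is_valid(&ctx))
            ok = 0;
    }
    for (uint32_t ino = 2; ino <= 1000 && ok; ino++) {
        struct dir_rec *r = dir_ctx_lookup(&ctx, ino);
        if (r == NULL || r->parent != ino / 2)
            ok = 0;
    }
    dir_ctx_free(&ctx);
    return ok;
}

int main(void)
{
    int ok = dir_ctx_selftest();
    printf("dir_ctx selftest: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Storing the cache as an index into the array instead of a pointer would remove the hazard entirely, since an index survives relocation; the pointer form is kept here because it mirrors the shape of the bug the commit fixes. Under AddressSanitizer or Valgrind, the version without the `p != old` invalidation is reported as a heap-use-after-free on the first cache hit following a relocating resize.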

e2fsck fix free pointer dereferences.patch

e2fsck/unix.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

 [PATCH 2/2] e2fsck: fix free pointer dereferences

Commit 47fee2ef6a23a introduces some free pointer dereference bugs by
not clearing ctx->fs after calling ext2fs_close_free().

Reported-by: Matthias Andree <mandree@FreeBSD.org>
Cc: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

resize2fs fix fs blocksize dereference after fs has been freed.patch

resize/main.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)

 [PATCH] resize2fs: fix fs->blocksize dereference after fs has been freed

Commit 77255cf36944b introduced a use after free bug.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>