CVE-2019-5094 - Out-of-bounds Write vulnerability in multiple products

CVSS 6.7 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2140.NASL
    description: According to the version of the e2fsprogs packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The e2fsprogs package contains a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second, third and fourth extended (ext2/ext3/ext4) file systems. E2fsprogs contains e2fsck (used to repair file system inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 file system), debugfs (used to examine the internal structure of a file system, to manually repair a corrupted file system, or to create test cases for e2fsck), tune2fs (used to modify file system parameters), and most of the other core ext2fs file system utilities. You should install the e2fsprogs package if you need to manage the performance of an ext2, ext3, or ext4 file system. Security Fix(es): An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-11-12
    plugin id: 130849
    published: 2019-11-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130849
    title: EulerOS 2.0 SP5 : e2fsprogs (EulerOS-SA-2019-2140)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130849);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2019-5094"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : e2fsprogs (EulerOS-SA-2019-2140)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the e2fsprogs packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - The e2fsprogs package contains a number of utilities
        for creating,checking, modifying, and correcting any
        inconsistencies in second,third and fourth extended
        (ext2/ext3/ext4) file systems. E2fsprogs contains
        e2fsck (used to repair file system inconsistencies
        after an unclean shutdown), mke2fs (used to initialize
        a partition to contain an empty ext2 file system),
        debugfs (used to examine the internal structure of a
        file system, to manually repair a corrupted file
        system, or to create test cases for e2fsck), tune2fs
        (used to modify file system parameters), and most of
        the other core ext2fs file system utilities.You should
        install the e2fsprogs package if you need to manage the
        performance of an ext2, ext3, or ext4 file
        system.Security Fix(es):An exploitable code execution
        vulnerability exists in the quota file functionality of
        E2fsprogs 1.45.3. A specially crafted ext4 partition
        can cause an out-of-bounds write on the heap, resulting
        in code execution. An attacker can corrupt a partition
        to trigger this vulnerability.(CVE-2019-5094)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2140
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a2f07447");
      script_set_attribute(attribute:"solution", value:
    "Update the affected e2fsprogs package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:e2fsprogs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:e2fsprogs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:e2fsprogs-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libcom_err");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libcom_err-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libss");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["e2fsprogs-1.45.0-1.h4.eulerosv2r7",
            "e2fsprogs-devel-1.45.0-1.h4.eulerosv2r7",
            "e2fsprogs-libs-1.45.0-1.h4.eulerosv2r7",
            "libcom_err-1.45.0-1.h4.eulerosv2r7",
            "libcom_err-devel-1.45.0-1.h4.eulerosv2r7",
            "libss-1.45.0-1.h4.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "e2fsprogs");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-A724CC7926.NASL
    description: Fixes ----- A maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck. (Addresses CVE-2019-5094) E2fsck now checks to make sure the casefold flag is only set on directories, and only when the casefold feature is enabled. E2fsck will not disable the low dtime checks when using a backup superblock where the last mount time is zero. This fixes a failure in xfstests ext4/007. Fix e2fsck so that when it needs to recreate the root directory, the quota counts are correctly updated. Fix e2scrub_all cron script so it checks to make sure e2scrub_all exists, since the crontab and cron script might stick around after the e2fsprogs package is removed. (Addresses Debian Bug: #932622) Fix e2scrub_all so that it works when the free space is exactly the snapshot size. (Addresses Debian Bug: #935009) Avoid spurious lvm warnings when e2scrub_all is run out of cron on non-systemd systems (Addresses Debian Bug: #940240) Update the man pages to document the new fsverity feature, and improve the documentation for the casefold and encrypt features. E2fsck will no longer force a full file system check if time-based forced checks are disabled and the last mount time or last write time in the superblock are in the future. Fix a potential out of bounds write when checking a maliciously corrupted file system. This is probably not exploitable on 64-bit platforms, but may be exploitable on 32-bit binaries depending on how the compiler lays out the stack variables. (Addresses CVE-2019-5188) Fixed spurious weekly e-mails when e2scrub_all is run via a cron job on non-systemd systems. (Addresses Debian Bug: #944033) Remove an unnecessary sleep in e2scrub which could add up to an additional two second delay during the boot up. Also, avoid trying to reap aborted snapshots if it has been disabled via e2scrub.conf. (Addresses Debian Bug: #948193) If a mischievous system administrator mounts a pseudo-file system such as tmpfs with a device name that duplicates another mounted file system, this could potentially confuse resize2fs when it needs to find the mount point of a mounted file system. (Who would have guessed?) Add some sanity checking so that we can make libext2fs more robust against such insanity, at least on Linux. (GNU HURD doesn
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133117
    published: 2020-01-21
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133117
    title: Fedora 31 : e2fsprogs (2020-a724cc7926)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2020-a724cc7926.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133117);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/23");
    
      script_cve_id("CVE-2019-5094", "CVE-2019-5188");
      script_xref(name:"FEDORA", value:"2020-a724cc7926");
    
      script_name(english:"Fedora 31 : e2fsprogs (2020-a724cc7926)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fixes
    
    -----
    
    A maliciously corrupted file systems can trigger buffer overruns in
    the quota code used by e2fsck. (Addresses CVE-2019-5094)
    
    E2fsck now checks to make sure the casefold flag is only set on
    directories, and only when the casefold feature is enabled.
    
    E2fsck will not disable the low dtime checks when using a backup
    superblock where the last mount time is zero. This fixes a failure in
    xfstests ext4/007.
    
    Fix e2fsck so that when it needs to recreate the root directory, the
    quota counts are correctly updated.
    
    Fix e2scrub_all cron script so it checks to make sure e2scrub_all
    exists, since the crontab and cron script might stick around after the
    e2fsprogs package is removed. (Addresses Debian Bug: #932622)
    
    Fix e2scrub_all so that it works when the free space is exactly the
    snapshot size. (Addresses Debian Bug: #935009)
    
    Avoid spurious lvm warnings when e2scrub_all is run out of cron on
    non-systemd systems (Addresses Debian Bug: #940240)
    
    Update the man pages to document the new fsverity feature, and improve
    the documentation for the casefold and encrypt features.
    
    E2fsck will no longer force a full file system check if time-based
    forced checks are disabled and the last mount time or last write time
    in the superblock are in the future.
    
    Fix a potential out of bounds write when checking a maliciously
    corrupted file system. This is probably not exploitable on 64-bit
    platforms, but may be exploitable on 32-bit binaries depending on how
    the compiler lays out the stack variables. (Addresses CVE-2019-5188)
    
    Fixed spurious weekly e-mails when e2scrub_all is run via a cron job
    on non-systemd systems. (Addresses Debian Bug: #944033)
    
    Remove an unnecessary sleep in e2scrub which could add up to an
    additional two second delay during the boot up. Also, avoid trying to
    reap aborted snapshots if it has been disabled via e2scrub.conf.
    (Addresses Debian Bug: #948193)
    
    If a mischievous system administrator mounts a pseudo-file system such
    as tmpfs with a device name that duplicates another mounted file
    system, this could potentially confuse resize2fs when it needs to find
    the mount point of a mounted file system. (Who would have guessed?)
    Add some sanity checking so that we can make libext2fs more robust
    against such insanity, at least on Linux. (GNU HURD doesn't support
    st_rdev.)
    
    Tune2fs now prohibits enabling or disabling uninit_bg if the file
    system is mounted, since this could result in the file system getting
    corrupted, and there is an unfortunate AskUbuntu article suggesting
    this as a way to modify a file system's UUID on a live file system.
    (Ext4 now has a way to do this safely, using the metadata_csum_seed
    feature, which was added in the 4.4 Linux kernel.)
    
    Fix potential crash in e2fsck when rebuilding very large directories
    on file systems which have the new large_dir feature enable.
    
    Fix support of 32-bit uid's and gid's in fuse2fs and in mke2fs -d.
    
    Fix mke2fs's setting bad blocks to bigalloc file systems.
    
    Fix a bug where fuse2fs would incorrectly report the i_blocks fields
    for bigalloc file systems.
    
    Resize2fs's minimum size estimates (via resize2fs -M) estimates are
    now more accurate when run on mounted file systems.
    
    Fixed potential memory leak in read_bitmap() in libext2fs.
    
    Fixed various UBsan failures found when fuzzing file system images.
    (Addresses Google Bug: #128130353)
    
    Updated and clarified various man pages.
    
    Performance, Internal Implementation, Development Support etc.
    
    --------------------------------------------------------------
    
    Fixed various debian packaging issues. (Addresses Debian Bug: #933247,
    #932874, #932876, #932855, #932859, #932861, #932881, #932888)
    
    Fix false positive test failure in f_pre_1970_date_encoding on 32-bit
    systems with a 64-bit time_t. (Addresses Debian Bug: #932906)
    
    Fixed various compiler warnings. (Addresses Google Bug #118836063)
    
    Update the Czech, Dutch, French, German, Malay, Polish, Portuguese,
    Spanish, Swedish, Ukrainian, and Vietnamese translations from the
    Translation Project.
    
    Speed up e2fsck on file systems with a very large number of inodes
    caused by repeated calls to gettext().
    
    The inode_io io_manager can now support files which are greater than
    2GB.
    
    The ext2_off_t and ext2_off64_t are now signed types so that
    ext2fs_file_lseek() and ext2fs_file_llseek() can work correctly.
    
    Reserve codepoint for the fast_commit feature.
    
    Fixed various Debian packaging issues.
    
    Fix portability problems for Illumous and on hurd/i386 (Addresses
    Debian Bug: #944649)
    
    Always compile the ext2fs_swap_* functions even on little-endian
    architectures, so that debian/libext2fs.symbols can be consistent
    across architectures.
    
    Synchronized changes from Android's AOSP e2fsprogs tree.
    
    Updated config.guess and config.sub with newer versions from the FSF.
    
    Update the Chinese and Malay translations from the translation
    project.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2020-a724cc7926"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected e2fsprogs package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:e2fsprogs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC31", reference:"e2fsprogs-1.45.5-1.fc31")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "e2fsprogs");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1935.NASL
    description: Lilith of Cisco Talos discovered a buffer overflow flaw in the quota code used by e2fsck from the ext2/ext3/ext4 file system utilities. Running e2fsck on a malformed file system can result in the execution of arbitrary code. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129409
    published: 2019-09-30
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129409
    title: Debian DLA-1935-1 : e2fsprogs security update
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1347.NASL
    description: According to the versions of the e2fsprogs packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094) - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-04-07
    modified: 2020-04-02
    plugin id: 135134
    published: 2020-04-02
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135134
    title: EulerOS Virtualization for ARM 64 3.0.6.0 : e2fsprogs (EulerOS-SA-2020-1347)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_AD3451B923E011EA8B36F1925A339A82.NASL
    description: Ted Y. Ts
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132350
    published: 2019-12-23
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132350
    title: FreeBSD : e2fsprogs -- maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck (ad3451b9-23e0-11ea-8b36-f1925a339a82)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1287.NASL
    description: According to the versions of the e2fsprogs packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188) - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-03
    modified: 2020-03-23
    plugin id: 134779
    published: 2020-03-23
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134779
    title: EulerOS 2.0 SP8 : e2fsprogs (EulerOS-SA-2020-1287)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2019-2_0-0184_E2FSPROGS.NASL
    description: An update of the e2fsprogs package has been released.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130203
    published: 2019-10-25
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130203
    title: Photon OS 2.0: E2Fsprogs PHSA-2019-2.0-0184
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-202003-05.NASL
    description: The remote host is affected by the vulnerability described in GLSA-202003-05 (e2fsprogs: Arbitrary code execution) It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. Impact : A remote attacker could entice a user to process a specially crafted corrupted file system using e2fsck, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-03-19
    modified: 2020-03-13
    plugin id: 134472
    published: 2020-03-13
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134472
    title: GLSA-202003-05 : e2fsprogs: Arbitrary code execution
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1272.NASL
    description: According to the version of the e2fsprogs packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-26
    modified: 2020-03-20
    plugin id: 134738
    published: 2020-03-20
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134738
    title: EulerOS Virtualization 3.0.2.2 : e2fsprogs (EulerOS-SA-2020-1272)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4142-1.NASL
    description: It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129488
    published: 2019-10-01
    reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129488
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : e2fsprogs vulnerability (USN-4142-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1515.NASL
    description: According to the versions of the e2fsprogs packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094) - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2020-05-01
    plugin id: 136218
    published: 2020-05-01
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136218
    title: EulerOS Virtualization for ARM 64 3.0.2.0 : e2fsprogs (EulerOS-SA-2020-1515)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4535.NASL
    description: Lilith of Cisco Talos discovered a buffer overflow flaw in the quota code used by e2fsck from the ext2/ext3/ext4 file system utilities. Running e2fsck on a malformed file system can result in the execution of arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129413
    published: 2019-09-30
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129413
    title: Debian DSA-4535-1 : e2fsprogs - security update
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2020-01ED02451F.NASL
    description: Fix a potential out of bounds write when checking a maliciously corrupted file system. This is probably not exploitable on 64-bit platforms, but may be exploitable on 32-bit binaries depending on how the compiler lays out the stack variables. (Addresses CVE-2019-5188) A maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck. (Addresses CVE-2019-5094) Fix potential use after free in calculate_tree() Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133420
    published: 2020-02-03
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133420
    title: Fedora 30 : e2fsprogs (2020-01ed02451f)

Redhat

advisories
bugzilla
id: 1788573
title: e2fsprogs: Document supported features/options in ext4 man page
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 8 is installed
      oval: oval:com.redhat.rhba:tst:20193384074
    • OR
      • AND
        • comment: e2fsprogs-debugsource is earlier than 0:1.45.4-3.el8
          oval: oval:com.redhat.rhsa:tst:20201913001
        • comment: e2fsprogs-debugsource is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20201913002
      • AND
        • comment: libss is earlier than 0:1.45.4-3.el8
          oval: oval:com.redhat.rhsa:tst:20201913003
        • comment: libss is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20201913004
      • AND
        • comment: libcom_err-devel is earlier than 0:1.45.4-3.el8
          oval: oval:com.redhat.rhsa:tst:20201913005
        • comment: libcom_err-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20201913006
      • AND
        • comment: libcom_err is earlier than 0:1.45.4-3.el8
          oval: oval:com.redhat.rhsa:tst:20201913007
        • comment: libcom_err is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20201913008
      • AND
        • comment: e2fsprogs-libs is earlier than 0:1.45.4-3.el8
          oval: oval:com.redhat.rhsa:tst:20201913009
        • comment: e2fsprogs-libs is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20201913010
      • AND
        • comment: e2fsprogs-devel is earlier than 0:1.45.4-3.el8
          oval: oval:com.redhat.rhsa:tst:20201913011
        • comment: e2fsprogs-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20201913012
      • AND
        • comment: e2fsprogs is earlier than 0:1.45.4-3.el8
          oval: oval:com.redhat.rhsa:tst:20201913013
        • comment: e2fsprogs is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20201913014
rhsa
id: RHSA-2020:1913
released: 2020-04-28
severity: Moderate
title: RHSA-2020:1913: e2fsprogs security, bug fix, and enhancement update (Moderate)
rpms
  • e2fsprogs-0:1.45.4-3.el8
  • e2fsprogs-debuginfo-0:1.45.4-3.el8
  • e2fsprogs-debugsource-0:1.45.4-3.el8
  • e2fsprogs-devel-0:1.45.4-3.el8
  • e2fsprogs-libs-0:1.45.4-3.el8
  • e2fsprogs-libs-debuginfo-0:1.45.4-3.el8
  • libcom_err-0:1.45.4-3.el8
  • libcom_err-debuginfo-0:1.45.4-3.el8
  • libcom_err-devel-0:1.45.4-3.el8
  • libss-0:1.45.4-3.el8
  • libss-debuginfo-0:1.45.4-3.el8

Talos

id: TALOS-2019-0887
last seen: 2019-10-08
published: 2019-09-24
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0887
title: E2fsprogs quotaio_tree.c report_tree() code execution vulnerability