svn commit: r522701 - head/security/vuxml
Matthias Andree
mandree at FreeBSD.org
Sat Jan 11 18:32:16 UTC 2020
Author: mandree
Date: Sat Jan 11 18:32:15 2020
New Revision: 522701
URL: https://svnweb.freebsd.org/changeset/ports/522701
Log:
mark e2fsprogs vulnerable, CVE-2019-5188
Security: 8b61308b-322a-11ea-b34b-1de6fb24355d
Security: CVE-2019-5188
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Jan 11 18:19:31 2020 (r522700)
+++ head/security/vuxml/vuln.xml Sat Jan 11 18:32:15 2020 (r522701)
@@ -58,6 +58,49 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="8b61308b-322a-11ea-b34b-1de6fb24355d">
+ <topic>e2fsprogs -- rehash.c/pass 3a mutate_name() code execution vulnerability</topic>
+ <affects>
+ <package>
+ <name>e2fsprogs</name>
+ <range><lt>1.45.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Lilith of Cisco Talos reports:</p>
+ <blockquote cite="https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973">
+ <p>
+ A code execution vulnerability exists in the directory rehashing
+ functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4
+ directory can cause an out-of-bounds write on the stack, resulting
+ in code execution. An attacker can corrupt a partition to trigger
+ this vulnerability.
+ </p>
+ </blockquote>
+ <p>Theodore Y. Ts'o reports:</p>
+ <blockquote cite="http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.5">
+ <p>
+ E2fsprogs 1.45.5 [...:] Fix a potential out of bounds write when
+ checking a maliciously corrupted file system. This is probably not
+ exploitable on 64-bit platforms, but may be exploitable on 32-bit
+ binaries depending on how the compiler lays out the stack variables.
+ (Addresses CVE-2019-5188)
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973</url>
+ <url>http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.5</url>
+ <cvename>CVE-2019-5188</cvename>
+ </references>
+ <dates>
+ <discovery>2019-12-18</discovery>
+ <entry>2020-01-08</entry>
+ </dates>
+ </vuln>
+
<vuln vid="16aed7b7-344a-11ea-9cdb-001b217b3468">
<topic>phpMyAdmin -- SQL injection</topic>
<affects>
More information about the svn-ports-all
mailing list