Foresight: e2fsprogs
Posted by Bill Keys   
Previous versions of the e2fsprogs package are vulnerable to multiple integer overflows which may be exploited via specially-crafted filesystems. The workaround for is to not run fsck on a filesystem to which an untrusted user has the ability to directly modify filesystem metadata. This is most commonly an issue when using a virtualization solution in which the root user for the guest OS is not trusted, and can convince the host's root user to run fsck on the guests's filesystem. Foresight Linux neither enables nor supports any form of virtualization in the default install.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Foresight Linux Essential Advisory: 2008-0005-1
Published: 2008-02-11

Rating: Minor

Updated Versions:
   e2fsprogs=/conary.rpath.com@rpl:devel//1/1.37-3.3-1
   group-dist=/foresight.rpath.org@fl:1-devel//1/1.4.2-0.7-3

References:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497
   http://wiki.rpath.com/Advisories:rPSA-2007-0262

Description:
   Previous versions of the e2fsprogs package are vulnerable to multiple
   integer overflows which may be exploited via specially-crafted filesystems.

   The workaround for is to not run fsck on a filesystem to which an untrusted
   user has the ability to directly modify filesystem metadata. This is most
   commonly an issue when using a virtualization solution in which the root
   user for the guest OS is not trusted, and can convince the host's root user
   to run fsck on the guests's filesystem. Foresight Linux neither enables nor
   supports any form of virtualization in the default install.

- ---

Copyright 2008 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (GNU/Linux)

iQIcBAEBAgAGBQJHsV2RAAoJENfwEn07iAtZhb0P/RnKJzBXlNtpyaN5BgvaslbP
2asNCwET0Xn4VdwTdX/bDfMIYiRskTezYoApYUspmoVdPupMg41IXu9UmE3rQVtP
GzYsbznEjuOeBJlF5LTfkvS1qnJJaok/If3ISPlqXkC+r9N59+3hJE3CwjGTKzZx
9+KocNTpPbhUXqp2PCg7dGiB3pSZ3lUTAcFotBQTBdEIfMXNOm9GvjM5fF2oKglb
8StmutCZ5KbrO8OXwSJfocHzLKNmyJDaQ9lBuqwmIVE/0KNDiaYB4IxlsmomoPjg
uXSbhVK+fpzAeX8JqgRl3QCNZvXGeUvzaANDdmmjhVnc9UBXy5dvh4GVBx+TIQWl
gQ3fBmTramU1OIYP3ip80aV9SLE+BDWOa0Nz6hNL5ed9MiaeYq1CE+x5HwSr7+Se
QOP+RH7tiCaGOkQuvdYEqRkvwQ2+nNKkQGnM3O3JPRVnblTKoEgpWLEcPGAl+Znr
fYQdy5ufUffuX/bBitt3e9zObBwx1ziYXzZVXfEsTmTWlzeETNDPQdzhD0yRwHvZ
xGbBAQgaTr5+ikFGi4VZFTCv5pf5ljdMP5h36zL9oWsZFMA8MLJf8QRaNN8rOl0X
ojGSoBKPzGNkFu+PB8/17dcf24f0oD1Osd18vRw96fSppMfW0BK+Dc5gjW5ek7KK
sIytgbLlNi76mHUJVv48
=0Zx9
-----END PGP SIGNATURE-----
_______________________________________________
Foresight-security-announce mailing list
Foresight-security-announce@lists.rpath.org
http://lists.rpath.org/mailman/listinfo/foresight-security-announce