main/e2fsprogs: security fix for CVE-2015-0247

fixes #3943

2 files changed, 64 insertions, 3 deletions

diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD
index 0c11e60e03..7771583981 100644
--- a/main/e2fsprogs/APKBUILD
+++ b/main/e2fsprogs/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=e2fsprogs
 pkgver=1.42.7
-pkgrel=0
+pkgrel=1
 pkgdesc="Standard Ext2/3/4 filesystem utilities"
 url="http://e2fsprogs.sourceforge.net"
 arch="all"
@@ -10,7 +10,9 @@ depends=
 install=
 makedepends="util-linux-dev pkgconfig"
 subpackages="$pkgname-dev $pkgname-doc libcom_err"
-source="http://downloads.sourceforge.net/sourceforge/e2fsprogs/e2fsprogs-$pkgver.tar.gz"
+source="http://downloads.sourceforge.net/sourceforge/e2fsprogs/e2fsprogs-$pkgver.tar.gz
+	CVE-2015-0247.patch
+	"
 
 depends_dev="util-linux-dev"
 
@@ -46,4 +48,9 @@ libcom_err() {
 	mv "$pkgdir"/lib/libcom_err* "$subpkgdir"/lib/
 }
 
-md5sums="a1ec22ef003688dae9f76c74881b22b9  e2fsprogs-1.42.7.tar.gz"
+md5sums="a1ec22ef003688dae9f76c74881b22b9  e2fsprogs-1.42.7.tar.gz
+687730ae5bb3c62f38524197fcee8de6  CVE-2015-0247.patch"
+sha256sums="dc6501b2e75d205e425196d753d92b129c568525d8aad08085c0aa69ee9e7345  e2fsprogs-1.42.7.tar.gz
+ecee45031bc64cb3572602e0035963ccfe8ef8b2e116b67783f64e5d3bf9e6cc  CVE-2015-0247.patch"
+sha512sums="954dbb832c2614d20cfaa5233033b469f16bf96612cf25074a66da79a5b3abf5eb1b340781e351bde06daf13bbbf5db4643774858aa494b8a8394ea742b6f07b  e2fsprogs-1.42.7.tar.gz
+00263dab2ae1929bba74c3841874fb3f7609a4279404014adad31ccca0e4503e203b0ead1c4937708dce161f046b47314f797aba4b62d81a5e840c0f44ca8116  CVE-2015-0247.patch"
diff --git a/main/e2fsprogs/CVE-2015-0247.patch b/main/e2fsprogs/CVE-2015-0247.patch
new file mode 100644
index 0000000000..be7672c5c8
--- /dev/null
+++ b/main/e2fsprogs/CVE-2015-0247.patch
@@ -0,0 +1,54 @@
+From f66e6ce4446738c2c7f43d41988a3eb73347e2f5 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 9 Aug 2014 12:24:54 -0400
+Subject: libext2fs: avoid buffer overflow if s_first_meta_bg is too big
+
+If s_first_meta_bg is greater than the of number block group
+descriptor blocks, then reading or writing the block group descriptors
+will end up overruning the memory buffer allocated for the
+descriptors.  Fix this by limiting first_meta_bg to no more than
+fs->desc_blocks.  This doesn't correct the bad s_first_meta_bg value,
+but it avoids causing the e2fsprogs userspace programs from
+potentially crashing.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+diff --git a/lib/ext2fs/closefs.c b/lib/ext2fs/closefs.c
+index 4599eef..1f99113 100644
+--- a/lib/ext2fs/closefs.c
++++ b/lib/ext2fs/closefs.c
+@@ -344,9 +344,11 @@ errcode_t ext2fs_flush2(ext2_filsys fs, int flags)
+ 	 * superblocks and group descriptors.
+ 	 */
+ 	group_ptr = (char *) group_shadow;
+-	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
++	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ 		old_desc_blocks = fs->super->s_first_meta_bg;
+-	else
++		if (old_desc_blocks > fs->super->s_first_meta_bg)
++			old_desc_blocks = fs->desc_blocks;
++	} else
+ 		old_desc_blocks = fs->desc_blocks;
+ 
+ 	ext2fs_numeric_progress_init(fs, &progress, NULL,
+diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
+index a1a3517..ba501e6 100644
+--- a/lib/ext2fs/openfs.c
++++ b/lib/ext2fs/openfs.c
+@@ -378,9 +378,11 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
+ #ifdef WORDS_BIGENDIAN
+ 	groups_per_block = EXT2_DESC_PER_BLOCK(fs->super);
+ #endif
+-	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG)
++	if (fs->super->s_feature_incompat & EXT2_FEATURE_INCOMPAT_META_BG) {
+ 		first_meta_bg = fs->super->s_first_meta_bg;
+-	else
++		if (first_meta_bg > fs->desc_blocks)
++			first_meta_bg = fs->desc_blocks;
++	} else
+ 		first_meta_bg = fs->desc_blocks;
+ 	if (first_meta_bg) {
+ 		retval = io_channel_read_blk(fs->io, group_block +
+-- 
+cgit v0.10.2
+