Package: e2fsprogs / 1.42.5-1.1+deb7u1


Package Version Patches format
e2fsprogs 1.42.5-1.1+deb7u1 3.0 (quilt)

Patch series

Patch File delta Description
CVE 2015 0247.patch | (download)

lib/ext2fs/closefs.c | 6 4 + 2 - 0 !
lib/ext2fs/openfs.c | 6 4 + 2 - 0 !
2 files changed, 8 insertions(+), 4 deletions(-)

 libext2fs: avoid buffer overflow if s_first_meta_bg is too big

If s_first_meta_bg is greater than the number of block group
descriptor blocks, then reading or writing the block group descriptors
will end up overrunning the memory buffer allocated for the
descriptors.  Fix this by limiting first_meta_bg to no more than
fs->desc_blocks.  This doesn't correct the bad s_first_meta_bg value,
but it avoids causing the e2fsprogs userspace programs to
potentially crash.

Signed-off-by: Theodore Ts'o <>

CVE 2015 1572.patch | (download)

lib/ext2fs/closefs.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 libext2fs: fix potential buffer overflow in closefs()

The bug fix in f66e6ce4446: "libext2fs: avoid buffer overflow if
s_first_meta_bg is too big" had a typo in the fix for
ext2fs_closefs().  In practice most of the security exposure was from
the openfs path, since this meant if there was a carefully crafted
file system, buffer overrun would be triggered when the file system was

However, if a corrupted file system didn't trip over some corruption
check, and then the file system was modified via tune2fs or debugfs,
such that the superblock was marked dirty and then written out via the
closefs() path, it's possible that the buffer overrun could be
triggered when the file system is closed.

Also clear up a signed vs unsigned warning while we're at it.

Thanks to Nick Kralevich <> for asking me to look at a
compiler warning in the code in question, which led me to notice the
bug in f66e6ce4446.
bug in f66e6ce4446.

Addresses: CVE-2015-1572

Signed-off-by: Theodore Ts'o <>
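
The clamp both commit messages describe, as an added example that is not the libext2fs code or either patch: the on-disk s_first_meta_bg is limited to desc_blocks before it bounds any access to the descriptor buffer. The struct toy_fs, both function names and the "contiguous run, then one block at a time" copy pattern are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the fields named in the commit messages;
 * these are not libext2fs's real structures. */
struct toy_fs {
    uint32_t blocksize;
    uint32_t desc_blocks;      /* descriptor blocks the buffer is sized for */
    uint32_t s_first_meta_bg;  /* untrusted value read from the superblock */
};

/* Limit the on-disk value to no more than desc_blocks. */
static uint32_t clamp_first_meta_bg(const struct toy_fs *fs)
{
    uint32_t first_meta_bg = fs->s_first_meta_bg;
    if (first_meta_bg > fs->desc_blocks)
        first_meta_bg = fs->desc_blocks;
    return first_meta_bg;
}

/* Fill a descriptor buffer of desc_blocks blocks: one contiguous run of
 * first_meta_bg blocks, then the remaining blocks one at a time.
 * Returns the number of blocks written, or -1 if allocation fails. */
long load_descriptors(const struct toy_fs *fs)
{
    size_t bufsize = (size_t)fs->desc_blocks * fs->blocksize;
    uint8_t *buf = malloc(bufsize ? bufsize : 1);
    if (!buf)
        return -1;

    /* Without the clamp, a crafted s_first_meta_bg would make the
     * contiguous copy below run past the end of buf. */
    uint32_t first_meta_bg = clamp_first_meta_bg(fs);
    long written = 0;

    memset(buf, 0xAA, (size_t)first_meta_bg * fs->blocksize);
    written += first_meta_bg;

    for (uint32_t i = first_meta_bg; i < fs->desc_blocks; i++) {
        memset(buf + (size_t)i * fs->blocksize, 0xBB, fs->blocksize);
        written++;
    }
    free(buf);
    return written;
}
```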