Re: [SECURITY] [DSA 1422-1] New e2fsprogs packages fix arbitrary code execution

From: Nico Golde <debian-security+ml(at)ngolde.de>
Date: Fri Dec 07 2007 - 12:41:35 EST


Hi,
* Nico Golde <nion@debian.org> [2007-12-07 18:32]: [...]
> > Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs,
> > ext2 file system utilities and libraries, contained multiple
> > integer overflows in memory allocations, based on sizes taken directly
> > from filesystem information. These could result in heap-based
> > overflows potentially allowing the execution of arbitrary code.
> >
> > For the stable distribution (etch), this problem has been fixed in version
> > 1.39+1.40-WIP-2006.11.14+dfsg-2etch1.
> [...]
> e2fsck/swapfs.c: retval = ext2fs_get_mem(fs->blocksize * fs->inode_blocks_per_group,
> resize/resize2fs.c: retval = ext2fs_get_mem(fs->blocksize * fs->inode_blocks_per_group,
> resize/resize2fs.c: retval = ext2fs_get_mem(fs->blocksize *
> resize/resize2fs.c: retval = ext2fs_get_mem(rfs->old_fs->blocksize * 3, &block_buf);
> resize/extent.c: retval = ext2fs_get_mem(sizeof(struct ext2_extent_entry) *
>
> What about those, are they unimportant? They are still present in the etch code. I stumbled
> upon them while preparing a testing-security upload.

Sorry, this mail was originally only addressed to Steve but since I also got this mail through the debian-security list it ended up here now :)
Anyway, I looked again into these and from my point of view the released DSA is incomplete. I fixed those for testing-security by using get_mem_array as well.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion(at)jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Received on Fri Dec 7 12:46:45 2007
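
The class of bug discussed in this thread, shown as an added example that is not part of the original mail and is not e2fsprogs code: a size computed as a plain product of two on-disk values, next to an array-style allocator that rejects a product that would wrap. The function names, the 32-bit operand types and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: the product is computed in 32 bits and can wrap
 * before it ever reaches the allocator. (Hypothetical helper.) */
static uint32_t unchecked_size(uint32_t count, uint32_t size)
{
    return count * size;
}

/* Hypothetical checked array allocator, not the e2fsprogs function:
 * refuse any count/size pair whose product does not fit in 32 bits. */
static int checked_get_mem_array(uint32_t count, uint32_t size, void **ptr)
{
    size_t total;

    *ptr = NULL;
    if (count != 0 && size > UINT32_MAX / count)
        return ENOMEM;              /* product would wrap: reject */
    total = (size_t)count * size;
    *ptr = malloc(total ? total : 1);
    return *ptr ? 0 : ENOMEM;
}

int main(void)
{
    /* Constructed values standing in for fields read from a crafted
     * filesystem: 4096 * 0x00100001 = 2^32 + 4096. */
    uint32_t blocksize = 4096, blocks_per_group = 0x00100001u;
    void *buf;

    /* The wrapped size is tiny, but later code would still index the
     * buffer using the full, unwrapped element count. */
    printf("unchecked size: %u bytes\n",
           unchecked_size(blocks_per_group, blocksize));

    if (checked_get_mem_array(blocks_per_group, blocksize, &buf) != 0)
        printf("checked allocator: rejected\n");

    if (checked_get_mem_array(8, blocksize, &buf) == 0) {
        printf("checked allocator: sane request ok\n");
        free(buf);
    }
    return 0;
}
```
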
