Date: Sat, 11 Jan 2020 18:32:15 +0000 (UTC) From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r522701 - head/security/vuxml Message-ID: <202001111832.00BIWFx5029866@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mandree Date: Sat Jan 11 18:32:15 2020 New Revision: 522701 URL: https://svnweb.freebsd.org/changeset/ports/522701 Log: mark e2fsprogs vulnerable, CVE-2019-5188 Security: 8b61308b-322a-11ea-b34b-1de6fb24355d Security: CVE-2019-5188 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Jan 11 18:19:31 2020 (r522700) +++ head/security/vuxml/vuln.xml Sat Jan 11 18:32:15 2020 (r522701) @@ -58,6 +58,49 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="8b61308b-322a-11ea-b34b-1de6fb24355d"> + <topic>e2fsprogs -- rehash.c/pass 3a mutate_name() code execution vulnerability</topic> + <affects> + <package> + <name>e2fsprogs</name> + <range><lt>1.45.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Lilith of Cisco Talos reports:</p> + <blockquote cite="https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973">; + <p> + A code execution vulnerability exists in the directory rehashing + functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 + directory can cause an out-of-bounds write on the stack, resulting + in code execution. An attacker can corrupt a partition to trigger + this vulnerability. + </p> + </blockquote> + <p>Theodore Y. Ts'o reports:</p> + <blockquote cite="http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.5">; + <p> + E2fsprogs 1.45.5 [...:] Fix a potential out of bounds write when + checking a maliciously corrupted file system. This is probably not + exploitable on 64-bit platforms, but may be exploitable on 32-bit + binaries depending on how the compiler lays out the stack variables. + (Addresses CVE-2019-5188) + </p> + </blockquote> + </body> + </description> + <references> + <url>https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973</url>; + <url>http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.5</url>; + <cvename>CVE-2019-5188</cvename> + </references> + <dates> + <discovery>2019-12-18</discovery> + <entry>2020-01-08</entry> + </dates> + </vuln> + <vuln vid="16aed7b7-344a-11ea-9cdb-001b217b3468"> <topic>phpMyAdmin -- SQL injection</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202001111832.00BIWFx5029866>