1. CVE-Search
  2. CVE-2019-5094
ID CVE-2019-5094
Summary An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
References
Vulnerable Configurations
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.3:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.3:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.4:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.4:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.5:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.5:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.6:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.6:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.7:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.7:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.8:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.8:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.9:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.9:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.0:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.0:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.1:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.1:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.2:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.2:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.3:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.3:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.3:rc2:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.3:rc2:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.4:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.4:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.5:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.5:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.45.3:*:*:*:*:*:*:*
    cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.45.3:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
  • cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
CVSS
Base: 4.6 (as of 27-06-2022 - 17:23)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1788573
title e2fsprogs: Document supported features/options in ext4 man page
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 8 is installed
      oval oval:com.redhat.rhba:tst:20193384074
    • OR
      • AND
        • comment e2fsprogs is earlier than 0:1.45.4-3.el8
          oval oval:com.redhat.rhsa:tst:20201913001
        • comment e2fsprogs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913002
      • AND
        • comment e2fsprogs-debugsource is earlier than 0:1.45.4-3.el8
          oval oval:com.redhat.rhsa:tst:20201913003
        • comment e2fsprogs-debugsource is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913004
      • AND
        • comment e2fsprogs-devel is earlier than 0:1.45.4-3.el8
          oval oval:com.redhat.rhsa:tst:20201913005
        • comment e2fsprogs-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913006
      • AND
        • comment e2fsprogs-libs is earlier than 0:1.45.4-3.el8
          oval oval:com.redhat.rhsa:tst:20201913007
        • comment e2fsprogs-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913008
      • AND
        • comment libcom_err is earlier than 0:1.45.4-3.el8
          oval oval:com.redhat.rhsa:tst:20201913009
        • comment libcom_err is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913010
      • AND
        • comment libcom_err-devel is earlier than 0:1.45.4-3.el8
          oval oval:com.redhat.rhsa:tst:20201913011
        • comment libcom_err-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913012
      • AND
        • comment libss is earlier than 0:1.45.4-3.el8
          oval oval:com.redhat.rhsa:tst:20201913013
        • comment libss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913014
rhsa
id RHSA-2020:1913
released 2020-04-28
severity Moderate
title RHSA-2020:1913: e2fsprogs security, bug fix, and enhancement update (Moderate)
rpms
  • e2fsprogs-0:1.45.4-3.el8
  • e2fsprogs-debuginfo-0:1.45.4-3.el8
  • e2fsprogs-debugsource-0:1.45.4-3.el8
  • e2fsprogs-devel-0:1.45.4-3.el8
  • e2fsprogs-libs-0:1.45.4-3.el8
  • e2fsprogs-libs-debuginfo-0:1.45.4-3.el8
  • libcom_err-0:1.45.4-3.el8
  • libcom_err-debuginfo-0:1.45.4-3.el8
  • libcom_err-devel-0:1.45.4-3.el8
  • libss-0:1.45.4-3.el8
  • libss-debuginfo-0:1.45.4-3.el8
  • e2fsprogs-0:1.42.9-19.el7
  • e2fsprogs-debuginfo-0:1.42.9-19.el7
  • e2fsprogs-devel-0:1.42.9-19.el7
  • e2fsprogs-libs-0:1.42.9-19.el7
  • e2fsprogs-static-0:1.42.9-19.el7
  • libcom_err-0:1.42.9-19.el7
  • libcom_err-devel-0:1.42.9-19.el7
  • libss-0:1.42.9-19.el7
  • libss-devel-0:1.42.9-19.el7
refmap via4
bugtraq 20190929 [SECURITY] [DSA 4535-1] e2fsprogs security update
confirm https://security.netapp.com/advisory/ntap-20200115-0002/
debian DSA-4535
fedora
  • FEDORA-2020-01ed02451f
  • FEDORA-2020-a724cc7926
gentoo GLSA-202003-05
misc https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887
mlist [debian-lts-announce] 20190928 [SECURITY] [DLA 1935-1] e2fsprogs security update
ubuntu
  • USN-4142-1
  • USN-4142-2
Last major update 27-06-2022 - 17:23
Published 24-09-2019 - 22:15
Last modified 27-06-2022 - 17:23
Back to Top