ID CVE-2019-5188
Summary A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
References
Vulnerable Configurations
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.3:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.4:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.5:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.6:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.7:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.8:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.43.9:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.0:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.1:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.2:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.3:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.3:rc2:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.4:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.44.5:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.45.3:*:*:*:*:*:*:*
  • cpe:2.3:a:e2fsprogs_project:e2fsprogs:1.45.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
  • cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*
CVSS
Base: 4.4 (as of 12-05-2022 - 20:14)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
  • Vector: LOCAL
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:L/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1790048
title CVE-2019-5188 e2fsprogs: Out-of-bounds write in e2fsck/rehash.c
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 7 is installed
      oval oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment e2fsprogs is earlier than 0:1.42.9-19.el7
          oval oval:com.redhat.rhsa:tst:20204011001
        • comment e2fsprogs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913002
      • AND
        • comment e2fsprogs-devel is earlier than 0:1.42.9-19.el7
          oval oval:com.redhat.rhsa:tst:20204011003
        • comment e2fsprogs-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913006
      • AND
        • comment e2fsprogs-libs is earlier than 0:1.42.9-19.el7
          oval oval:com.redhat.rhsa:tst:20204011005
        • comment e2fsprogs-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913008
      • AND
        • comment e2fsprogs-static is earlier than 0:1.42.9-19.el7
          oval oval:com.redhat.rhsa:tst:20204011007
        • comment e2fsprogs-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20204011008
      • AND
        • comment libcom_err is earlier than 0:1.42.9-19.el7
          oval oval:com.redhat.rhsa:tst:20204011009
        • comment libcom_err is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913010
      • AND
        • comment libcom_err-devel is earlier than 0:1.42.9-19.el7
          oval oval:com.redhat.rhsa:tst:20204011011
        • comment libcom_err-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913012
      • AND
        • comment libss is earlier than 0:1.42.9-19.el7
          oval oval:com.redhat.rhsa:tst:20204011013
        • comment libss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20201913014
      • AND
        • comment libss-devel is earlier than 0:1.42.9-19.el7
          oval oval:com.redhat.rhsa:tst:20204011015
        • comment libss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20204011016
rhsa
id RHSA-2020:4011
released 2020-09-29
severity Moderate
title RHSA-2020:4011: e2fsprogs security and bug fix update (Moderate)
rpms
  • e2fsprogs-0:1.42.9-19.el7
  • e2fsprogs-debuginfo-0:1.42.9-19.el7
  • e2fsprogs-devel-0:1.42.9-19.el7
  • e2fsprogs-libs-0:1.42.9-19.el7
  • e2fsprogs-static-0:1.42.9-19.el7
  • libcom_err-0:1.42.9-19.el7
  • libcom_err-devel-0:1.42.9-19.el7
  • libss-0:1.42.9-19.el7
  • libss-devel-0:1.42.9-19.el7
refmap via4
confirm https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973
fedora
  • FEDORA-2020-01ed02451f
  • FEDORA-2020-a724cc7926
mlist
  • [debian-lts-announce] 20200324 [SECURITY] [DLA 2156-1] e2fsprogs security update
  • [debian-lts-announce] 20200726 [SECURITY] [DLA 2290-1] e2fsprogs security update
suse openSUSE-SU-2020:0166
ubuntu USN-4249-1
Last major update 12-05-2022 - 20:14
Published 08-01-2020 - 16:15
Last modified 12-05-2022 - 20:14