Vulnerability Details : CVE-2015-1572
Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.
Vulnerability category: OverflowExecute code
Products affected by CVE-2015-1572
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:a:e2fsprogs_project:e2fsprogs:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-1572
0.25%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 46 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-1572
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.6
|
MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
3.9
|
6.4
|
NIST |
CWE ids for CVE-2015-1572
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1572
-
http://www.securityfocus.com/bid/72709
e2fsprogs CVE-2015-1572 Incomplete Fix Local Heap Based Buffer Overflow Vulnerability
-
http://lists.opensuse.org/opensuse-updates/2015-06/msg00010.html
openSUSE-SU-2015:1006-1: moderate: Security update for e2fsprogs
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/150805.html
[SECURITY] Fedora 20 Update: e2fsprogs-1.42.12-3.fc20
-
http://www.debian.org/security/2015/dsa-3166
Debian -- Security Information -- DSA-3166-1 e2fsprogs
-
http://www.ubuntu.com/usn/USN-2507-1
USN-2507-1: e2fsprogs vulnerabilities | Ubuntu security notices
-
https://security.gentoo.org/glsa/201507-22
e2fsprogs: Arbitrary code execution (GLSA 201507-22) — Gentoo security
-
http://lists.opensuse.org/opensuse-updates/2015-06/msg00006.html
openSUSE-SU-2015:1002-1: moderate: Security update for e2fsprogs
-
http://www.mandriva.com/security/advisories?name=MDVSA-2015:068
mandriva.com
-
http://www.mandriva.com/security/advisories?name=MDVSA-2015:067
mandriva.com
-
https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73
ext2/e2fsprogs.git - Ext2/3/4 filesystem userspace utilitiesVendor Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/150606.html
[SECURITY] Fedora 21 Update: e2fsprogs-1.42.12-3.fc21
-
http://advisories.mageia.org/MGASA-2015-0088.html
Mageia Advisory: MGASA-2015-0088 - Updated e2fsprogs packages fix CVE-2015-1572
-
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00019.html
[security-announce] SUSE-SU-2015:1103-1: important: Security update for
Jump to