CVE-2015-8872
First published: Fri Jun 03 2016(Updated: )
The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an "off-by-two error."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =15.10 | |
| Ubuntu Linux | =16.04 | |
| SUSE openSUSE | =42.1 | |
| openSUSE libeconf | =13.2 | |
| dosfstools | <=3.0.28 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2016-06/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00014.html
- http://www.securityfocus.com/bid/90311
- http://www.ubuntu.com/usn/USN-2986-1
- https://blog.fuzzing-project.org/44-dosfstools-fsck.vfat-Several-invalid-memory-accesses.html
- https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
- https://github.com/dosfstools/dosfstools/issues/12
- https://github.com/dosfstools/dosfstools/releases/tag/v4.0
- https://lists.debian.org/debian-lts-announce/2020/05/msg00028.html
Frequently Asked Questions
What is the severity of CVE-2015-8872?
CVE-2015-8872 is considered a high severity vulnerability due to its potential to cause filesystem corruption and denial of service.
How do I fix CVE-2015-8872?
To fix CVE-2015-8872, upgrade to dosfstools version 4.0 or later.
What systems are affected by CVE-2015-8872?
CVE-2015-8872 affects dosfstools versions up to 3.0.28 on Ubuntu Linux 12.04, 14.04, 15.10, 16.04, and openSUSE 13.2 and 42.1.
What type of attack can be executed using CVE-2015-8872?
CVE-2015-8872 can allow attackers to corrupt a FAT12 filesystem or cause a denial-of-service condition through invalid memory access.
What is the technical detail behind CVE-2015-8872?
CVE-2015-8872 involves an off-by-two error triggered when writing an odd number of clusters to the third to last entry on a FAT12 filesystem.
- agent/type
- agent/remedy
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/15.10
- version/ubuntu linux/16.04
- vendor/opensuse
- canonical/suse opensuse
- version/suse opensuse/42.1
- canonical/opensuse libeconf
- version/opensuse libeconf/13.2
- vendor/dosfstools project
- canonical/dosfstools
- version/dosfstools/3.0.28