CVE-2019-5094

First published: Tue Sep 24 2019(Updated: )

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Credit: talos-cna@cisco.com talos-cna@cisco.com

Affected Software	Affected Version	How to fix
debian/e2fsprogs	<=1.44.5-1<=1.43.4-2<=1.44.5-1+deb10u1	1.45.4-1 1.44.5-1+deb10u2 1.43.4-2+deb9u1
E2fsprogs Project E2fsprogs	>=1.43.3<=1.45.3
Debian Debian Linux	=8.0
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0
Fedoraproject Fedora	=30
Fedoraproject Fedora	=31
Canonical Ubuntu Linux	=12.04
Canonical Ubuntu Linux	=14.04
Canonical Ubuntu Linux	=16.04
Canonical Ubuntu Linux	=18.04
Canonical Ubuntu Linux	=19.04
Netapp Hci Management Node
Netapp Solidfire
IBM Security Guardium	<=10.5
IBM Security Guardium	<=10.6
IBM Security Guardium	<=11.0
IBM Security Guardium	<=11.1
IBM Security Guardium	<=11.2
IBM Security Guardium	<=11.3
debian/e2fsprogs		1.46.2-2 1.47.0-2 1.47.1-1

Remedy

https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=8dbe7b475ec5e91ed767239f0e85880f416fc384

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-6455281

collector/debian-bugs
alias/CVE-2019-5094
collector/nvd-index
agent/type
collector/ibm-support
source/IBM
agent/software-canonical-lookup
agent/weakness
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/remedy
agent/references
agent/description
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
collector/security-tracker-debian
source/Debian
agent/author
agent/tags
collector/nvd-cve
source/NVD
agent/softwarecombine
agent/event
collector/usn-cve
source/Ubuntu
package-manager/debian
vendor/e2fsprogs project
canonical/e2fsprogs project e2fsprogs
version/e2fsprogs project e2fsprogs/1.43.3
version/e2fsprogs project e2fsprogs/1.45.3
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
version/debian debian linux/9.0
version/debian debian linux/10.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/30
version/fedoraproject fedora/31
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/12.04
version/canonical ubuntu linux/14.04
version/canonical ubuntu linux/16.04
version/canonical ubuntu linux/18.04
version/canonical ubuntu linux/19.04
vendor/netapp
canonical/netapp hci management node
canonical/netapp solidfire
vendor/ibm
canonical/ibm security guardium
version/ibm security guardium/10.5
version/ibm security guardium/10.6
version/ibm security guardium/11.0
version/ibm security guardium/11.1
version/ibm security guardium/11.2
version/ibm security guardium/11.3

CVE-2019-5094

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact