On Tue, May 22, 2018 at 03:57:41PM +0530, RAJESH DASARI wrote: > > Reason why i was upgrading because there seems to be some buffer > overrun issues in the blkid library and in the fsck program of > e2fsprogs. An attacker can use this to cause a denial of service and > this issue is fixed from 1.44.0 onwards. Can you be specific about which buffer overrun issues you are most concerned about? > I checked the git commit log and noticed that the below commit by ted > will fix the buffer over run issue. > https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=d8e5da0a3b94f7445ab8cdd629bfc561986e7501 > This particular fix is for a really innocuous buffer overrun issue. In the "attack" the user passes an insanely long file system type on the command-line. This can cause fsck to crash. But since fsck isn't setuid, it's really not a problem that can be exploited. I applied the fix because it's a bug, but it's not a security issue. Also note that on most modern distribution, blkid and fsck are provided by util-linux, and not by e2fsprogs. I can't speak to your system because I don't know what distribution you are running. As far as the problem you are complainng about in e2fsprogs 1.44.x, please supply (a) the full output of e2fsck which shows its complaint, and (b) the full output of dumpe2fs on the file system. Thanks, - Ted
