CVE-2015-8872 - OpenCVE

The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an "off-by-two error."

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux
Dosfstools Project	Dosfstools
Opensuse	Leap Opensuse

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::

Configuration 2 [-]

OR	cpe:2.3:o:opensuse:leap:42.1:::::::*
	cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Configuration 3 [-]

cpe:2.3:a:dosfstools_project:dosfstools:*:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-updates/2016-06/msg00001.html
http://lists.opensuse.org/opensuse-updates/2016-09/msg00014.html
http://www.securityfocus.com/bid/90311
http://www.ubuntu.com/usn/USN-2986-1
https://blog.fuzzing-project.org/44-dosfstools-fsck.vfat-Several-invalid-memory-accesses.html	Vendor Advisory
https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
https://github.com/dosfstools/dosfstools/issues/12	Vendor Advisory
https://github.com/dosfstools/dosfstools/releases/tag/v4.0	Patch
https://lists.debian.org/debian-lts-announce/2020/05/msg00028.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2016-06-03T14:00:00

Updated: 2020-05-30T17:06:05

Reserved: 2016-05-14T00:00:00

Link: CVE-2015-8872

JSON object: View

NVD Information

Status : Modified

Published: 2016-06-03T14:59:00.123

Modified: 2020-05-30T18:15:10.017

Link: CVE-2015-8872

JSON object: View

Redhat Information

No data.

CWE

CWE-189

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-05-08T00:00:00", "descriptions": [{"lang": "en", "value": "The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an \"off-by-two error.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-30T17:06:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "openSUSE-SU-2016:1461", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-06/msg00001.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dosfstools/dosfstools/releases/tag/v4.0"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dosfstools/dosfstools/issues/12"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.fuzzing-project.org/44-dosfstools-fsck.vfat-Several-invalid-memory-accesses.html"}, {"name": "USN-2986-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2986-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7"}, {"name": "openSUSE-SU-2016:2233", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00014.html"}, {"name": "90311", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/90311"}, {"name": "[debian-lts-announce] 20200530 [SECURITY] [DLA 2224-1] dosfstools security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00028.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8872", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an \"off-by-two error.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2016:1461", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-06/msg00001.html"}, {"name": "https://github.com/dosfstools/dosfstools/releases/tag/v4.0", "refsource": "CONFIRM", "url": "https://github.com/dosfstools/dosfstools/releases/tag/v4.0"}, {"name": "https://github.com/dosfstools/dosfstools/issues/12", "refsource": "CONFIRM", "url": "https://github.com/dosfstools/dosfstools/issues/12"}, {"name": "https://blog.fuzzing-project.org/44-dosfstools-fsck.vfat-Several-invalid-memory-accesses.html", "refsource": "MISC", "url": "https://blog.fuzzing-project.org/44-dosfstools-fsck.vfat-Several-invalid-memory-accesses.html"}, {"name": "USN-2986-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2986-1"}, {"name": "https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7", "refsource": "CONFIRM", "url": "https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7"}, {"name": "openSUSE-SU-2016:2233", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00014.html"}, {"name": "90311", "refsource": "BID", "url": "http://www.securityfocus.com/bid/90311"}, {"name": "[debian-lts-announce] 20200530 [SECURITY] [DLA 2224-1] dosfstools security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00028.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8872", "datePublished": "2016-06-03T14:00:00", "dateReserved": "2016-05-14T00:00:00", "dateUpdated": "2020-05-30T17:06:05", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dosfstools_project:dosfstools:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A02C944-1F02-4007-B4C2-E4751D47AE17", "versionEndIncluding": "3.0.28", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an \"off-by-two error.\""}, {"lang": "es", "value": "La funci\u00f3n set_fat en fat.c en dosfstools en versiones anteriores a 4.0 podr\u00eda permitir a atacantes corromper un sistema de archivos FAT12 o provocar una denegaci\u00f3n de servicio (lectura de memoria no v\u00e1lida y ca\u00edda) escribiendo un n\u00famero impar de clusters desde la tercera a la \u00faltima entrada en un sistema de archivos FAT12, lo que desencadena un \"off-by-two error\"."}], "id": "CVE-2015-8872", "lastModified": "2020-05-30T18:15:10.017", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-06-03T14:59:00.123", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2016-06/msg00001.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00014.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/90311"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2986-1"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://blog.fuzzing-project.org/44-dosfstools-fsck.vfat-Several-invalid-memory-accesses.html"}, {"source": "cve@mitre.org", "url": "https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/dosfstools/dosfstools/issues/12"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/dosfstools/dosfstools/releases/tag/v4.0"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00028.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-189"}], "source": "nvd@nist.gov", "type": "Primary"}]}