CVE-2022-1304: 
NixOS vulnerability analysis and mitigation

An out-of-bounds read/write vulnerability was found in e2fsprogs version 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem. The vulnerability was discovered and disclosed in April 2022 and affects the ext2/ext3/ext4 file system utilities (NVD, Ubuntu).

The vulnerability occurs in the ext2fsextentdelete() function within lib/ext2fs/extent.c when path->left is equal to -1, resulting in a call to memmove() with invalid arguments. The issue has been assigned a CVSS 3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (Red Hat Bugzilla, Ubuntu).

The vulnerability can lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). When successfully exploited, it can cause a segmentation fault and potentially allow arbitrary code execution through a specially crafted filesystem (Debian Security, Ubuntu).

Multiple vendors have released patches to address this vulnerability. Debian 11 (bullseye) has fixed the issue in version 1.46.2-2+deb11u1. Ubuntu has released fixes for various versions including 22.04 LTS (1.46.5-2ubuntu1.1), 20.04 LTS (1.45.5-2ubuntu1.1), and 18.04 LTS (1.44.1-1ubuntu1.4) (Debian LTS, Ubuntu).