Your message dated Sat, 28 Sep 2019 18:32:08 +0000
with message-id <[email protected]>
and subject line Bug#941139: fixed in e2fsprogs 1.44.5-1+deb10u2
has caused the Debian Bug report #941139,
regarding CVE-2019-5094: malicious fs can cause buffer overrun in e2fsck
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
941139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941139
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debian
Version: 1.44.5-1+deb10u1
Severity: grave
Tags: security
Justification: user security hole

E2fsprogs 1.45.4 contains a bugfix for CVE-2019-5094 / TALOS-2019-0887.
We need to backport commit 8dbe7b475ec5: "libsupport: add checks to
prevent buffer overrun bugs in quota code" to the versions of e2fsprogs
found in Debian Buster and Stretch.

The impact of this bug is that if an attacker can trick the system
into running e2fsck on an untrustworthy file system as root, a
maliciously crafted file system could result in a buffer overflow that
can result in arbitrary userspace memory modification.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing'), (900, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-00068-g7ec6dbcda3db (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: e2fsprogs
Source-Version: 1.44.5-1+deb10u2

We believe that the bug you reported is fixed in the latest version of
e2fsprogs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Theodore Y. Ts'o <[email protected]> (supplier of updated e2fsprogs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 25 Sep 2019 13:37:44 -0400
Source: e2fsprogs
Architecture: source
Version: 1.44.5-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Theodore Y. Ts'o <[email protected]>
Changed-By: Theodore Y. Ts'o <[email protected]>
Closes: 941139
Changes:
 e2fsprogs (1.44.5-1+deb10u2) buster-security; urgency=high
 .
   * Fix CVE-2019-5094: potential buffer overrun in e2fsck (Closes: #941139)


--- End Message ---