Your message dated Sat, 28 Sep 2019 18:36:27 +0000
with message-id <[email protected]>
and subject line Bug#941139: fixed in e2fsprogs 1.43.4-2+deb9u1
has caused the Debian Bug report #941139,
regarding CVE-2019-5094: malicious fs can cause buffer overrun in e2fsck
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
941139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941139
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debian
Version: 1.44.5-1+deb10u1
Severity: grave
Tags: security
Justification: user security hole
E2fsprogs 1.45.4 contains a bugfix for CVE-2019-5094 / TALOS-2019-0887.
We need to backport commit 8dbe7b475ec5: "libsupport: add checks to
prevent buffer overrun bugs in quota code" to the versions of e2fsprogs
found in Debian Buster and Stretch.
The impact of this bug is that if an attacker can trick the system
into running e2fsck on an untrustworthy file system as root, a
maliciously crafted file system could result in a buffer overflow that
can result in arbitrary userspace memory modification.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (900, 'testing'), (900, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.3.0-00068-g7ec6dbcda3db (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: e2fsprogs
Source-Version: 1.43.4-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
e2fsprogs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Theodore Y. Ts'o <[email protected]> (supplier of updated e2fsprogs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 25 Sep 2019 19:17:45 -0400
Source: e2fsprogs
Architecture: source
Version: 1.43.4-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Theodore Y. Ts'o <[email protected]>
Changed-By: Theodore Y. Ts'o <[email protected]>
Closes: 941139
Changes:
e2fsprogs (1.43.4-2+deb9u1) stretch-security; urgency=high
.
* Fix CVE-2019-5094: potential buffer overrun in e2fsck (Closes: #941139)
--- End Message ---