
Bug#1010264: CVE-2022-28391



On Wed, Apr 27, 2022 at 01:55:27PM +0200, Moritz Muehlenhoff wrote:
> Package: e2fsprogs
> Version: 1.46.5-2
> Severity: important
> 
> This issue was found by Alpine:
> https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
> 
> Details and the patches they used are in the report above, but the
> patches are not yet merged upstream; it might be worth waiting until
> that's fixed since the impact is rather low.

Um, going to that link results in the (closed) alpine bug from three
weeks ago:

"netstat is vulnerable to escape sequence injection (busybox)"

"Alpine ships BusyBox with the netstat applet enabled. This is
vulnerable to escape sequence injection when used from a VT-
compatible terminal. To exploit this vulnerability the PTR for a
remote host must contain an escape sequence and the victim has to
execute netstat. I've set up an example at [elided] with the PTR
resolving to \027[33\;46mlocalhost."

The string "e2fsprogs" appears nowhere on the page.

I've done a search on Alpine/aports looking for "e2fsprogs" and could
only find:

e2fsprogs can be uninstalled manually on systems that depend on it
#13584 · created 1 month ago by Álvaro Torralba


updated 1 month ago
modloop verification fails with apline usb drive when local disk partition has a alpine installation
#11136 · created 2 years ago by nico

Neither seems to be security-related.  Are you sure this was correctly
filed against e2fsprogs?

					- Ted

