
Re: [debian-lts] e2fsprogs package



Hello Nguyen,

first of all I noticed that "e2fsprogs" was not in "dla-needed.txt" but
that you added it yourself. I would suggest not doing that unless you
want to help with CVE triaging.

In this case, the issue has been marked "no-dsa" for wheezy by the
security team and this issue would have disappeared from
https://security-tracker.debian.org/tracker/status/release/oldstable once
someone from the LTS team had tagged it "no-dsa" for squeeze as well.

The best way to help the LTS team is to concentrate your efforts on issues
that have been classified as severe enough and that have been added to
data/dla-needed.txt by someone who has been doing CVE triaging.

That said, now that you prepared this update, I'm going to upload it.

On Tue, 10 Feb 2015, Nguyen Cong wrote:
> Oops, stupid mistakes.
> I have fixed it, could you please check it again.

It looks good. Did you test it?

When you're asking someone else to upload it for you, you need
to give us some confidence that the upload won't break anything.
As such, telling us the tests you did is a good idea.

Also the description you write for the announce should target
end users and not programmers. So "libext2fs was vulnerable to a potential
buffer overflow if s_first_meta_bg is too big. This fix doesn't correct
the bad value of s_first_meta_bg but avoids causing e2fsprogs userspace
programs from potential crashing." is not really satisfactory.

I would suggest something simpler:
« A broken (or maliciously crafted) file system could trigger a buffer
overflow in e2fsprogs. »

Anyway, I have tested the update and sent the package. The announce
will follow.

Thanks for your help!
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
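The announce text above describes the bug only as "a buffer overflow if s_first_meta_bg is too big". The following is an added example, not code from this thread or from e2fsprogs itself: a small C model of the pattern behind that description, where the group-descriptor buffer is sized from the filesystem geometry (desc_blocks) but the first contiguous read is sized from the untrusted on-disk s_first_meta_bg field. The struct, function names, the crafted superblock values and the clamp-to-desc_blocks mitigation are all my assumptions for illustration; the clamp reflects how I understand the upstream fix, not anything stated in the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the handful of ext2 superblock fields the
 * group-descriptor read path depends on (assumed subset, not the real
 * struct ext2_super_block). */
struct toy_super {
    uint32_t s_blocks_count;
    uint32_t s_blocks_per_group;
    uint32_t s_desc_size;        /* bytes per group descriptor (32 or 64) */
    uint32_t s_first_meta_bg;    /* read from disk, so attacker-controlled */
    int      meta_bg_feature;    /* INCOMPAT_META_BG set? */
};

#define TOY_BLOCKSIZE 1024u

/* Blocks spanned by the group-descriptor table, derived from the block
 * count and geometry. This is what the buffer is sized from. */
static uint32_t desc_blocks(const struct toy_super *sb, uint32_t blocksize)
{
    uint32_t groups = (sb->s_blocks_count + sb->s_blocks_per_group - 1)
                      / sb->s_blocks_per_group;
    uint32_t per_block = blocksize / sb->s_desc_size;
    return (groups + per_block - 1) / per_block;
}

/* Blocks read as one contiguous chunk before the META_BG layout takes
 * over. `fixed` selects the clamped version; without the clamp the
 * value from disk is trusted as-is. */
static uint32_t first_meta_bg_blocks(const struct toy_super *sb,
                                     uint32_t nd, int fixed)
{
    if (!sb->meta_bg_feature)
        return nd;               /* classic layout: whole table is contiguous */
    uint32_t first = sb->s_first_meta_bg;
    if (fixed && first > nd)
        first = nd;              /* bound the untrusted field by the buffer size */
    return first;
}

/* Bytes the first read would write into the descriptor buffer. */
static size_t first_read_bytes(const struct toy_super *sb,
                               uint32_t blocksize, int fixed)
{
    uint32_t nd = desc_blocks(sb, blocksize);
    return (size_t)first_meta_bg_blocks(sb, nd, fixed) * blocksize;
}

/* 1 if the first read stays inside the desc_blocks * blocksize buffer,
 * 0 if it would run past the end (the overflow the fix prevents). */
static int read_fits(const struct toy_super *sb, uint32_t blocksize, int fixed)
{
    size_t bufsize = (size_t)desc_blocks(sb, blocksize) * blocksize;
    return first_read_bytes(sb, blocksize, fixed) <= bufsize;
}

/* Constructed sample: an 8-group 1k-block filesystem whose descriptor
 * table fits in a single block, but whose superblock claims 64 blocks
 * precede the first meta block group. */
static const struct toy_super crafted = {
    .s_blocks_count     = 8 * 8192,
    .s_blocks_per_group = 8192,
    .s_desc_size        = 32,
    .s_first_meta_bg    = 64,
    .meta_bg_feature    = 1,
};

int main(void)
{
    uint32_t nd = desc_blocks(&crafted, TOY_BLOCKSIZE);
    printf("buffer: %u block(s) = %zu bytes\n", nd, (size_t)nd * TOY_BLOCKSIZE);
    printf("unfixed first read: %zu bytes, fits=%d\n",
           first_read_bytes(&crafted, TOY_BLOCKSIZE, 0),
           read_fits(&crafted, TOY_BLOCKSIZE, 0));
    printf("fixed first read:   %zu bytes, fits=%d\n",
           first_read_bytes(&crafted, TOY_BLOCKSIZE, 1),
           read_fits(&crafted, TOY_BLOCKSIZE, 1));
    return 0;
}
```

The point to take from the model is that the two quantities come from different sources: the buffer length is computed, the read length is copied from disk. Any program that mounts or inspects an image it did not create (fsck, debugfs, tools run on untrusted disk images) has to bound the on-disk field against the computed one before using it as a length.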