Backporting a security fix for e2fsprogs to Stable

To: debian-security@lists.debian.org
Subject: Backporting a security fix for e2fsprogs to Stable
From: "Theodore Y. Ts'o" <tytso@mit.edu>
Date: Mon, 23 Sep 2019 19:42:02 -0400
Message-id: <[🔎] 20190923234202.GA3776@mit.edu>

Hi, I just released e2fsprogs v1.45.4 (upstream and for Debian
unstable) which among other things, contains a fix[1] for
CVE-2019-5094 / TALOS-2019-0887.  I imagine Talos will be doing a full
disclosure with a proof-of-concept exploit within the next few days.

[1] https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=8dbe7b475ec5e91ed767239f0e85880f416fc384

The impact of this bug is that if an attacker can tricker the system
into running e2fsck on an untrustworthy file system as root, a
maliciously crafted file system could result in a buffer overflow that
can result in arbitrary userspace memory modification.  Hence,
weaponizing this vulnerability so allowing the attacker to run code as
whatever user ran e2fsck should be fairly simple.

What's the procedure with respect to getting this backported to the
vesion of e2fsprogs in Debian Stable?  Will you do it, or should I do
the backport?  I'm happy to create the backport, but then what's the
best way of getting this into Stable as efficiently as possible?

Thanks,

						- Ted

Reply to:

Follow-Ups:
- Re: Backporting a security fix for e2fsprogs to Stable
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: Upcoming oldstable point release (9.10)
Next by Date: Re: Backporting a security fix for e2fsprogs to Stable
Previous by thread: Mailbox for Sysadmin
Next by thread: Re: Backporting a security fix for e2fsprogs to Stable
Index(es):
- Date
- Thread