Re: Backporting a security fix for e2fsprogs to Stable

To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: debian-security@lists.debian.org, team@security.debian.org
Subject: Re: Backporting a security fix for e2fsprogs to Stable
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 24 Sep 2019 08:58:44 +0200
Message-id: <[🔎] 20190924065844.GA13426@lorien.valinor.li>
Mail-followup-to: "Theodore Y. Ts'o" <tytso@mit.edu>, debian-security@lists.debian.org, team@security.debian.org
In-reply-to: <[🔎] 20190923234202.GA3776@mit.edu>
References: <[🔎] 20190923234202.GA3776@mit.edu>

Hi Ted,

[FTR, this is on the security public discussion list, if you need to
contact the security team directly, you might use team@s.d.o or
security@d..o]

On Mon, Sep 23, 2019 at 07:42:02PM -0400, Theodore Y. Ts'o wrote:
> Hi, I just released e2fsprogs v1.45.4 (upstream and for Debian
> unstable) which among other things, contains a fix[1] for
> CVE-2019-5094 / TALOS-2019-0887.  I imagine Talos will be doing a full
> disclosure with a proof-of-concept exploit within the next few days.
> 
> [1] https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=8dbe7b475ec5e91ed767239f0e85880f416fc384
> 
> The impact of this bug is that if an attacker can tricker the system
> into running e2fsck on an untrustworthy file system as root, a
> maliciously crafted file system could result in a buffer overflow that
> can result in arbitrary userspace memory modification.  Hence,
> weaponizing this vulnerability so allowing the attacker to run code as
> whatever user ran e2fsck should be fairly simple.
> 
> What's the procedure with respect to getting this backported to the
> vesion of e2fsprogs in Debian Stable?  Will you do it, or should I do
> the backport?  I'm happy to create the backport, but then what's the
> best way of getting this into Stable as efficiently as possible?

We can release a DSA for this issue. Can you prepare proposed updates
for buster-security (and stretch-security, assuming it is affected as
well)? 

Speaking of procedure, depending on if an issue warrants a DSA, you
mgiht be redirected to the stable release managers for inclusion in a
point release. There are some guidelines as well in the dev-ref about
uploads for stable/oldstable (both for specifics on point releases and
security-updates via security.d.o). Usually please do send proposed
debdiffs then for a short review/ack for the upload to the security
team before uploading to security master.

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#s5.6.4
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
and
https://www.debian.org/security/faq

Does this helps?

Regards,
Salvatore

Reply to:

References:
- Backporting a security fix for e2fsprogs to Stable
  - From: "Theodore Y. Ts'o" <tytso@mit.edu>

Prev by Date: Backporting a security fix for e2fsprogs to Stable
Next by Date: Bug#941018: ibus 1.5.21-1 does not work with qt5 applications
Previous by thread: Backporting a security fix for e2fsprogs to Stable
Next by thread: Bug#941018: ibus 1.5.21-1 does not work with qt5 applications
Index(es):
- Date
- Thread