[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Backporting a security fix for e2fsprogs to Stable

Hi Ted,

[FTR, this is on the security public discussion list, if you need to
contact the security team directly, you might use team@s.d.o or

On Mon, Sep 23, 2019 at 07:42:02PM -0400, Theodore Y. Ts'o wrote:
> Hi, I just released e2fsprogs v1.45.4 (upstream and for Debian
> unstable) which among other things, contains a fix[1] for
> CVE-2019-5094 / TALOS-2019-0887.  I imagine Talos will be doing a full
> disclosure with a proof-of-concept exploit within the next few days.
> [1] https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=8dbe7b475ec5e91ed767239f0e85880f416fc384
> The impact of this bug is that if an attacker can tricker the system
> into running e2fsck on an untrustworthy file system as root, a
> maliciously crafted file system could result in a buffer overflow that
> can result in arbitrary userspace memory modification.  Hence,
> weaponizing this vulnerability so allowing the attacker to run code as
> whatever user ran e2fsck should be fairly simple.
> What's the procedure with respect to getting this backported to the
> vesion of e2fsprogs in Debian Stable?  Will you do it, or should I do
> the backport?  I'm happy to create the backport, but then what's the
> best way of getting this into Stable as efficiently as possible?

We can release a DSA for this issue. Can you prepare proposed updates
for buster-security (and stretch-security, assuming it is affected as

Speaking of procedure, depending on if an issue warrants a DSA, you
mgiht be redirected to the stable release managers for inclusion in a
point release. There are some guidelines as well in the dev-ref about
uploads for stable/oldstable (both for specifics on point releases and
security-updates via security.d.o). Usually please do send proposed
debdiffs then for a short review/ack for the upload to the security
team before uploading to security master.


Does this helps?


Reply to: