Your message dated Sun, 02 Feb 2020 19:17:08 +0000
with message-id <[email protected]>
and subject line Bug#948517: fixed in e2fsprogs 1.44.5-1+deb10u3
has caused the Debian Bug report #948517,
regarding e2fsprogs: malicious fs can cause use after free in e2fsck
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
948517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948517
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: e2fsprogs
Version:
Severity: grave
Tags: security
Justification: user security hole
E2fsprogs 1.45.5 contains a bug fix for a use after free which could
potentially be used to run malicious code if a user can be tricked into
running e2fsck on a maliciously crafted file system. The following
commit should be backported to Debian Buster (it is not applicable to
older versions of e2fsprogs):
101e73e9 - e2fsck: fix use after free in calculate_tree()
No exploit exists today as far as I know, but we should backport this
fix while we are addressing CVE-2019-5188 (Bug: #948508).
--- End Message ---
--- Begin Message ---
Source: e2fsprogs
Source-Version: 1.44.5-1+deb10u3
We believe that the bug you reported is fixed in the latest version of
e2fsprogs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Theodore Y. Ts'o <[email protected]> (supplier of updated e2fsprogs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 09 Jan 2020 20:19:57 -0500
Source: e2fsprogs
Architecture: source
Version: 1.44.5-1+deb10u3
Distribution: buster
Urgency: medium
Maintainer: Theodore Y. Ts'o <[email protected]>
Changed-By: Theodore Y. Ts'o <[email protected]>
Closes: 948508 948517
Changes:
e2fsprogs (1.44.5-1+deb10u3) buster; urgency=medium
.
* Fix CVE-2019-5188: potential stack underflow in e2fsck (Closes: #948508)
* Fix use after free in e2fsck (Closes: #948517)
Checksums-Sha1:
3415765e85e55240f8ba87d55333ff93f710c640 2903 e2fsprogs_1.44.5-1+deb10u3.dsc
4d02f7e775f06bdf8ed5c526df2776fb1290ad68 82412
e2fsprogs_1.44.5-1+deb10u3.debian.tar.xz
Checksums-Sha256:
acdc31d6fd491f9db97aabc96340559d8492b98e3549df32d8369690e03058dc 2903
e2fsprogs_1.44.5-1+deb10u3.dsc
0114857448922a218613f369f665f03f1b1435004c9d79ce5ee1a8a8a6cec53f 82412
e2fsprogs_1.44.5-1+deb10u3.debian.tar.xz
Files:
bf870a591ecae238eb9a2176aa89a885 2903 admin required
e2fsprogs_1.44.5-1+deb10u3.dsc
06b5d0e4023d94add08971e8e58c8264 82412 admin required
e2fsprogs_1.44.5-1+deb10u3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEK2m5VNv+CHkogTfJ8vlZVpUNgaMFAl4sbPkACgkQ8vlZVpUN
gaOcgAf+KiRHnD/Dyw5n2JxIQsWrcTMOUVlUnDJl2Kb8FYINmfPKGwxVw8EY5vYw
x4PzD+voyw4Js7SsE9pKxncwSehaqSuoMWeUYWIFlj5rBEDkyjRezPdGbSbm8qxp
M+QAvUV4RZMVXUK9pOq9xp4vKJhOb4+svVgZ4b+WAIiCWqj5JEVsYORujAj1CaNY
IigdWmAWfq/kskc3Rb4W8tzsfMeP+S6Q6m94P/YUzfRpKScCw/+5oePxVjB9QTPk
LFpFdtNgsnL8T37YGFITjxTFwJPRIYrYOHuHqWQEAWS/FKGllVDI8r/UnaSQjUrL
N+7Qd30WpIzhYprseJhuIc6J3/wCCA==
=dJMD
-----END PGP SIGNATURE-----
--- End Message ---
