On Wed, Apr 27, 2022 at 01:55:27PM +0200, Moritz Muehlenhoff wrote:
> Package: e2fsprogs
> Version: 1.46.5-2
> Severity: important
>
> This issue was found by Alpine:
> https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
>
> Details and the patches they used are in the report above, but the
> patches are not yet merged upstream, might be worth to wait until
> that's fixed since the impact is rather low.
Um, going to that link results in the (closed) alpine bug from three weeks ago:

    "netstat is vulnerable to escape sequence injection (busybox)"

    "Alpine ships BusyBox with the netstat applet enabled. This is vulnerable to
    escape sequence injection when used from an VT compatible terminal. To exploit
    this vulnerability the PTR for a remote host must contain a escape sequence
    and the victim has to execute netstat. I've set up an example at [elided]
    with the PTR resolving to \027[33\;46mlocalhost."

The string "e2fsprogs" appears nowhere on the page.

I've done a search on Alpine/aports looking for "e2fsprogs" and could only find:

    e2fsprogs can be uninstalled manually on systems that depend on it
    #13584 · created 1 month ago by Álvaro Torralba, updated 1 month ago

    modloop verification fails with apline usb drive when local disk partition has a alpine installation
    #11136 · created 2 years ago by nico

Neither seems to be security related. Are you sure this was correctly filed against e2fsprogs?

- Ted