Your message dated Sun, 02 Feb 2020 19:17:08 +0000
with message-id <e1iykk0-000j3o...@fasolo.debian.org>
and subject line Bug#948508: fixed in e2fsprogs 1.44.5-1+deb10u3
has caused the Debian Bug report #948508,
regarding CVE-2019-5188: malicious fs can cause stack underflow in e2fsck
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
948508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: e2fsprogs
Version: 1.43.4-2+deb9u1
Severity: grave
Tags: security
Justification: user security hole
E2fsprogs 1.45.5 contains a bug fix for CVE-2019-5188 / TALOS-2019-0973.
The following commits need to be backported to address this
vulnerability in Debian Buster and Debian Stretch:
8dd73c14 - e2fsck: abort if there is a corrupted directory block when rehashing
71ba1375 - e2fsck: don't try to rehash a deleted directory
The impact of this bug is that if an attacker can tricker the system
into running e2fsck on an untrustworthy file system, a maliciously
crafted file system could result in a stack underflow. The primary
concern is on 32-bit systems; due to limitations in the kind of stack
corruption which can be triggered due to this bug, it is probably not
exploitable on 64-bit systems.
--- End Message ---
--- Begin Message ---
Source: e2fsprogs
Source-Version: 1.44.5-1+deb10u3
We believe that the bug you reported is fixed in the latest version of
e2fsprogs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 948...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Theodore Y. Ts'o <ty...@mit.edu> (supplier of updated e2fsprogs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 09 Jan 2020 20:19:57 -0500
Source: e2fsprogs
Architecture: source
Version: 1.44.5-1+deb10u3
Distribution: buster
Urgency: medium
Maintainer: Theodore Y. Ts'o <ty...@mit.edu>
Changed-By: Theodore Y. Ts'o <ty...@mit.edu>
Closes: 948508 948517
Changes:
e2fsprogs (1.44.5-1+deb10u3) buster; urgency=medium
.
* Fix CVE-2019-5188: potential stack underflow in e2fsck (Closes: #948508)
* Fix use after free in e2fsck (Closes: #948517)
Checksums-Sha1:
3415765e85e55240f8ba87d55333ff93f710c640 2903 e2fsprogs_1.44.5-1+deb10u3.dsc
4d02f7e775f06bdf8ed5c526df2776fb1290ad68 82412
e2fsprogs_1.44.5-1+deb10u3.debian.tar.xz
Checksums-Sha256:
acdc31d6fd491f9db97aabc96340559d8492b98e3549df32d8369690e03058dc 2903
e2fsprogs_1.44.5-1+deb10u3.dsc
0114857448922a218613f369f665f03f1b1435004c9d79ce5ee1a8a8a6cec53f 82412
e2fsprogs_1.44.5-1+deb10u3.debian.tar.xz
Files:
bf870a591ecae238eb9a2176aa89a885 2903 admin required
e2fsprogs_1.44.5-1+deb10u3.dsc
06b5d0e4023d94add08971e8e58c8264 82412 admin required
e2fsprogs_1.44.5-1+deb10u3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEK2m5VNv+CHkogTfJ8vlZVpUNgaMFAl4sbPkACgkQ8vlZVpUN
gaOcgAf+KiRHnD/Dyw5n2JxIQsWrcTMOUVlUnDJl2Kb8FYINmfPKGwxVw8EY5vYw
x4PzD+voyw4Js7SsE9pKxncwSehaqSuoMWeUYWIFlj5rBEDkyjRezPdGbSbm8qxp
M+QAvUV4RZMVXUK9pOq9xp4vKJhOb4+svVgZ4b+WAIiCWqj5JEVsYORujAj1CaNY
IigdWmAWfq/kskc3Rb4W8tzsfMeP+S6Q6m94P/YUzfRpKScCw/+5oePxVjB9QTPk
LFpFdtNgsnL8T37YGFITjxTFwJPRIYrYOHuHqWQEAWS/FKGllVDI8r/UnaSQjUrL
N+7Qd30WpIzhYprseJhuIc6J3/wCCA==
=dJMD
-----END PGP SIGNATURE-----
--- End Message ---
