On Sat, Jun 04, 2016 at 05:32:08PM +0100, Adam D. Barratt wrote:
> For future reference, the generally expected workflow for fixes in
> stable is to file this bug _first_, attaching a proposed debdiff which
> is then discussed before any uploads occur. (Had that happened, we'd
> also likely have requested that the package version be 1.42.12-1.1
> +deb8u1.)
Sorry for the process screwup. Enclosed please find the debdiff. I'm happy to adjust and reupload if you would prefer. Cheers, - Ted diff -Nru e2fsprogs-1.42.12/debian/changelog e2fsprogs-1.42.12/debian/changelog --- e2fsprogs-1.42.12/debian/changelog 2015-02-21 21:18:20.000000000 -0500 +++ e2fsprogs-1.42.12/debian/changelog 2016-06-04 12:05:58.000000000 -0400 @@ -1,3 +1,12 @@ +e2fsprogs (1.42.12-2) jessie; urgency=medium + + * NMU acknowledge (closes: #778948) + * Disable prompts for time skew which is fudged in e2fsck (closes: #812141) + * Fix potential corruption of Hurd file systems by e2fsck + * Fix pointer bugs that could cause crashes in e2fsck and resize2fs + + -- Theodore Y. Ts'o <ty...@mit.edu> Sat, 04 Jun 2016 11:58:06 -0400 + e2fsprogs (1.42.12-1.1) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Nru e2fsprogs-1.42.12/debian/patches/e2fsck-fix-corruption-of-Hurd-filesystems.patch e2fsprogs-1.42.12/debian/patches/e2fsck-fix-corruption-of-Hurd-filesystems.patch --- e2fsprogs-1.42.12/debian/patches/e2fsck-fix-corruption-of-Hurd-filesystems.patch 1969-12-31 19:00:00.000000000 -0500 +++ e2fsprogs-1.42.12/debian/patches/e2fsck-fix-corruption-of-Hurd-filesystems.patch 2016-06-04 11:51:11.000000000 -0400 
@@ -0,0 +1,72 @@ +From 36769c606c270094df0431cbcab9932905adcedc Mon Sep 17 00:00:00 2001 +From: Justus Winter <4win...@informatik.uni-hamburg.de> +Date: Fri, 23 Jan 2015 10:15:57 -0500 +Subject: [PATCH] e2fsck: fix corruption of Hurd filesystems + +Previously, e2fsck accessed the field osd2.linux2.l_i_file_acl_high +field without checking that the filesystem is indeed created for +Linux. This lead to e2fsck constantly complaining about certain +nodes: + +i_file_acl_hi for inode XXX (/dev/console) is 32, should be zero. + +By "correcting" this problem, e2fsck would clobber the field +osd2.hurd2.h_i_mode_high. + +Properly guard access to the OS dependent fields. + +Signed-off-by: Theodore Ts'o <ty...@mit.edu> +--- + e2fsck/pass1.c | 14 ++++++++------ + e2fsck/pass2.c | 3 ++- + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c +index 50a8b99..3bf481f 100644 +--- a/e2fsck/pass1.c ++++ b/e2fsck/pass1.c +@@ -1082,7 +1082,8 @@ void e2fsck_pass1(e2fsck_t ctx) + if (inode->i_faddr || frag || fsize || + (LINUX_S_ISDIR(inode->i_mode) && inode->i_dir_acl)) + mark_inode_bad(ctx, ino); +- if (!(fs->super->s_feature_incompat & ++ if ((fs->super->s_creator_os == EXT2_OS_LINUX) && ++ !(fs->super->s_feature_incompat & + EXT4_FEATURE_INCOMPAT_64BIT) && + inode->osd2.linux2.l_i_file_acl_high != 0) + mark_inode_bad(ctx, ino); +@@ -2354,11 +2355,12 @@ static void check_blocks(e2fsck_t ctx, struct problem_context *pctx, + if (LINUX_S_ISREG(inode->i_mode) && + ext2fs_needs_large_file_feature(EXT2_I_SIZE(inode))) + ctx->large_files++; +- if ((pb.num_blocks != ext2fs_inode_i_blocks(fs, inode)) || +- ((fs->super->s_feature_ro_compat & +- EXT4_FEATURE_RO_COMPAT_HUGE_FILE) && +- (inode->i_flags & EXT4_HUGE_FILE_FL) && +- (inode->osd2.linux2.l_i_blocks_hi != 0))) { ++ if ((fs->super->s_creator_os == EXT2_OS_LINUX) && ++ ((pb.num_blocks != ext2fs_inode_i_blocks(fs, inode)) || ++ ((fs->super->s_feature_ro_compat & ++ 
EXT4_FEATURE_RO_COMPAT_HUGE_FILE) && ++ (inode->i_flags & EXT4_HUGE_FILE_FL) && ++ (inode->osd2.linux2.l_i_blocks_hi != 0)))) { + pctx->num = pb.num_blocks; + if (fix_problem(ctx, PR_1_BAD_I_BLOCKS, pctx)) { + inode->i_blocks = pb.num_blocks; +diff --git a/e2fsck/pass2.c b/e2fsck/pass2.c +index ddfe2eb..4acddae 100644 +--- a/e2fsck/pass2.c ++++ b/e2fsck/pass2.c +@@ -1365,7 +1365,8 @@ int e2fsck_process_bad_inode(e2fsck_t ctx, ext2_ino_t dir, + } + } + +- if (!(fs->super->s_feature_incompat & ++ if ((fs->super->s_creator_os == EXT2_OS_LINUX) && ++ !(fs->super->s_feature_incompat & + EXT4_FEATURE_INCOMPAT_64BIT) && + inode.osd2.linux2.l_i_file_acl_high != 0) { + pctx.num = inode.osd2.linux2.l_i_file_acl_high; +-- +2.5.0 + diff -Nru e2fsprogs-1.42.12/debian/patches/e2fsck-fix-dangling-pointer-when-dir_info-array-is-resized.patch e2fsprogs-1.42.12/debian/patches/e2fsck-fix-dangling-pointer-when-dir_info-array-is-resized.patch --- e2fsprogs-1.42.12/debian/patches/e2fsck-fix-dangling-pointer-when-dir_info-array-is-resized.patch 1969-12-31 19:00:00.000000000 -0500 +++ e2fsprogs-1.42.12/debian/patches/e2fsck-fix-dangling-pointer-when-dir_info-array-is-resized.patch 2016-06-04 11:52:26.000000000 -0400 
@@ -0,0 +1,51 @@ +From beec19ff21d41c84dbbc2ab8d0df25147912ff59 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" <darrick.w...@oracle.com> +Date: Wed, 5 Nov 2014 11:14:26 -0500 +Subject: [PATCH] e2fsck: fix dangling pointer when dir_info array is resized + +e2fsck uses an array to store directory usage information during pass +3; the usage context also contains a pointer to the last directory +looked up. When expanding the dir_info array, this cache pointer +needs to be cleared if the array resize changed the pointer location, +or else we'll later walk off the end of this dead pointer. + +Signed-off-by: Darrick J. Wong <darrick.w...@oracle.com> +Reported-by: Sami Liedes <sami.lie...@iki.fi> +Signed-off-by: Theodore Ts'o <ty...@mit.edu> +--- + e2fsck/dirinfo.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/e2fsck/dirinfo.c b/e2fsck/dirinfo.c +index 4a9019b..dab5a13 100644 +--- a/e2fsck/dirinfo.c ++++ b/e2fsck/dirinfo.c +@@ -121,7 +121,7 @@ static void setup_db(e2fsck_t ctx) + void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent) + { + struct dir_info_db *db; +- struct dir_info *dir, ent; ++ struct dir_info *dir, ent, *old_array; + int i, j; + errcode_t retval; + unsigned long old_size; +@@ -136,6 +136,7 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent) + if (ctx->dir_info->count >= ctx->dir_info->size) { + old_size = ctx->dir_info->size * sizeof(struct dir_info); + ctx->dir_info->size += 10; ++ old_array = ctx->dir_info->array; + retval = ext2fs_resize_mem(old_size, ctx->dir_info->size * + sizeof(struct dir_info), + &ctx->dir_info->array); +@@ -147,6 +148,8 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent) + ctx->dir_info->size -= 10; + return; + } ++ if (old_array != ctx->dir_info->array) ++ ctx->dir_info->last_lookup = NULL; + } + + ent.ino = ino; +-- +2.5.0 + diff -Nru e2fsprogs-1.42.12/debian/patches/e2fsck-fix-free-pointer-dereferences.patch 
e2fsprogs-1.42.12/debian/patches/e2fsck-fix-free-pointer-dereferences.patch --- e2fsprogs-1.42.12/debian/patches/e2fsck-fix-free-pointer-dereferences.patch 1969-12-31 19:00:00.000000000 -0500 +++ e2fsprogs-1.42.12/debian/patches/e2fsck-fix-free-pointer-dereferences.patch 2016-06-04 11:55:26.000000000 -0400 
@@ -0,0 +1,49 @@ +From ebdf895b43a1ce499e4d2556a201e2a753fc422f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <ty...@mit.edu> +Date: Wed, 8 Oct 2014 11:18:41 -0400 +Subject: [PATCH 2/2] e2fsck: fix free pointer dereferences + +Commit 47fee2ef6a23a introduces some free pointer dereference bugs by +not clearing ctx->fs after calling ext2fs_close_free(). + +Reported-by: Matthias Andree <mand...@freebsd.org> +Cc: Lukas Czerner <lczer...@redhat.com> +Signed-off-by: Theodore Ts'o <ty...@mit.edu> +--- + e2fsck/unix.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/e2fsck/unix.c b/e2fsck/unix.c +index 66debcd..10036e7 100644 +--- a/e2fsck/unix.c ++++ b/e2fsck/unix.c +@@ -458,7 +458,7 @@ static void check_if_skip(e2fsck_t ctx) + } + log_out(ctx, "\n"); + skip: +- ext2fs_close_free(&fs); ++ ext2fs_close_free(&ctx->fs); + e2fsck_free_context(ctx); + exit(FSCK_OK); + } +@@ -1462,7 +1462,7 @@ failure: + /* + * Restart in order to reopen fs but this time start mmp. + */ +- ext2fs_close_free(&fs); ++ ext2fs_close_free(&ctx->fs); + flags &= ~EXT2_FLAG_SKIP_MMP; + goto restart; + } +@@ -1692,7 +1692,7 @@ no_journal: + _("while resetting context")); + fatal_error(ctx, 0); + } +- ext2fs_close_free(&fs); ++ ext2fs_close_free(&ctx->fs); + goto restart; + } + if (run_result & E2F_FLAG_ABORT) +-- +2.5.0 + diff -Nru e2fsprogs-1.42.12/debian/patches/e2fsck-use-PROMPT_NONE-for-FUTURE_SB_LAST_-_FUDGED-problems.patch e2fsprogs-1.42.12/debian/patches/e2fsck-use-PROMPT_NONE-for-FUTURE_SB_LAST_-_FUDGED-problems.patch --- e2fsprogs-1.42.12/debian/patches/e2fsck-use-PROMPT_NONE-for-FUTURE_SB_LAST_-_FUDGED-problems.patch 1969-12-31 19:00:00.000000000 -0500 +++ e2fsprogs-1.42.12/debian/patches/e2fsck-use-PROMPT_NONE-for-FUTURE_SB_LAST_-_FUDGED-problems.patch 2016-06-04 11:47:18.000000000 -0400 
@@ -0,0 +1,41 @@ +From f096708126412c0569e40cfbd5740729976bf12a Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <ty...@mit.edu> +Date: Sat, 28 Mar 2015 21:39:54 -0400 +Subject: [PATCH] e2fsck: use PROMPT_NONE for FUTURE_SB_LAST_*_FUDGED problems + +This allows us to print a message warning the user that there is +something funny going on with their hardware clock (probably time zone +issues caused by trying to be compatible with legacy OS's such as +Windows), without triggering a full file system check. + +Signed-off-by: Theodore Ts'o <ty...@mit.edu> +--- + e2fsck/problem.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/e2fsck/problem.c b/e2fsck/problem.c +index 12cf836..f442a33 100644 +--- a/e2fsck/problem.c ++++ b/e2fsck/problem.c +@@ -386,14 +386,14 @@ static struct e2fsck_problem problem_table[] = { + /* Last mount time is in the future (fudged) */ + { PR_0_FUTURE_SB_LAST_MOUNT_FUDGED, + N_("@S last mount time is in the future.\n\t(by less than a day, " +- "probably due to the hardware clock being incorrectly set) "), +- PROMPT_FIX, PR_PREEN_OK | PR_NO_OK }, ++ "probably due to the hardware clock being incorrectly set)\n"), ++ PROMPT_NONE, PR_PREEN_OK | PR_NO_OK }, + + /* Last write time is in the future (fudged) */ + { PR_0_FUTURE_SB_LAST_WRITE_FUDGED, + N_("@S last write time is in the future.\n\t(by less than a day, " +- "probably due to the hardware clock being incorrectly set). "), +- PROMPT_FIX, PR_PREEN_OK | PR_NO_OK }, ++ "probably due to the hardware clock being incorrectly set)\n"), ++ PROMPT_NONE, PR_PREEN_OK | PR_NO_OK }, + + /* Block group checksum (latch question) is invalid. 
*/ + { PR_0_GDT_CSUM_LATCH, +-- +2.5.0 + diff -Nru e2fsprogs-1.42.12/debian/patches/resize2fs-fix-fs-blocksize-dereference-after-fs-has-been-freed.patch e2fsprogs-1.42.12/debian/patches/resize2fs-fix-fs-blocksize-dereference-after-fs-has-been-freed.patch --- e2fsprogs-1.42.12/debian/patches/resize2fs-fix-fs-blocksize-dereference-after-fs-has-been-freed.patch 1969-12-31 19:00:00.000000000 -0500 +++ e2fsprogs-1.42.12/debian/patches/resize2fs-fix-fs-blocksize-dereference-after-fs-has-been-freed.patch 2016-06-04 11:55:35.000000000 -0400 
@@ -0,0 +1,92 @@ +From deae5e809b524a3cca3ecf66be28058134575a02 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <ty...@mit.edu> +Date: Wed, 8 Oct 2014 12:09:35 -0400 +Subject: [PATCH] resize2fs: fix fs->blocksize dereference after fs has been + freed + +Commit 77255cf36944b introduced a use after free bug. + +Signed-off-by: Theodore Ts'o <ty...@mit.edu> +--- + resize/main.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/resize/main.c b/resize/main.c +index c107028..983d8c2 100644 +--- a/resize/main.c ++++ b/resize/main.c +@@ -181,6 +181,7 @@ int main (int argc, char ** argv) + ext2fs_struct_stat st_buf; + __s64 new_file_size; + unsigned int sys_page_size = 4096; ++ unsigned int blocksize; + long sysval; + int len, mount_flags; + char *mtpt; +@@ -366,7 +367,8 @@ int main (int argc, char ** argv) + * defaults and for making sure the new filesystem doesn't + * exceed the partition size. + */ +- retval = ext2fs_get_device_size2(device_name, fs->blocksize, ++ blocksize = fs->blocksize; ++ retval = ext2fs_get_device_size2(device_name, blocksize, + &max_size); + if (retval) { + com_err(program_name, retval, "%s", +@@ -386,8 +388,8 @@ int main (int argc, char ** argv) + } else { + new_size = max_size; + /* Round down to an even multiple of a pagesize */ +- if (sys_page_size > fs->blocksize) +- new_size &= ~((sys_page_size / fs->blocksize)-1); ++ if (sys_page_size > blocksize) ++ new_size &= ~((sys_page_size / blocksize)-1); + } + if (!EXT2_HAS_INCOMPAT_FEATURE(fs->super, + EXT4_FEATURE_INCOMPAT_64BIT)) { +@@ -423,7 +425,7 @@ int main (int argc, char ** argv) + * automatically extend it in a sparse fashion by writing the + * last requested block. 
+ */ +- new_file_size = ((__u64) new_size) * fs->blocksize; ++ new_file_size = ((__u64) new_size) * blocksize; + if ((__u64) new_file_size > + (((__u64) 1) << (sizeof(st_buf.st_size)*8 - 1)) - 1) + fd = -1; +@@ -437,13 +439,13 @@ int main (int argc, char ** argv) + fprintf(stderr, _("The containing partition (or device)" + " is only %llu (%dk) blocks.\nYou requested a new size" + " of %llu blocks.\n\n"), max_size, +- fs->blocksize / 1024, new_size); ++ blocksize / 1024, new_size); + exit(1); + } + if (new_size == ext2fs_blocks_count(fs->super)) { + fprintf(stderr, _("The filesystem is already %llu (%dk) " + "blocks long. Nothing to do!\n\n"), new_size, +- fs->blocksize / 1024); ++ blocksize / 1024); + exit(0); + } + if (mount_flags & EXT2_MF_MOUNTED) { +@@ -453,7 +455,7 @@ int main (int argc, char ** argv) + bigalloc_check(fs, force); + printf(_("Resizing the filesystem on " + "%s to %llu (%dk) blocks.\n"), +- device_name, new_size, fs->blocksize / 1024); ++ device_name, new_size, blocksize / 1024); + retval = resize_fs(fs, &new_size, flags, + ((flags & RESIZE_PERCENT_COMPLETE) ? + resize_progress_func : 0)); +@@ -470,7 +472,7 @@ int main (int argc, char ** argv) + exit(1); + } + printf(_("The filesystem on %s is now %llu (%dk) blocks long.\n\n"), +- device_name, new_size, fs->blocksize / 1024); ++ device_name, new_size, blocksize / 1024); + + if ((st_buf.st_size > new_file_size) && + (fd > 0)) { +-- +2.5.0 + diff -Nru e2fsprogs-1.42.12/debian/patches/series e2fsprogs-1.42.12/debian/patches/series --- e2fsprogs-1.42.12/debian/patches/series 2015-02-21 21:18:20.000000000 -0500 +++ e2fsprogs-1.42.12/debian/patches/series 2016-06-04 11:56:54.000000000 -0400 
@@ -1 +1,6 @@ CVE-2015-1572.patch +e2fsck-use-PROMPT_NONE-for-FUTURE_SB_LAST_-_FUDGED-problems.patch +e2fsck-fix-corruption-of-Hurd-filesystems.patch +e2fsck-fix-dangling-pointer-when-dir_info-array-is-resized.patch +e2fsck-fix-free-pointer-dereferences.patch +resize2fs-fix-fs-blocksize-dereference-after-fs-has-been-freed.patch
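Review bot: the version in the new debian/changelog entry (`e2fsprogs (1.42.12-2) jessie`, first line of that hunk) does not follow the stable-update convention asked for earlier in the thread, which would be `1.42.12-1.1+deb8u1` on top of the security team's NMU; a bare `-2` is indistinguishable from a later unstable upload of the same version and hides that this is a stable update of the NMU'd package. Suggest renaming the entry before reuploading and keeping the `NMU acknowledge (closes: #778948)` line so the 1.42.12-1.1 security change is recorded as merged.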
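Review bot: in the check_blocks hunk of e2fsck/pass1.c (@@ -2354,11 +2355,12 @@) the new `fs->super->s_creator_os == EXT2_OS_LINUX` guard wraps the whole condition, so the `pb.num_blocks != ext2fs_inode_i_blocks(fs, inode)` comparison is now skipped on non-Linux filesystems as well, not only the `l_i_blocks_hi` test that reads the OS-specific union member. If that is intended (for example because the i_blocks helper itself reads linux2 fields), the commit message should say so, since it only describes the `l_i_file_acl_high` / `h_i_mode_high` clobbering; otherwise narrow the guard to the `(inode->osd2.linux2.l_i_blocks_hi != 0)` sub-expression and keep the block-count check for every creator OS.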
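Review bot: the `(s_creator_os == EXT2_OS_LINUX) && !(s_feature_incompat & EXT4_FEATURE_INCOMPAT_64BIT) && l_i_file_acl_high != 0` test in the e2fsck/pass2.c hunk (@@ -1365,7 +1365,8 @@) is the third copy of the same guard, the other two being in the pass1.c hunks of the same patch. A small shared helper (an inline function or macro next to the other inode helpers) would keep the three sites from drifting the next time an OS-dependent field is consulted, and would make the `EXT2_OS_LINUX` requirement visible at each use instead of relying on readers to notice the union member name.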
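Review bot: in the second e2fsck/dirinfo.c hunk (@@ -147,6 +148,8 @@), `old_array != ctx->dir_info->array` compares a pointer whose object has already been freed whenever ext2fs_resize_mem moved the block, so the value of `old_array` is indeterminate in strict C terms at that point; the comparison works on every real platform, but unconditionally setting `ctx->dir_info->last_lookup = NULL` after a successful resize removes the reliance on it at the cost of a single extra lookup. Either way, a one-line comment stating that `last_lookup` points into `array` would explain to the next reader why a resize has to touch it at all.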
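Review bot: switching to `ext2fs_close_free(&ctx->fs)` in the e2fsck/unix.c hunk at @@ -1462,7 +1462,7 @@ clears `ctx->fs`, but the local `fs` that the old `ext2fs_close_free(&fs)` call operated on still holds the freed value when `goto restart` is taken; that is only safe if the restart path reassigns `fs` from `ctx->fs` before any use. The same applies to the @@ -1692 hunk, while the check_if_skip hunk (@@ -458) is harmless because the function exits immediately. Worth confirming the reassignment, or setting `fs = NULL` alongside the close, so the class of bug the commit message describes cannot come back through the local alias.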
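Review bot: with both entries changed to PROMPT_NONE in the e2fsck/problem.c hunk (@@ -386,14 +386,14 @@), the `PR_NO_OK` flag kept in `PR_PREEN_OK | PR_NO_OK` no longer has a question to apply to, so dropping it would make the table entries say what they do. The commit message also covers only the printed warning; since fix_problem's return value for a PROMPT_NONE entry is what the callers of PR_0_FUTURE_SB_LAST_MOUNT_FUDGED and PR_0_FUTURE_SB_LAST_WRITE_FUDGED act on, the description should state whether the fudged timestamp is still rewritten or now deliberately left alone.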
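Review bot: the last resize/main.c hunk (@@ -470,7 +472,7 @@) is the use after free the commit message refers to, since that printf reads `fs->blocksize` after `resize_fs()` has run; the substitutions at @@ -366, @@ -386, @@ -437 and @@ -453 happen before the resize and are consistency changes. Suggest the commit message name that site. Also, `blocksize` is declared without an initialiser at @@ -181 and first assigned at @@ -366, so any future early path that reaches the later printfs or the `sys_page_size / blocksize` division without passing that assignment would read an unset value; initialising it at the declaration and assigning it as soon as `fs` is opened would close that window.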
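Review bot: the debian/patches/series hunk appends the five new patches after CVE-2015-1572.patch; from the diffstats in the patches they touch disjoint files (problem.c, pass1.c and pass2.c, dirinfo.c, unix.c, resize/main.c), so the order cannot cause apply failures, but it differs from upstream commit order (the PROMPT_NONE patch, dated 2015-03-28, is listed first although it is the newest). Listing them in upstream order would make it easier to match the series against upstream history when a later stable update is prepared.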