Hi,

I just released e2fsprogs v1.45.4 (upstream and for Debian unstable) which, among other things, contains a fix[1] for CVE-2019-5094 / TALOS-2019-0887. I imagine Talos will be doing a full disclosure with a proof-of-concept exploit within the next few days.
[1] https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=8dbe7b475ec5e91ed767239f0e85880f416fc384

The impact of this bug is that if an attacker can trick the system into running e2fsck on an untrustworthy file system as root, a maliciously crafted file system could result in a buffer overflow that can result in arbitrary userspace memory modification. Hence, weaponizing this vulnerability so as to allow the attacker to run code as whatever user ran e2fsck should be fairly simple.

What's the procedure with respect to getting this backported to the version of e2fsprogs in Debian Stable? Will you do it, or should I do the backport? I'm happy to create the backport, but then what's the best way of getting this into Stable as efficiently as possible?

Thanks,

- Ted