Hi Ted, [FTR, this is on the security public discussion list, if you need to contact the security team directly, you might use team@s.d.o or security@d..o]
On Mon, Sep 23, 2019 at 07:42:02PM -0400, Theodore Y. Ts'o wrote:
> Hi, I just released e2fsprogs v1.45.4 (upstream and for Debian
> unstable) which among other things, contains a fix[1] for
> CVE-2019-5094 / TALOS-2019-0887. I imagine Talos will be doing a full
> disclosure with a proof-of-concept exploit within the next few days.
>
> [1] https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=8dbe7b475ec5e91ed767239f0e85880f416fc384
>
> The impact of this bug is that if an attacker can trick the system
> into running e2fsck on an untrustworthy file system as root, a
> maliciously crafted file system could result in a buffer overflow that
> can result in arbitrary userspace memory modification. Hence,
> weaponizing this vulnerability so allowing the attacker to run code as
> whatever user ran e2fsck should be fairly simple.
>
> What's the procedure with respect to getting this backported to the
> version of e2fsprogs in Debian Stable? Will you do it, or should I do
> the backport? I'm happy to create the backport, but then what's the
> best way of getting this into Stable as efficiently as possible?

We can release a DSA for this issue. Can you prepare proposed updates for buster-security (and stretch-security, assuming it is affected as well)?

Speaking of procedure, depending on whether an issue warrants a DSA, you might be redirected to the stable release managers for inclusion in a point release. There are some guidelines as well in the dev-ref about uploads for stable/oldstable (both for specifics on point releases and security-updates via security.d.o). Usually please do send proposed debdiffs then for a short review/ack for the upload to the security team before uploading to security master.

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#s5.6.4
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security

and https://www.debian.org/security/faq

Does this help?

Regards,
Salvatore
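As an added example, not part of the thread and not Debian's own tooling: a small POSIX sh helper that derives the version string and the debian/changelog stanza for a proposed buster-security or stretch-security upload, following the "+debXuN" version suffix and "<codename>-security" distribution conventions described in the dev-ref linked above. The suite-to-release-number table and the package versions in the comments are assumptions for illustration, not values taken from the archive.

```shell
#!/bin/sh
# Added example: version and changelog helpers for a stable-security
# upload. Conventions assumed (per dev-ref): stable updates append
# "+debXuN" (X = Debian release number, N = update counter) to the
# stable version, and the changelog targets "<codename>-security".
set -eu

# Suite codename -> Debian release number (assumed table; extend as needed).
release_number() {
    case "$1" in
        buster)  echo 10 ;;
        stretch) echo 9 ;;
        *) echo "unknown suite: $1" >&2; return 1 ;;
    esac
}

# security_version BASE_VERSION SUITE
# Placeholder inputs and results (illustrative versions, not archive facts):
#   1.44.5-1         buster  -> 1.44.5-1+deb10u1
#   1.44.5-1+deb10u1 buster  -> 1.44.5-1+deb10u2   (bump an existing update)
#   1.43.4-2+deb9u1  buster  -> error: suffix belongs to another release
security_version() {
    base="$1"
    rel=$(release_number "$2") || return 1
    case "$base" in
        *+deb${rel}u[0-9]*)
            # Already a stable update for this release: increment N.
            n=${base##*+deb${rel}u}
            prefix=${base%+deb${rel}u*}
            echo "${prefix}+deb${rel}u$((n + 1))" ;;
        *+deb[0-9]*u[0-9]*)
            # A +debXuN suffix for a different release: refuse rather than
            # silently produce a version that sorts wrongly against the suite.
            echo "version $base carries a suffix for another release" >&2
            return 1 ;;
        *)
            echo "${base}+deb${rel}u1" ;;
    esac
}

# changelog_entry SOURCE VERSION SUITE CVE DESCRIPTION MAINTAINER RFC2822_DATE
# Emits one debian/changelog stanza targeting <suite>-security with
# urgency=high, naming the CVE so the security tracker can match it.
changelog_entry() {
    src="$1"; ver="$2"; suite="$3"; cve="$4"; desc="$5"; who="$6"; when="$7"
    printf '%s (%s) %s-security; urgency=high\n\n' "$src" "$ver" "$suite"
    printf '  * %s (%s)\n\n' "$desc" "$cve"
    printf ' -- %s  %s\n' "$who" "$when"
}

# Usage (placeholder version and maintainer):
#   v=$(security_version 1.44.5-1 buster)
#   changelog_entry e2fsprogs "$v" buster CVE-2019-5094 \
#       'Backport upstream fix for buffer overflow in e2fsck' \
#       'Jane Doe <jane@example.org>' "$(date -R)"
```

Once the stanza is prepended to debian/changelog and the upstream commit is added under debian/patches, `dpkg-buildpackage -S` for the old and new source trees followed by `debdiff old.dsc new.dsc` yields the debdiff the reply asks to have sent to the security team for review before the upload to security-master.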