Bug 50298 - e2fsprogs: Multiple issues (4.4)
e2fsprogs: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P5 normal (vote)
: UCS 4.4-2-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-10-01 13:30 CEST by Quality Assurance
Modified: 2019-10-02 15:55 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) NVD


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2019-10-01 13:30:44 CEST
New Debian e2fsprogs 1.43.4-2+deb9u1A~4.4.2.201910011329 fixes:
This update addresses the following issue:
* An exploitable code execution vulnerability exists in the quota file  functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can  cause an out-of-bounds write on the heap, resulting in code execution. An  attacker can corrupt a partition to trigger this vulnerability.  (CVE-2019-5094)
Comment 1 Quality Assurance univentionstaff 2019-10-01 14:00:53 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/e2fsprogs_1.43.4-2A~4.3.0.201801041304.dsc
+++ apt/ucs_4.4-0-errata4.4-2/source/e2fsprogs_1.43.4-2+deb9u1A~4.4.2.201910011329.dsc
@@ -1,8 +1,10 @@
-1.43.4-2A~4.3.0.201801041304 [Thu, 04 Jan 2018 13:04:36 +0100] Univention builddaemon <buildd@univention.de>:
+1.43.4-2+deb9u1A~4.4.2.201910011329 [Tue, 01 Oct 2019 13:30:50 +0200] Univention builddaemon <buildd@univention.de>:
 
-  * UCS auto build. The following patches have been applied to the original source package
-    0001-Fix-parallel-FTBFS
-    01_inode_reatio
+  * UCS auto build. No patches were applied to the original source package
+
+1.43.4-2+deb9u1 [Wed, 25 Sep 2019 19:17:45 -0400] Theodore Y. Ts'o <tytso@mit.edu>:
+
+  * Fix CVE-2019-5094: potential buffer overrun in e2fsck (Closes: #941139)
 
 1.43.4-2 [Tue, 31 Jan 2017 19:54:55 -0500] Theodore Y. Ts'o <tytso@mit.edu>:
 

<http://10.200.17.11/4.4-2/#5941524933994691676>
Comment 2 Quality Assurance univentionstaff 2019-10-01 15:00:32 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/e2fsprogs_1.43.4-2A~4.3.0.201801041304.dsc
+++ apt/ucs_4.4-0-errata4.4-2/source/e2fsprogs_1.43.4-2+deb9u1A~4.4.2.201910011444.dsc
@@ -1,8 +1,12 @@
-1.43.4-2A~4.3.0.201801041304 [Thu, 04 Jan 2018 13:04:36 +0100] Univention builddaemon <buildd@univention.de>:
+1.43.4-2+deb9u1A~4.4.2.201910011444 [Tue, 01 Oct 2019 14:44:39 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Fix-parallel-FTBFS
     01_inode_reatio
+
+1.43.4-2+deb9u1 [Wed, 25 Sep 2019 19:17:45 -0400] Theodore Y. Ts'o <tytso@mit.edu>:
+
+  * Fix CVE-2019-5094: potential buffer overrun in e2fsck (Closes: #941139)
 
 1.43.4-2 [Tue, 31 Jan 2017 19:54:55 -0500] Theodore Y. Ts'o <tytso@mit.edu>:
 

<http://10.200.17.11/4.4-2/#8165997453451210168>
Comment 3 Philipp Hahn univentionstaff 2019-10-01 16:21:45 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-2] 0d5aaa5fd8 Bug #50298: e2fsprogs 1.43.4-2+deb9u1A~4.4.2.201910011444
 doc/errata/staging/e2fsprogs.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

[4.4-2] e4637f5b4b Bug #50298: e2fsprogs 1.43.4-2+deb9u1A~4.4.2.201910011329
 doc/errata/staging/e2fsprogs.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
Comment 4 Erik Damrose univentionstaff 2019-10-02 15:55:03 CEST
<http://errata.software-univention.de/ucs/4.4/292.html>