Package: debian
Version: 1.44.5-1+deb10u1
Severity: grave
Tags: security
Justification: user security hole

E2fsprogs 1.45.4 contains a bugfix for CVE-2019-5094 / TALOS-2019-0887.
We need to backport commit 8dbe7b475ec5: "libsupport: add checks to
prevent buffer overrun bugs in quota code" to the versions of e2fsprogs
found in Debian Buster and Stretch.

The impact of this bug is that if an attacker can trick the system into
running e2fsck on an untrustworthy file system as root, a maliciously
crafted file system could result in a buffer overflow that can result in
arbitrary userspace memory modification.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing'), (900, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-00068-g7ec6dbcda3db (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
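The class of bug described in the report (a block link read from an untrusted file system used as an index without a range check) can be illustrated without the real e2fsprogs code. The following is an added example written for this page; it is not the e2fsprogs fix, and the block layout (`struct blk_hdr`, 1 KiB blocks, a free list threaded through the blocks, block 0 as the terminator) is a hypothetical stand-in, not the on-disk quota format. It shows the offset the unchecked code would dereference for an attacker-chosen link, and a checked reader and list walk that reject out-of-range links and cycles.

```c
/* Added example (not e2fsprogs code): bounds-checking block links read from
 * an untrusted on-disk free list before using them as indices.  The layout
 * is hypothetical: fixed 1 KiB blocks whose free-list links are stored in
 * the blocks themselves, block 0 being the header and list terminator. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLK_SIZE 1024u      /* hypothetical block size */
#define NBLOCKS  4u         /* hypothetical number of blocks in the image */
#define LIST_END 0u         /* hypothetical terminator: block 0 is never free */

/* Hypothetical per-block header as stored on disk (attacker-controlled). */
struct blk_hdr {
    uint32_t next_free;
    uint32_t prev_free;
};

/* Byte offset that unchecked code would dereference for a link value.
 * A 32-bit link times 1 KiB can exceed the buffer by terabytes. */
uint64_t unchecked_offset(uint32_t blk)
{
    return (uint64_t)blk * BLK_SIZE;
}

/* Checked read: refuse any block whose bytes lie outside the file.
 * Returns 0 on success, -1 if blk is out of range. */
int read_blk_hdr(const uint8_t *file, size_t file_len, uint32_t blk,
                 struct blk_hdr *out)
{
    uint64_t off = (uint64_t)blk * BLK_SIZE;   /* 64-bit: no wrap */
    if (off + sizeof(*out) > file_len)
        return -1;
    memcpy(out, file + off, sizeof(*out));     /* avoids unaligned access */
    return 0;
}

/* Walk the free list from `start`, validating every link and bounding the
 * walk by the number of blocks (a crafted image can also form a cycle).
 * Returns the number of free blocks visited, or -1 on a corrupt list. */
int walk_free_list(const uint8_t *file, size_t file_len, uint32_t start)
{
    uint32_t blk = start;
    int visited = 0;
    struct blk_hdr h;

    while (blk != LIST_END) {
        if (visited >= (int)(file_len / BLK_SIZE))
            return -1;                          /* longer than possible: cycle */
        if (read_blk_hdr(file, file_len, blk, &h) != 0)
            return -1;                          /* link points outside the file */
        visited++;
        blk = h.next_free;
    }
    return visited;
}

/* Write a header into a constructed in-memory image (test fixture only). */
static void set_link(uint8_t *file, uint32_t blk, uint32_t next, uint32_t prev)
{
    struct blk_hdr h = { next, prev };
    memcpy(file + (size_t)blk * BLK_SIZE, &h, sizeof(h));
}

/* Constructed image: free list 1 -> 2 -> 3 -> end. */
static void build_good(uint8_t *file)
{
    memset(file, 0, NBLOCKS * BLK_SIZE);
    set_link(file, 1, 2, 0);
    set_link(file, 2, 3, 1);
    set_link(file, 3, LIST_END, 2);
}

int demo_good(void)                 /* expect 3 free blocks */
{
    uint8_t img[NBLOCKS * BLK_SIZE];
    build_good(img);
    return walk_free_list(img, sizeof(img), 1);
}

int demo_oob_link(void)             /* block 2 links to 0xFFFFFFFF: expect -1 */
{
    uint8_t img[NBLOCKS * BLK_SIZE];
    build_good(img);
    set_link(img, 2, 0xFFFFFFFFu, 1);
    return walk_free_list(img, sizeof(img), 1);
}

int demo_cycle(void)                /* block 3 links back to 1: expect -1 */
{
    uint8_t img[NBLOCKS * BLK_SIZE];
    build_good(img);
    set_link(img, 3, 1, 2);
    return walk_free_list(img, sizeof(img), 1);
}

int main(void)
{
    printf("good: %d, oob link: %d, cycle: %d\n",
           demo_good(), demo_oob_link(), demo_cycle());
    printf("unchecked offset for link 0xFFFFFFFF: %llu bytes (image is %u)\n",
           (unsigned long long)unchecked_offset(0xFFFFFFFFu), NBLOCKS * BLK_SIZE);
    return 0;
}
```

The two things the checked path adds are exactly what a fix for this bug class needs: the multiplication is done in 64 bits so a large 32-bit link cannot wrap to a small offset, and the comparison is against the real file length rather than against a value that itself came from the untrusted image. The visit bound also matters in practice, since a crafted free list that loops would otherwise keep a repair tool spinning even after the range checks are in place.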