Package: e2fsprogs Version: 1.43.4-2+deb9u1 Severity: grave Tags: security Justification: user security hole
E2fsprogs 1.45.5 contains a bug fix for CVE-2019-5188 / TALOS-2019-0973. The following commits need to be backported to address this vulnerability in Debian Buster and Debian Stretch: 8dd73c14 - e2fsck: abort if there is a corrupted directory block when rehashing 71ba1375 - e2fsck: don't try to rehash a deleted directory The impact of this bug is that if an attacker can tricker the system into running e2fsck on an untrustworthy file system, a maliciously crafted file system could result in a stack underflow. The primary concern is on 32-bit systems; due to limitations in the kind of stack corruption which can be triggered due to this bug, it is probably not exploitable on 64-bit systems.
