Your message dated Sun, 03 Jan 2021 16:33:45 +0000
with message-id <e1kw6k9-000aus...@fasolo.debian.org>
and subject line Bug#970941: fixed in f2fs-tools 1.14.0-1
has caused the Debian Bug report #970941,
regarding f2fs-tools: CVE-2020-6070
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
970941: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970941
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: f2fs-tools
Version: 1.11.0-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for f2fs-tools.

CVE-2020-6070[0]:
| An exploitable code execution vulnerability exists in the file system
| checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs
| file can cause a logic flaw and out-of-bounds heap operations,
| resulting in code execution. An attacker can provide a malicious file
| to trigger this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-6070
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6070
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2020-0988

Please adjust the affected versions in the BTS as needed.

Note, I did try to reach out to upstream to isolate the upstream
fixes, but got no response so far. In any case bullseye should
ideally get a newer version, thus the RC severity (orthogonally to it,
the issue would be no-dsa for buster).

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: f2fs-tools
Source-Version: 1.14.0-1
Done: Theodore Y. Ts'o <ty...@mit.edu>

We believe that the bug you reported is fixed in the latest version of
f2fs-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 970...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Theodore Y. Ts'o <ty...@mit.edu> (supplier of updated f2fs-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 30 Dec 2020 22:25:08 -0500
Source: f2fs-tools
Architecture: source
Version: 1.14.0-1
Distribution: unstable
Urgency: medium
Maintainer: Filesystems Group <filesystems-de...@lists.alioth.debian.org>
Changed-By: Theodore Y. Ts'o <ty...@mit.edu>
Closes: 896909 952318 970176 970941 973380
Changes:
 f2fs-tools (1.14.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #973380, #970176)
      - add IO cache to speed up fsck.f2fs run
      - support casefolding
      - support data compression
      - support zns zone-capacity
      - enhance fsck.f2fs for zoned device
      - enhance f2fs_io tool
   * NMU acknowledge (for 1.11.0-1.2), thanks to Paul Gevers
   * Dropped shared library packages since upstream is not capable of
     maintaining a stable ABI
 .
 f2fs-tools (1.13.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #970941)
      - enable VERITY by default on Android
      - introduce some preen mode in fsck.f2fs
      - add f2fs_io tool
      - add casefolding support
      - "lots of bug fixes"
   * Fix FTBFS caused by dh_makeshlibs 12.3 trying to add an shlibs line
     for f2fs-tools-udeb (Closes: #952318)
   * Add missing licenses in debian/copyright file
   * Don't package sg_write_buffer since it's just a copy of the program
     with the same name from sg3-utils, and so this results in a potential
     conflict.
 .
 f2fs-tools (1.12.0-1) unstable; urgency=medium
 .
   * Acknowledge NMU, thanks to Gregor Herrmann
   * New upstream release (Closes: #896909)
      - add android default configuration
      - fix resgid/resuid
      - add more sanity checks
      - fix corrupted quota in clean umount
      - add superblock checksum
   * Update for new shared library versions: libf2fs6 and libf2fs-format5
   * Update the debhelper compatibility level to 12
   * Transition to dbgsym packages
   * Updated Standards compliance to 4.4.0


--- End Message ---