From dadbe19448ed8e339f54326b2c874db27e13bf7a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Mon, 8 Aug 2022 17:09:17 +0200 Subject: Update tracking for CVE-2022-1184 --- active/CVE-2022-1184 | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/active/CVE-2022-1184 b/active/CVE-2022-1184 index 4d2e5af0..d4d8bae5 100644 --- a/active/CVE-2022-1184 +++ b/active/CVE-2022-1184 @@ -8,12 +8,18 @@ Notes: carnil> Ben, pelase double check if you agree on the triage. It is carnil> based on the additional information provided in the SUSE carnil> bugzilla. + carnil> Turns out that 46c116b920eb ("ext4: verify dir block before + carnil> splitting it") and 3ba733f879c2 ("ext4: avoid cycles in + carnil> directory h-tree") are not the upstream fixes, but according to + carnil> Lukas Czerner the following is needed: + carnil> 65f8ea4cd57d ("ext4: check if directory block is within + carnil> i_size") to fix the CVE and additional as defensive measure + carnil> b8a04fe77ef1 ("ext4: make sure ext4_append() always allocates + carnil> new block"). Bugs: -upstream: released (5.19-rc1) [46c116b920ebec58031f0a78c5ea9599b0d2a371, 3ba733f879c2a88910744647e41edeefbc0d92b2] -5.10-upstream-stable: released (5.10.121) [da2f05919238c7bdc6e28c79539f55c8355408bb, ff4cafa51762da3824881a9000ca421d4b78b138] -4.19-upstream-stable: released (4.19.247) [78398c2b2cc14f9a9c8592cf6d334c5a479ed611, b3ad9ff6f06c1dc6abf7437691c88ca3d6da3ac0] -4.9-upstream-stable: released (4.9.318) [93bbf0498ba20eadcd7132bd3cfdaff54eb72751] -sid: released (5.18.5-1) -5.10-bullseye-security: released (5.10.127-1) -4.19-buster-security: released (4.19.249-1) -4.9-stretch-security: ignored "EOL" +upstream: pending [65f8ea4cd57dbd46ea13b41dc8bac03176b04233] +5.10-upstream-stable: needed +4.19-upstream-stable: needed +sid: needed +5.10-bullseye-security: needed +4.19-buster-security: needed -- cgit v1.2.3
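Review bot: In the status block at the end of the hunk, the `upstream:` field lists only 65f8ea4cd57d, while the new note also names b8a04fe77ef1 ("ext4: make sure ext4_append() always allocates new block") as an additional defensive measure. Please state in the note or the field whether the `needed` stable and security branches should carry both commits or only the first, so a backporter does not have to infer it. The same block deletes the `4.9-upstream-stable` and `4.9-stretch-security` lines outright instead of updating them, and the previous `ignored "EOL"` marker disappears with them. If dropping those branches is intended, a short line in the notes saying so would keep the record clear. It would also help to keep a note that 46c116b920eb and 3ba733f879c2 already shipped in 5.10.121, 4.19.247, 5.18.5-1, 5.10.127-1 and 4.19.249-1, since those versions are removed here and a reader can no longer tell that they contain the earlier changes but not the actual fix.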