ntfs: Mark it as broken, and add CVE IDs that are being closed

debian/changelog

@@ -809,6 +809,7 @@ linux (4.19.34-1) UNRELEASED; urgency=medium
   * [armel/marvell,sh4] linux-image: Recommend apparmor, like all other configs
   * udeb: Drop unused ntfs-modules packages
   * ntfs: Disable NTFS_FS due to lack of upstream security support
+    (CVE-2018-12929, CVE-2018-12930, CVE-2018-12931)
 
   [ YunQiang Su ]
   * [mips*r6] Re-enable CONFIG_JUMP_LABEL, which has been fixed in upstream.

debian/patches/debian/ntfs-mark-it-as-broken.patch

@@ -0,0 +1,19 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 25 Apr 2019 15:31:33 +0100
+Subject: ntfs: mark it as broken
+
+NTFS has unfixed issues CVE-2018-12929, CVE-2018-12930, and
+CVE-2018-12931.  ntfs-3g is a better supported alternative.
+
+Make sure it can't be enabled even in custom kernels.
+
+---
+--- a/fs/ntfs/Kconfig
++++ b/fs/ntfs/Kconfig
+@@ -1,5 +1,6 @@
+ config NTFS_FS
+ 	tristate "NTFS file system support"
++	depends on BROKEN
+ 	select NLS
+ 	help
+ 	  NTFS is the file system of Microsoft Windows NT, 2000, XP and 2003.

debian/patches/series

@@ -147,6 +147,7 @@ features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.pat
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
+debian/ntfs-mark-it-as-broken.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch