From cda3581467f80a066a3eed80518eca3baec50afe Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 25 Apr 2019 15:35:56 +0100 Subject: [PATCH] ntfs: Mark it as broken, and add CVE IDs that are being closed --- debian/changelog | 1 + .../debian/ntfs-mark-it-as-broken.patch | 19 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 21 insertions(+) create mode 100644 debian/patches/debian/ntfs-mark-it-as-broken.patch diff --git a/debian/changelog b/debian/changelog index e14b373e9..b9f6f24ef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -809,6 +809,7 @@ linux (4.19.34-1) UNRELEASED; urgency=medium * [armel/marvell,sh4] linux-image: Recommend apparmor, like all other configs * udeb: Drop unused ntfs-modules packages * ntfs: Disable NTFS_FS due to lack of upstream security support + (CVE-2018-12929, CVE-2018-12930, CVE-2018-12931) [ YunQiang Su ] * [mips*r6] Re-enable CONFIG_JUMP_LABEL, which has been fixed in upstream. diff --git a/debian/patches/debian/ntfs-mark-it-as-broken.patch b/debian/patches/debian/ntfs-mark-it-as-broken.patch new file mode 100644 index 000000000..733b286d6 --- /dev/null +++ b/debian/patches/debian/ntfs-mark-it-as-broken.patch @@ -0,0 +1,19 @@ +From: Ben Hutchings +Date: Thu, 25 Apr 2019 15:31:33 +0100 +Subject: ntfs: mark it as broken + +NTFS has unfixed issues CVE-2018-12929, CVE-2018-12930, and +CVE-2018-12931. ntfs-3g is a better supported alternative. + +Make sure it can't be enabled even in custom kernels. + +--- +--- a/fs/ntfs/Kconfig ++++ b/fs/ntfs/Kconfig +@@ -1,5 +1,6 @@ + config NTFS_FS + tristate "NTFS file system support" ++ depends on BROKEN + select NLS + help + NTFS is the file system of Microsoft Windows NT, 2000, XP and 2003. diff --git a/debian/patches/series b/debian/patches/series index 8356a6077..203bc14e4 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -147,6 +147,7 @@ features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.pat # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch +debian/ntfs-mark-it-as-broken.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch
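Review bot: In the debian/changelog hunk, the added line attaches the three CVE IDs to the existing "Disable NTFS_FS" entry, but nothing in the changelog records that this commit also adds debian/ntfs-mark-it-as-broken.patch, which changes fs/ntfs/Kconfig so the option cannot be turned back on in a custom build. Suggest a separate bullet, or an extra clause such as "and mark it as depending on BROKEN", so that someone rebuilding from this source package finds the reason in the changelog rather than only in the patch description.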
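Review bot: In the fs/ntfs/Kconfig hunk of the new ntfs-mark-it-as-broken.patch, "depends on BROKEN" is added without a comment and the help text below it is left unchanged, so a configuration that previously set CONFIG_NTFS_FS loses the symbol silently on the next oldconfig and the option disappears from menuconfig with no explanation. Suggest a Kconfig comment next to the new dependency, or a sentence in the help text, naming CVE-2018-12929, CVE-2018-12930 and CVE-2018-12931 and pointing to ntfs-3g as the patch description does. The patch header carries only From, Date and Subject; a "Forwarded: not-needed" field would document that this change is Debian-specific.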