CVE-2007-5159 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5159): The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g package in Ubuntu 7.10/Gutsy, assign incorrect permissions (setuid root) to mount.ntfs-3g, which allows local users with fuse group membership to read from and write to arbitrary block devices, possibly involving a file descriptor leak.
The ebuild sets the suid on /bin/ntfs-3g, and /sbin/mount.ntfs-3g is a symlink to this file, so it seems we are affected by this, too. Maintainer, please advise and/or create a fixed ebuild.
(In reply to comment #1) > The ebuild sets the suid on /bin/ntfs-3g, and /sbin/mount.ntfs-3g is a symlink > to this file, so it seems we are affected by this, too. Maintainer, please > advise and/or create a fixed ebuild. > Uh... - we only do this with USE=suid set - we explicitely warn users about possible consequences <snip> ewarn "You have chosen to install ${PN} with the binary setuid root. This" ewarn "means that if there any undetected vulnerabilities in the binary," ewarn "then local users may be able to gain root access on your machine." </snip> - removing suid bit is supposed to be a fix? That's a joke, right?
As Jakub pointed out, by default this does not affect us, and we explicitly warn the user about the possibility of vulnerabilities if they enable setting suid. Frankly, I don't think it is an issue, if you disagree please explain why you think it is still an issue.
Fine then, closing.
reopening since it is not "fixed" at all...
and closing as WONTFIX (or INVALID perhaps) since nothing will be changed.
