From URL: ---- NTFS-3G could be made to overwrite files as the administrator. USN-2617-1 fixed a vulnerability in FUSE. This update provides the corresponding fix for the embedded FUSE copy in NTFS-3G. Tavis Ormandy discovered that FUSE incorrectly filtered environment variables. A local attacker could use this issue to gain administrative privileges. ---- Regrettably, it seems upstream have not made a release yet to rectify this issue. I have extracted and attached Debian's patch on the version 2014.2.15 which is currently stable in our tree. http://www.ubuntu.com/usn/usn-2617-2 http://www.ubuntu.com/usn/usn-2617-3/ https://security-tracker.debian.org/tracker/CVE-2015-3202 Reproducible: Always
Created attachment 404428 [details, diff] Patch from Debian for the same version that we have in stable.
i've added 2015.3.4 to the tree, but i don't think it includes all the fixes
CVE-2015-3202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3202): fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.
(In reply to SpanKY from comment #2) > i've added 2015.3.4 to the tree, but i don't think it includes all the fixes Any updates?
Ping on stabilization?
Ping. Any updates here?
Versions 2015.3.14, 2016.2.22 have been checked in but are not stable. Please advise if they contain this fix and call for stabilization if appropriate.
should be fine to stabilize 2015.3.14, although still see comment #2. someone should go through the code/patches and make sure that actually fixes things.
Arches, please test and mark stable: =sys-fs/ntfs3g-2015.3.14 Target Keywords : "alpha amd64 arm ppc ppc64 sparc x86"
(In reply to SpanKY from comment #8) > should be fine to stabilize 2015.3.14, although still see comment #2. > someone should go through the code/patches and make sure that actually fixes > things. Can someone familiar with ntfs3g please check what Vapier is saying here, we might need to either split up or include the bug.
Stable on alpha.
amd64 stable
arm stable
Stable for PPC64.
x86 stable
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), please drop the vulnerable version(s).
Please clean the vulnerable versions
This is not fixed in Gentoo! Regarding comment #2: This was fixed upstream via https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/99cb156ae5307c20df842949703adbd4b80c32fa/ git tag --contains 99cb156ae5307c20df842949703adbd4b80c32fa | sort 2016.2.15 2016.2.22 Changing rating to C1 because "external-fuse" USE flag is set per default so Gentoo users have to disable that flag on their own to be affected. @ Arches, please test and mark stable: =sys-fs/ntfs3g-2016.2.22-r1
ping for final arches.
ppc64 stable
sparc stable. Maintainer(s), please cleanup.
commit eaa66acd25712407b16ce615285574ad17e2fde7 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Wed Jan 11 13:03:49 2017 sys-fs/ntfs3g: Security cleanup (bug #550970). Package-Manager: Portage-2.3.3, Repoman-2.3.1
This issue was resolved and addressed in GLSA 201701-19 at https://security.gentoo.org/glsa/201701-19 by GLSA coordinator Aaron Bauman (b-man).
