| Summary: | sys-fs/ntfs3g Privilege Escalation (CVE-2007-5159) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | major | CC: | chutzpah, jakub |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B1 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Tobias Heinlein (RETIRED)
The ebuild sets the suid on /bin/ntfs-3g, and /sbin/mount.ntfs-3g is a symlink to this file, so it seems we are affected by this, too. Maintainer, please advise and/or create a fixed ebuild.

(In reply to comment #1)
> The ebuild sets the suid on /bin/ntfs-3g, and /sbin/mount.ntfs-3g is a symlink
> to this file, so it seems we are affected by this, too. Maintainer, please
> advise and/or create a fixed ebuild.

Uh...

- we only do this with USE=suid set
- we explicitly warn users about possible consequences

<snip>
ewarn "You have chosen to install ${PN} with the binary setuid root. This"
ewarn "means that if there any undetected vulnerabilities in the binary,"
ewarn "then local users may be able to gain root access on your machine."
</snip>

- removing suid bit is supposed to be a fix? That's a joke, right?

As Jakub pointed out, by default this does not affect us, and we explicitly warn the user about the possibility of vulnerabilities if they enable setting suid. Frankly, I don't think it is an issue; if you disagree, please explain why you think it is still an issue.

Fine then, closing.

reopening since it is not "fixed" at all... and closing as WONTFIX (or INVALID perhaps) since nothing will be changed.