Summary: | <sys-fs/ntfs3g-2016.2.22 [-external-fuse]: incorrect filtering of environment variables could cause privilege escalation (CVE-2015-3202)
---|---
Product: | Gentoo Security
Reporter: | Sam James <sam>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | major
CC: | base-system, chutzpah, kroemmelbein, pacho, ssuominen
Priority: | Normal
Flags: | kensington: sanity-check+
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://www.ubuntu.com/usn/usn-2617-2
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=607912
Whiteboard: | C1 [glsa cve]
Package list: | sys-fs/ntfs3g-2016.2.22-r1
Runtime testing required: | ---
Description
Sam James
Created attachment 404428 [details, diff]
Patch from Debian for the same version that we have in stable.
i've added 2015.3.4 to the tree, but i don't think it includes all the fixes

CVE-2015-3202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3202): fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.

(In reply to SpanKY from comment #2)
> i've added 2015.3.4 to the tree, but i don't think it includes all the fixes

Any updates?

Ping on stabilization?

Ping. Any updates here?

Versions 2015.3.14, 2016.2.22 have been checked in but are not stable. Please advise if they contain this fix and call for stabilization if appropriate.

should be fine to stabilize 2015.3.14, although still see comment #2. someone should go through the code/patches and make sure that actually fixes things.

Arches, please test and mark stable:
=sys-fs/ntfs3g-2015.3.14
Target Keywords : "alpha amd64 arm ppc ppc64 sparc x86"

(In reply to SpanKY from comment #8)
> should be fine to stabilize 2015.3.14, although still see comment #2.
> someone should go through the code/patches and make sure that actually fixes
> things.

Can someone familiar with ntfs3g please check what Vapier is saying here, we might need to either split up or include the bug.

Stable on alpha.

amd64 stable

arm stable

Stable for PPC64.

x86 stable

ppc stable

sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Maintainer(s), please drop the vulnerable version(s).

Please clean the vulnerable versions

This is not fixed in Gentoo!

Regarding comment #2: This was fixed upstream via https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/99cb156ae5307c20df842949703adbd4b80c32fa/

git tag --contains 99cb156ae5307c20df842949703adbd4b80c32fa | sort
2016.2.15
2016.2.22

Changing rating to C1 because "external-fuse" USE flag is set per default so Gentoo users have to disable that flag on their own to be affected.

@ Arches, please test and mark stable:
=sys-fs/ntfs3g-2016.2.22-r1

Stable on alpha.

amd64 stable

x86 stable

arm stable

ping for final arches.

ppc stable

ppc64 stable

sparc stable.

Maintainer(s), please cleanup.

commit eaa66acd25712407b16ce615285574ad17e2fde7
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Wed Jan 11 13:03:49 2017

sys-fs/ntfs3g: Security cleanup (bug #550970).

Package-Manager: Portage-2.3.3, Repoman-2.3.1

This issue was resolved and addressed in GLSA 201701-19 at https://security.gentoo.org/glsa/201701-19 by GLSA coordinator Aaron Bauman (b-man).
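The CVE description quoted in this thread is about a privileged helper handing its caller's environment to a program it runs as root. The following is an added example, not code from FUSE, ntfs-3g or this bug report: it contrasts an inherited environment with a fixed one passed explicitly to `execve`. The names `run_helper`, `helper_sees_mtab_override` and `CLEAN_ENV`, the PATH value, and the use of `/bin/sh` as a stand-in for mount are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed environment for the helper: nothing from the caller is inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Hypothetical wrapper: run argv[0] and return its exit status (-1 on error).
 * inherit=1 passes the caller's environment through (the unsafe pattern);
 * inherit=0 passes only CLEAN_ENV (the hardened pattern). */
int run_helper(char *const argv[], int inherit)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, inherit ? environ : CLEAN_ENV);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* /bin/sh stands in for mount(8): it exits 0 only if LIBMOUNT_MTAB is set
 * in the environment it was started with. Returns 1 if the variable
 * reached the helper, 0 if it was filtered out. */
int helper_sees_mtab_override(int inherit)
{
    char *const argv[] = { "/bin/sh", "-c",
                           "[ -n \"${LIBMOUNT_MTAB+set}\" ]", NULL };
    /* Constructed value; simulates what an unprivileged caller controls. */
    setenv("LIBMOUNT_MTAB", "/tmp/constructed-example", 1);
    return run_helper(argv, inherit) == 0;
}

int main(void)
{
    printf("inherited env: %d\n", helper_sees_mtab_override(1));
    printf("clean env:     %d\n", helper_sees_mtab_override(0));
    return 0;
}
```

Building the child's environment from an allow-list, rather than deleting known-bad names from the inherited one, also covers variables the helper's author did not anticipate.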