Summary: | <sys-fs/ntfs3g-2016.2.22-r2: incorrect filtering of environment variables leading to privilege escalation (CVE-2017-0358) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | base-system, chutzpah |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2017/02/01/8 | | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=550152 https://bugs.gentoo.org/show_bug.cgi?id=550970 | | |
Whiteboard: | C1 [glsa cve] | | |
Package list: | =sys-fs/ntfs3g-2016.2.22-r2 | | |
Runtime testing required: | No | | |

Description
Agostino Sarubbo
2017-02-01 13:03:18 UTC
Looks like CVE-2015-3202 (bug 550152 and bug 550970) but now in the ntfs-3g driver itself.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63ab8f5018576fc957feef2f1cc35fc7aabd12df

Version bump done, should be fine to stabilize, the patch looks pretty harmless.

@arches, please stabilize.

Stable on alpha.

Adjusting rating: Local user could escalate privileges. However, default Gentoo installation is not affected because "suid" USE flag isn't set per default.

New GLSA request filed.

(In reply to Thomas Deutschmann from comment #5)
> Adjusting rating: Local user could escalate privileges. However, default
> Gentoo installation is not affected because "suid" USE flag isn't set per
> default.

Thomas, my interpretation of what is stated here: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html is about the configuration not the installation. So when a vulnerability applies if you modify the configuration on your own. Everyone can have suid in make.conf. I think B1 is more appropriate.

(In reply to Agostino Sarubbo from comment #6)
> my interpretation of what is stated here:
> https://www.gentoo.org/support/security/vulnerability-treatment-policy.html
> is about the configuration not the installation. So when a vulnerability
> applies if you modify the configuration on your own.
> Everyone can have suid in make.conf. I think B1 is more appropriate.

Default configuration == Package defaults + base profile USE flags. I.e. the configuration which will be installed when a user hasn't changed anything.

In this specific case: Package isn't present on at least 1/20 installations. So it is already B. But like said, you need to enable "suid" USE flag which isn't set in the package nor in any profile per default so it requires a specific configuration, i.e. "C".

amd64 stable

x86 stable

ppc stable

arm stable

sparc stable

ppc64 stable.

@ Maintainer(s): Please cleanup and drop =sys-fs/ntfs3g-2016.2.22-r1!

commit 1c8c5231343c9300a0b2a6adba38f41bde30ba71
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Sat Feb 18 00:22:23 2017

sys-fs/ntfs3g: Security cleanup (bug #607912).

Package-Manager: Portage-2.3.3, Repoman-2.3.1

This issue was resolved and addressed in GLSA 201702-10 at https://security.gentoo.org/glsa/201702-10 by GLSA coordinator Thomas Deutschmann (whissi).