Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 550970 - <sys-fs/ntfs3g-2016.2.22 [-external-fuse]: incorrect filtering of environment variables could cause privilege escalation (CVE-2015-3202)
Summary: <sys-fs/ntfs3g-2016.2.22 [-external-fuse]: incorrect filtering of environment...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: http://www.ubuntu.com/usn/usn-2617-2
Whiteboard: C1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-01 19:33 UTC by Sam James
Modified: 2017-02-04 11:47 UTC (History)
5 users (show)

See Also:
Package list:
sys-fs/ntfs3g-2016.2.22-r1
Runtime testing required: ---
kensington: sanity-check+


Attachments
Patch from Debian for the same version that we have in stable. (debian_0002-CVE-2015-3202.patch,3.12 KB, patch)
2015-06-01 19:34 UTC, Sam James
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-01 19:33:45 UTC
From URL:
----
NTFS-3G could be made to overwrite files as the administrator. 

USN-2617-1 fixed a vulnerability in FUSE. This update provides the
corresponding fix for the embedded FUSE copy in NTFS-3G.

Tavis Ormandy discovered that FUSE incorrectly filtered environment
variables. A local attacker could use this issue to gain administrative
privileges.
----

Regrettably, it seems upstream have not made a release yet to rectify this issue.
I have extracted and attached Debian's patch on the version 2014.2.15 which is currently stable in our tree.

http://www.ubuntu.com/usn/usn-2617-2
http://www.ubuntu.com/usn/usn-2617-3/
https://security-tracker.debian.org/tracker/CVE-2015-3202

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-01 19:34:36 UTC
Created attachment 404428 [details, diff]
Patch from Debian for the same version that we have in stable.
Comment 2 SpanKY gentoo-dev 2015-06-08 15:53:41 UTC
i've added 2015.3.4 to the tree, but i don't think it includes all the fixes
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-07-06 04:04:50 UTC
CVE-2015-3202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3202):
  fusermount in FUSE before 2.9.3-15 does not properly clear the environment
  before invoking (1) mount or (2) umount as root, which allows local users to
  write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable
  that is used by mount's debugging feature.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-07-16 11:53:06 UTC
(In reply to SpanKY from comment #2)
> i've added 2015.3.4 to the tree, but i don't think it includes all the fixes

Any updates?
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 14:37:45 UTC
Ping on stabilization?
Comment 6 Frank Krömmelbein 2016-02-02 22:28:04 UTC
Ping. Any updates here?
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2016-04-23 03:28:57 UTC
Versions 2015.3.14, 2016.2.22 have been checked in but are not stable. Please advise if they contain this fix and call for stabilization if appropriate.
Comment 8 SpanKY gentoo-dev 2016-05-23 19:34:43 UTC
should be fine to stabilize 2015.3.14, although still see comment #2.  someone should go through the code/patches and make sure that actually fixes things.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2016-06-06 18:23:25 UTC
Arches, please test and mark stable:

=sys-fs/ntfs3g-2015.3.14

Target Keywords : "alpha amd64 arm ppc ppc64 sparc x86"
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2016-06-06 18:25:36 UTC
(In reply to SpanKY from comment #8)
> should be fine to stabilize 2015.3.14, although still see comment #2. 
> someone should go through the code/patches and make sure that actually fixes
> things.

Can someone familiar with ntfs3g please check what Vapier is saying here, we might need to either split up or include the bug.
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-07 07:14:13 UTC
Stable on alpha.
Comment 12 Agostino Sarubbo gentoo-dev 2016-06-10 13:01:59 UTC
amd64 stable
Comment 13 Markus Meier gentoo-dev 2016-06-11 13:17:43 UTC
arm stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-16 08:54:52 UTC
Stable for PPC64.
Comment 15 Agostino Sarubbo gentoo-dev 2016-06-27 08:48:35 UTC
x86 stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-07-08 07:55:22 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-07-08 10:04:04 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2016-09-07 01:48:11 UTC
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2016-10-31 05:03:57 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2016-11-20 05:49:03 UTC
Please clean the vulnerable versions
Comment 21 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-03 00:23:28 UTC
This is not fixed in Gentoo! Regarding comment #2:

This was fixed upstream via https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/99cb156ae5307c20df842949703adbd4b80c32fa/

git tag --contains 99cb156ae5307c20df842949703adbd4b80c32fa | sort
2016.2.15
2016.2.22


Changing rating to C1 because "external-fuse" USE flag is set per default so Gentoo users have to disable that flag on their own to be affected.


@ Arches,

please test and mark stable: =sys-fs/ntfs3g-2016.2.22-r1
Comment 22 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-05 15:49:10 UTC
Stable on alpha.
Comment 23 Agostino Sarubbo gentoo-dev 2016-12-06 11:50:55 UTC
amd64 stable
Comment 24 Agostino Sarubbo gentoo-dev 2016-12-06 11:53:45 UTC
x86 stable
Comment 25 Markus Meier gentoo-dev 2016-12-17 15:22:20 UTC
arm stable
Comment 26 Aaron Bauman (RETIRED) gentoo-dev 2016-12-31 06:47:00 UTC
ping for final arches.
Comment 27 Agostino Sarubbo gentoo-dev 2017-01-01 12:45:56 UTC
ppc stable
Comment 28 Agostino Sarubbo gentoo-dev 2017-01-03 10:39:50 UTC
ppc64 stable
Comment 29 Agostino Sarubbo gentoo-dev 2017-01-11 10:38:10 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 30 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-11 12:05:10 UTC
commit eaa66acd25712407b16ce615285574ad17e2fde7
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Jan 11 13:03:49 2017

    sys-fs/ntfs3g: Security cleanup (bug #550970).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 31 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:08:04 UTC
This issue was resolved and addressed in
 GLSA 201701-19 at https://security.gentoo.org/glsa/201701-19
by GLSA coordinator Aaron Bauman (b-man).