Bug 607912 (CVE-2017-0358) - <sys-fs/ntfs3g-2016.2.22-r2: incorrect filtering of environment variables leading to privilege escalation (CVE-2017-0358)
Summary: <sys-fs/ntfs3g-2016.2.22-r2: incorrect filtering of environment variables lea...
Status: RESOLVED FIXED
Alias: CVE-2017-0358
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: C1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-01 13:03 UTC by Agostino Sarubbo
Modified: 2017-02-19 12:14 UTC
CC List: 2 users

See Also:
Package list:
=sys-fs/ntfs3g-2016.2.22-r2
Runtime testing required: No
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-02-01 13:03:18 UTC
From ${URL} :

Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
NTFS driver for FUSE, does not scrub the environment before
executing modprobe to load the fuse module. This influences the behavior
of modprobe (MODPROBE_OPTIONS environment variable, --config and
--dirname options), potentially allowing for local root privilege
escalation if ntfs-3g is installed setuid. This is the case for Debian,
Ubuntu and probably Gentoo.

This problem has been in the source since 2008, maybe earlier.
The fix is easy, use execle instead of execl and pass NULL as
environment variables.
-- cut --
--- ntfs-3g/src/lowntfs-3g.c.ref        2016-12-31 08:56:59.011749600 +0100
+++ ntfs-3g/src/lowntfs-3g.c    2017-01-05 14:41:52.041473700 +0100
@@ -4291,13 +4291,14 @@
        struct stat st;
        pid_t pid;
        const char *cmd = "/sbin/modprobe";
+       char *env = (char*)NULL;
        struct timespec req = { 0, 100000000 };   /* 100 msec */
        fuse_fstype fstype;

        if (!stat(cmd, &st) && !geteuid()) {
                pid = fork();
                if (!pid) {
-                       execl(cmd, cmd, "fuse", NULL);
+                       execle(cmd, cmd, "fuse", NULL, &env);
                        _exit(1);
                } else if (pid != -1)
                        waitpid(pid, NULL, 0);
--- ntfs-3g/src/ntfs-3g.c.ref   2016-12-31 08:56:59.022518700 +0100
+++ ntfs-3g/src/ntfs-3g.c       2017-01-05 15:45:45.912499400 +0100
@@ -3885,13 +3885,14 @@
        struct stat st;
        pid_t pid;
        const char *cmd = "/sbin/modprobe";
+       char *env = (char*)NULL;
        struct timespec req = { 0, 100000000 };   /* 100 msec */
        fuse_fstype fstype;

        if (!stat(cmd, &st) && !geteuid()) {
                pid = fork();
                if (!pid) {
-                       execl(cmd, cmd, "fuse", NULL);
+                       execle(cmd, cmd, "fuse", NULL, &env);
                        _exit(1);
                } else if (pid != -1)
                        waitpid(pid, NULL, 0);
-- cut --

CVE-2017-0358 is assigned to this issue by Salvatore Bonaccorso,
Debian Security Team.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
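As an added example (not code from ntfs-3g, the advisory or the Gentoo commit), the following C program shows the difference the patch above makes: a child spawned with the parent's inherited environment can see a caller-planted MODPROBE_OPTIONS, a child spawned with an empty environment (the advisory's fix) cannot, and an allowlist-based scrub keeps only named variables. The allowlist, the MODPROBE_OPTIONS value and the use of `/bin/sh -c 'test -n "$NAME"'` as a stand-in for `/sbin/modprobe` are assumptions of this demo; it runs unprivileged and loads no modules.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Variables a privileged helper may legitimately need; everything else in the
 * caller's environment (MODPROBE_OPTIONS, LD_*, ...) is dropped. The list is
 * an assumption of this demo, not taken from ntfs-3g or modprobe. */
static const char *const allowlist[] = { "TZ", NULL };

/* The advisory's fix expressed as a named array: an environment with no entries. */
char *const empty_env[] = { NULL };

void free_env(char **env)
{
    if (!env)
        return;
    for (char **p = env; *p; p++)
        free(*p);
    free(env);
}

/* Copy only allowlisted NAME=VALUE entries from src into a fresh
 * NULL-terminated array. Returns NULL on allocation failure. */
char **scrub_env(char *const *src)
{
    size_t n = 0, cap = 8;
    char **out = malloc(cap * sizeof *out);
    if (!out)
        return NULL;
    out[0] = NULL;
    for (; src && *src; src++) {
        const char *eq = strchr(*src, '=');
        if (!eq)
            continue;                       /* malformed entry: drop it */
        size_t len = (size_t)(eq - *src);
        int keep = 0;
        for (const char *const *a = allowlist; *a; a++)
            if (strlen(*a) == len && memcmp(*a, *src, len) == 0)
                keep = 1;
        if (!keep)
            continue;
        if (n + 1 >= cap) {
            char **grown = realloc(out, cap * 2 * sizeof *out);
            if (!grown) { free_env(out); return NULL; }
            out = grown;
            cap *= 2;
        }
        out[n] = strdup(*src);
        out[n + 1] = NULL;                  /* keep the array terminated */
        if (!out[n]) { free_env(out); return NULL; }
        n++;
    }
    return out;
}

/* Run `sh -c 'test -n "$NAME"'` as a child with exactly the given environment
 * (execve, never execl) and report whether the child could see NAME.
 * 1 = visible, 0 = not visible, -1 = error. `test` is a shell builtin, so the
 * child needs no PATH even when env is empty. */
int child_sees_var(const char *name, char *const *env)
{
    char script[128];
    if (snprintf(script, sizeof script, "test -n \"$%s\"", name) >= (int)sizeof script)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "sh", "-c", script, NULL };
        execve("/bin/sh", argv, env);
        _exit(127);                         /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Play the local attacker: plant a modprobe option override in our own
 * environment, as any caller of a setuid ntfs-3g could. Returns 0 on success. */
int plant_attacker_env(void)
{
    /* hypothetical value; -C points modprobe at a caller-controlled config */
    return setenv("MODPROBE_OPTIONS", "-C /tmp/attacker.conf", 1)
         | setenv("TZ", "UTC", 1);
}

/* Spawn with the allowlisted copy of our environment and report whether the
 * child sees `name`. */
int scrubbed_child_sees(const char *name)
{
    char **env = scrub_env(environ);
    if (!env)
        return -1;
    int seen = child_sees_var(name, env);
    free_env(env);
    return seen;
}

int main(void)
{
    plant_attacker_env();
    printf("inherited env (execl):  MODPROBE_OPTIONS visible = %d\n",
           child_sees_var("MODPROBE_OPTIONS", environ));
    printf("empty env (execle fix): MODPROBE_OPTIONS visible = %d\n",
           child_sees_var("MODPROBE_OPTIONS", empty_env));
    printf("allowlisted env:        MODPROBE_OPTIONS visible = %d, TZ visible = %d\n",
           scrubbed_child_sees("MODPROBE_OPTIONS"), scrubbed_child_sees("TZ"));
    return 0;
}
```

The empty-environment form is what the advisory patch does and is the right default for a setuid helper that execs a fixed absolute path; the allowlist variant is for the case where the child genuinely needs a variable or two, and it is safer to name those than to try to enumerate dangerous ones.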
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-01 14:27:06 UTC
Looks like CVE-2015-3202 (bug 550152 and bug 550970) but now in the ntfs-3g driver itself.
Comment 2 Patrick McLean gentoo-dev 2017-02-01 22:37:31 UTC
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63ab8f5018576fc957feef2f1cc35fc7aabd12df

Version bump done, should be fine to stabilize, the patch looks pretty harmless.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-02-02 07:47:02 UTC
@arches, please stabilize.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-02 17:09:46 UTC
Stable on alpha.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-04 11:47:47 UTC
Adjusting rating: Local user could escalate privileges. However, default Gentoo installation is not affected because "suid" USE flag isn't set per default.

New GLSA request filed.
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-04 12:06:08 UTC
(In reply to Thomas Deutschmann from comment #5)
> Adjusting rating: Local user could escalate privileges. However, default
> Gentoo installation is not affected because "suid" USE flag isn't set per
> default.

Thomas,

my interpretation of what is stated here: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html is that it is about the configuration, not the installation. So a vulnerability applies if you modify the configuration on your own.
Everyone can have suid in make.conf. I think B1 is more appropriate.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-04 14:51:30 UTC
(In reply to Agostino Sarubbo from comment #6)
> my interpretation of what stated here:
> https://www.gentoo.org/support/security/vulnerability-treatment-policy.html
> is about the configuration not the installation. So when a vulnerability
> apply if you modify the configuration on your own.
> Everyone can have suid in make.conf. I think B1 is more appropriate.

Default configuration == Package defaults + base profile USE flags. I.e. the configuration which will be installed when a user hasn't changed anything.

In this specific case: Package isn't present on at least 1/20 installations. So it is already B. But as said, you need to enable the "suid" USE flag, which isn't set in the package nor in any profile per default, so it requires a specific configuration, i.e. "C".
Comment 8 Agostino Sarubbo gentoo-dev 2017-02-04 15:23:39 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-02-12 15:46:59 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-02-12 17:03:33 UTC
ppc stable
Comment 11 Markus Meier gentoo-dev 2017-02-15 17:31:18 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-02-17 11:00:00 UTC
sparc stable
Comment 13 Michael Weber (RETIRED) gentoo-dev 2017-02-17 22:46:25 UTC
ppc64 stable.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 22:52:39 UTC
@ Maintainer(s): Please cleanup and drop =sys-fs/ntfs3g-2016.2.22-r1!
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-02-17 23:23:15 UTC
commit 1c8c5231343c9300a0b2a6adba38f41bde30ba71
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Feb 18 00:22:23 2017

    sys-fs/ntfs3g: Security cleanup (bug #607912).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:14:39 UTC
This issue was resolved and addressed in
 GLSA 201702-10 at https://security.gentoo.org/glsa/201702-10
by GLSA coordinator Thomas Deutschmann (whissi).