"This vulnerability may allow an attacker using a maliciously crafted NTFS-formatted image file or external storage to potentially execute arbitrary privileged code, if the attacker has either local access and the ntfs-3g binary is setuid root, or if the attacker has physical access to an external port to a computer which is configured to run the ntfs-3g binary or one of the ntfsprogs tools when the external storage is plugged into the computer. This vulnerability results from incorrect validation of some of the NTFS metadata that could potentially cause buffer overflow, which could be exploited by an attacker. Common ways for attackers to gain physical access to a machine are through social engineering or an evil maid attack on an unattended computer."

Please bump to 2022.10.3.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7cae66cff4d59bd8c976c22ac9dcdc082a61cebf

commit 7cae66cff4d59bd8c976c22ac9dcdc082a61cebf
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-10-31 17:23:15 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-10-31 17:23:15 +0000

    sys-fs/ntfs3g: add 2022.10.3, drop 2022.5.17-r1

    Bug: https://bugs.gentoo.org/878885
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/Manifest | 1 +
 sys-fs/ntfs3g/{ntfs3g-2022.5.17-r1.ebuild => ntfs3g-2022.10.3.ebuild} | 0
 2 files changed, 1 insertion(+)
Thanks!
Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=806a05a7096b096362ce56975a35cc8872f96c42

commit 806a05a7096b096362ce56975a35cc8872f96c42
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-11-08 17:01:42 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-11-08 17:01:48 +0000

    sys-fs/ntfs3g: drop 2022.5.17

    Bug: https://bugs.gentoo.org/878885
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/Manifest | 1 -
 sys-fs/ntfs3g/ntfs3g-2022.5.17.ebuild | 83 -----------------------------------
 2 files changed, 84 deletions(-)
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0b323c3c4c76d17342e03e1b9c0abd5a2e564341

commit 0b323c3c4c76d17342e03e1b9c0abd5a2e564341
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:15:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:03 +0000

    [ GLSA 202301-01 ] NTFS-3G: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/811156
    Bug: https://bugs.gentoo.org/847598
    Bug: https://bugs.gentoo.org/878885
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-01.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
GLSA released, all done!