811156 – (CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263) <sys-fs/ntfs3g-2021.8.22: Multiple vulnerabilities

Bug 811156 (CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263) - <sys-fs/ntfs3g-2021.8.22: Multiple vulnerabilities

Summary: <sys-fs/ntfs3g-2021.8.22: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:
Whiteboard:	B1 [glsa+]
Keywords:

Depends on:	818703
Blocks:
	Show dependency tree

Reported:	2021-08-30 19:41 UTC by Sam James
Modified:	2023-01-11 05:26 UTC (History)
CC List:	3 users (show)

See Also:	CVE-2022-30783, CVE-2022-30784, CVE-2022-30785, CVE-2022-30786, CVE-2022-30787, CVE-2022-30788, CVE-2022-30789
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-08-30 19:41:03 UTC

From https://www.openwall.com/lists/oss-security/2021/08/30/1:

```
Security vulnerabilities were identified in the open source NTFS-3G and NTFSPROGS software. These vulnerabilities were confirmed and resolved. To our knowledge, these vulnerabilities have not been exploited.

These vulnerabilities may allow an attacker using a maliciously crafted NTFS-formatted image file or external storage to potentially execute arbitrary privileged code, if the attacker has either local access and the ntfs-3g binary is setuid root, or if the attacker has physical access to an external port to a computer which is configured to run the ntfs-3g binary or one of the ntfsprogs tools when the external storage is plugged into the computer. These vulnerabilities result from incorrect validation of some of the NTFS metadata that could potentially cause buffer overflows, which could be exploited by an attacker. Common ways for attackers to gain physical access to a machine is through social engineering or an evil maid attack on an unattended computer.

We recommend installing and applying the update with the security fixes, and advise to follow security guidance and frameworks such as NIST for assessing and improving an organization’s abilities to prevent, detect, and respond to security threats and cyber attacks.

AFFECTED PRODUCTS: All previous versions of open source NTFS-3G and NTFSPROGS.

WORKAROUND: None

SOLUTION: Upgrade to 2021.8.22

PROJECT URL: https://github.com/tuxera/ntfs-3g

ADVISORY ID: NTFS3G-SA-2021-0001

ISSUE DATE: 2021-08-30

SEVERITY: Moderate

CVEs: CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289, CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263

CVSS SCORE: 3.9-6.7

ACKNOWLEDGMENT: Jeremy Galindo, Akshay Ajayan, Kyle Zeng and Fish Wang for reporting these vulnerabilities.
```

Comment 1 Sam James archtester

2021-08-30 19:41:39 UTC

Please bump to 2021.8.22.

Comment 2 Larry the Git Cow gentoo-dev

2021-08-31 08:19:25 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf72416b29d1fc39f978044b7da63d909d90bd24

commit cf72416b29d1fc39f978044b7da63d909d90bd24
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-08-31 08:18:56 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-08-31 08:19:19 +0000

    sys-fs/ntfs3g: Security bump to version 2021.8.22
    
    Bug: https://bugs.gentoo.org/811156
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-fs/ntfs3g/Manifest                |  1 +
 sys-fs/ntfs3g/ntfs3g-2021.8.22.ebuild | 82 +++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)

Comment 3 John Helmert III archtester

2021-10-29 12:47:38 UTC

Please cleanup

Comment 4 Larry the Git Cow gentoo-dev

2021-11-05 23:12:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=357980f40f7aceb19e2075010806752fda92b22c

commit 357980f40f7aceb19e2075010806752fda92b22c
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-11-05 23:11:59 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-11-05 23:11:59 +0000

    sys-fs/ntfs3g: drop 2017.3.23.5-r1
    
    Bug: https://bugs.gentoo.org/811156
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/Manifest                     |  1 -
 sys-fs/ntfs3g/ntfs3g-2017.3.23.5-r1.ebuild | 79 ------------------------------
 2 files changed, 80 deletions(-)

Comment 5 John Helmert III archtester

2022-11-22 16:43:26 UTC

GLSA request filed

Comment 6 Larry the Git Cow gentoo-dev

2023-01-11 05:22:49 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0b323c3c4c76d17342e03e1b9c0abd5a2e564341

commit 0b323c3c4c76d17342e03e1b9c0abd5a2e564341
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:15:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:03 +0000

    [ GLSA 202301-01 ] NTFS-3G: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/811156
    Bug: https://bugs.gentoo.org/847598
    Bug: https://bugs.gentoo.org/878885
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-01.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

Comment 7 John Helmert III archtester

2023-01-11 05:26:10 UTC

GLSA released, all done!