Bug 811156 (CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263) - <sys-fs/ntfs3g-2021.8.22: Multiple vulnerabilities
Summary: <sys-fs/ntfs3g-2021.8.22: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 818703
Blocks:
Reported: 2021-08-30 19:41 UTC by Sam James
Modified: 2023-01-11 05:26 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-30 19:41:03 UTC
From https://www.openwall.com/lists/oss-security/2021/08/30/1:

```
Security vulnerabilities were identified in the open source NTFS-3G and NTFSPROGS software. These vulnerabilities were confirmed and resolved. To our knowledge, these vulnerabilities have not been exploited.

These vulnerabilities may allow an attacker using a maliciously crafted NTFS-formatted image file or external storage to potentially execute arbitrary privileged code, if the attacker has either local access and the ntfs-3g binary is setuid root, or if the attacker has physical access to an external port to a computer which is configured to run the ntfs-3g binary or one of the ntfsprogs tools when the external storage is plugged into the computer. These vulnerabilities result from incorrect validation of some of the NTFS metadata that could potentially cause buffer overflows, which could be exploited by an attacker. Common ways for attackers to gain physical access to a machine are through social engineering or an evil maid attack on an unattended computer.

We recommend installing and applying the update with the security fixes, and advise to follow security guidance and frameworks such as NIST for assessing and improving an organization’s abilities to prevent, detect, and respond to security threats and cyber attacks.

AFFECTED PRODUCTS: All previous versions of open source NTFS-3G and NTFSPROGS.

WORKAROUND: None

SOLUTION: Upgrade to 2021.8.22

PROJECT URL: https://github.com/tuxera/ntfs-3g

ADVISORY ID: NTFS3G-SA-2021-0001

ISSUE DATE: 2021-08-30

SEVERITY: Moderate

CVEs: CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289, CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263

CVSS SCORE: 3.9-6.7

ACKNOWLEDGMENT: Jeremy Galindo, Akshay Ajayan, Kyle Zeng and Fish Wang for reporting these vulnerabilities.
```
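The advisory quoted above names two exposure conditions (a setuid-root ntfs-3g binary that any local user can point at a crafted image, or a host that mounts untrusted NTFS media with ntfs-3g/ntfsprogs) and one remedy (upgrading to 2021.8.22). The script below is an added example, not part of this bug, of the advisory or of the ntfs-3g project: a small POSIX-sh audit that tells a pre-2021.8.22 installation from a fixed one and reports whether the installed binaries carry the setuid bit, so the verdict distinguishes "any local user" exposure from "only via mounted media" exposure. It assumes that `ntfs-3g --version` prints the version as the second word of its first line and that the paths it probes are the usual install locations; both are assumptions, not facts taken from this bug.

```sh
#!/bin/sh
# Added audit helper (not ntfs-3g code): is the installed ntfs-3g older than the
# fixed release, and is the binary setuid?

FIXED_VERSION="2021.8.22"   # first release carrying the fixes, per NTFS3G-SA-2021-0001

# version_lt A B: exit 0 when dotted version A is older than B.
# Anything from the first non-digit/non-dot character on (e.g. a Gentoo "-r1"
# revision suffix) is ignored; missing components compare as 0.
version_lt() {
  a="${1%%[!0-9.]*}"
  b="${2%%[!0-9.]*}"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
    if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 1
}

# ntfs3g_affected VERSION: exit 0 when VERSION predates the fixed release.
ntfs3g_affected() {
  version_lt "$1" "$FIXED_VERSION"
}

# is_setuid PATH: exit 0 when the setuid mode bit is set on PATH.
is_setuid() {
  [ -u "$1" ]
}

# assess VERSION SETUID: SETUID is 0 (bit set) or 1 (not set). Prints
#   vulnerable-local  - old version and setuid: any local user can feed it a crafted image
#   vulnerable-media  - old version, not setuid: reachable when root/automount mounts untrusted NTFS
#   fixed             - version is 2021.8.22 or newer
assess() {
  if ntfs3g_affected "$1"; then
    if [ "$2" -eq 0 ]; then echo "vulnerable-local"; else echo "vulnerable-media"; fi
  else
    echo "fixed"
  fi
}

# audit_ntfs3g: inspect the live host. Assumes (not from the bug) that
# `ntfs-3g --version` prints the version as word 2 of line 1 and that the
# listed paths are the usual install locations. Unknown version is treated
# as affected, which errs on the safe side.
audit_ntfs3g() {
  ntfs3g=$(command -v ntfs-3g 2>/dev/null) || return 0
  ver=$("$ntfs3g" --version 2>&1 | awk 'NR==1 {print $2}')
  seen=""
  for bin in "$ntfs3g" /sbin/mount.ntfs /sbin/mount.ntfs-3g /usr/bin/ntfs-3g; do
    [ -e "$bin" ] || continue
    case " $seen " in *" $bin "*) continue ;; esac
    seen="$seen $bin"
    if is_setuid "$bin"; then suid=0; else suid=1; fi
    owner=$(ls -ld "$bin" | awk '{print $3}')
    printf '%-28s version=%s owner=%s setuid=%s verdict=%s\n' \
      "$bin" "${ver:-unknown}" "$owner" \
      "$([ "$suid" -eq 0 ] && echo yes || echo no)" \
      "$(assess "${ver:-0}" "$suid")"
  done
}

audit_ntfs3g
```

A "vulnerable-media" verdict still matters on desktops that automount removable drives, which is exactly the physical-access path the advisory describes; the setuid check only tells you whether the bar is lower than that.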
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-30 19:41:39 UTC
Please bump to 2021.8.22.
Comment 2 Larry the Git Cow gentoo-dev 2021-08-31 08:19:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf72416b29d1fc39f978044b7da63d909d90bd24

commit cf72416b29d1fc39f978044b7da63d909d90bd24
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-08-31 08:18:56 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-08-31 08:19:19 +0000

    sys-fs/ntfs3g: Security bump to version 2021.8.22
    
    Bug: https://bugs.gentoo.org/811156
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-fs/ntfs3g/Manifest                |  1 +
 sys-fs/ntfs3g/ntfs3g-2021.8.22.ebuild | 82 +++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-29 12:47:38 UTC
Please cleanup
Comment 4 Larry the Git Cow gentoo-dev 2021-11-05 23:12:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=357980f40f7aceb19e2075010806752fda92b22c

commit 357980f40f7aceb19e2075010806752fda92b22c
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-11-05 23:11:59 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-11-05 23:11:59 +0000

    sys-fs/ntfs3g: drop 2017.3.23.5-r1
    
    Bug: https://bugs.gentoo.org/811156
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/Manifest                     |  1 -
 sys-fs/ntfs3g/ntfs3g-2017.3.23.5-r1.ebuild | 79 ------------------------------
 2 files changed, 80 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 16:43:26 UTC
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2023-01-11 05:22:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0b323c3c4c76d17342e03e1b9c0abd5a2e564341

commit 0b323c3c4c76d17342e03e1b9c0abd5a2e564341
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:15:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:03 +0000

    [ GLSA 202301-01 ] NTFS-3G: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/811156
    Bug: https://bugs.gentoo.org/847598
    Bug: https://bugs.gentoo.org/878885
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-01.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-11 05:26:10 UTC
GLSA released, all done!