Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 842222 (CVE-2021-46790) - <sys-fs/ntfs3g-2021.8.22-r4: heap buffer overflow in ntfsck
Summary: <sys-fs/ntfs3g-2021.8.22-r4: heap buffer overflow in ntfsck
Status: RESOLVED FIXED
Alias: CVE-2021-46790
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/tuxera/ntfs-3g/iss...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-02 19:33 UTC by John Helmert III
Modified: 2022-05-03 01:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-02 19:33:29 UTC 
CVE-2021-46790:

ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. NOTE: the upstream position is that ntfsck is deprecated; however, it is shipped by some Linux distributions.
Comment 1 Larry the Git Cow gentoo-dev 2022-05-02 21:18:02 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d92ff672b56bffd9333062940964bb79e228ead

commit 5d92ff672b56bffd9333062940964bb79e228ead
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-05-02 21:16:13 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-05-02 21:16:13 +0000

    sys-fs/ntfs3g: disable "quarantined" utilities
    
    Upstream doesn't really support these programs. If someone really needs
    them, we can restore them behind a masked USE flag.
    
    Bug: https://bugs.gentoo.org/842222
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-fs/ntfs3g/{ntfs3g-2021.8.22-r3.ebuild => ntfs3g-2021.8.22-r4.ebuild} | 1 -
 1 file changed, 1 deletion(-)
Comment 2 Mike Gilbert gentoo-dev 2022-05-02 21:18:52 UTC 
The offending code has been dropped with a straight-to-stable revbump.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-03 01:11:12 UTC 
All done, thanks!