| Summary: | ntfs-3g new security issues CVE-2021-46790, CVE-2022-3078[3-9] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | ntfs-3g-2021.8.22-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2022-05-26 17:41:17 CEST
David Walser
2022-05-26 17:41:31 CEST
Whiteboard:
(none) =>
MGA8TOO tv looks after this, so assigning to you. Assignee:
bugsquad =>
thierry.vignaud Ubuntu has issued an advisory for one of these issues on May 30: https://ubuntu.com/security/notices/USN-5452-1 Additional information about these issues has been made public: https://www.openwall.com/lists/oss-security/2022/06/07/4 Ubuntu has issued an advisory for this on June 7: https://ubuntu.com/security/notices/USN-5463-1 ntfs-3g-2022.5.17-1.mga9 uploaded for Cauldron by Thierry. Whiteboard:
MGA8TOO =>
(none) Debian has issued an advisory for this on June 10: https://www.debian.org/security/2022/dsa-5160 Fedora has issued an advisory for this today (June 17): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7JPX6OUCQKZX4PN5DQPVDUFZCOOZUX7Z/ Note that ntfs-3g-system-compression may need rebuilt after updating this: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ECDCISL24TYH4CTDFCUVF24WAKRSYF7F/ openSUSE has issued an advisory for this on August 17: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CUCIRAD67WWT3IZWCVN25JFFBTDANX5J/ Suggested advisory: ======================== The updated packages fix security vulnerabilities: ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. (CVE-2021-46790) An invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through 2021.8.22 when using libfuse-lite. (CVE-2022-30783) A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value in NTFS-3G through 2021.8.22. (CVE-2022-30784) A file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations in NTFS-3G through 2021.8.22 when using libfuse-lite. (CVE-2022-30785) A crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate in NTFS-3G through 2021.8.22. (CVE-2022-30786) An integer underflow in fuse_lib_readdir enables arbitrary memory read operations in NTFS-3G through 2021.8.22 when using libfuse-lite. (CVE-2022-30787) A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in NTFS-3G through 2021.8.22. (CVE-2022-30788) A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22. (CVE-2022-30789) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789 https://www.openwall.com/lists/oss-security/2022/05/26/1 https://www.openwall.com/lists/oss-security/2022/05/26/2 https://ubuntu.com/security/notices/USN-5452-1 https://www.openwall.com/lists/oss-security/2022/06/07/4 https://ubuntu.com/security/notices/USN-5463-1 https://www.debian.org/security/2022/dsa-5160 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7JPX6OUCQKZX4PN5DQPVDUFZCOOZUX7Z/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CUCIRAD67WWT3IZWCVN25JFFBTDANX5J/ ======================== Updated packages in core/updates_testing: ======================== lib(64)ntfs-3g89-2021.8.22-1.1.mga8 lib(64)ntfs-3g-devel-2021.8.22-1.1.mga8 ntfs-3g-2021.8.22-1.1.mga8 from SRPM: ntfs-3g-2021.8.22-1.1.mga8.src.rpm CC:
(none) =>
nicolas.salguero No installation issues. Using a memory card that had been formatted to ntsc in a non-Mageia device, I was able to copy video files to it with Dolphin, play it with VLC, then delete some with Dolphin. Placing the memory card in the non-Mageia device, I was able to play the video files I had just written. I do not know how to check, if necessary, for the potential issue brought up in Comment 8. Since I do not have a Windows 10 system, I do not have a Windows 10 "system-compressed" file to read, nor have I found a way to get one elsewhere. Giving this a tentative OK anyway, but holding back the validation until someone can guide me if further testing is needed. CC:
(none) =>
andrewsfarm With no objections, I'm sending this on. Validating. Advisory in Comment 10. CC:
(none) =>
sysadmin-bugs
Dave Hodgins
2022-10-23 23:17:39 CEST
CC:
(none) =>
davidwhodgins An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0385.html Status:
ASSIGNED =>
RESOLVED |