Bug 31056

Summary: ntfs-3g new security issue CVE-2022-40284
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, mageia, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ntfs-3g-2021.8.22-1.1.mga8.src.rpm CVE: CVE-2022-40284
Status comment:

Description David Walser 2022-10-31 14:52:48 CET 
Upstream has issued an advisory today (October 31):
https://www.openwall.com/lists/oss-security/2022/10/31/2

The issue is fixed upstream in 2022.10.3:
https://github.com/tuxera/ntfs-3g/releases/tag/2022.10.3

Mageia 8 is also affected.
David Walser 2022-10-31 14:53:02 CET

Status comment: (none) => Fixed upstream in 2022.10.3
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-10-31 18:35:57 CET 
Assigning to Thierry: although this is not officially your baby, you have mostly maintained it.

Assignee: bugsquad => thierry.vignaud

Comment 2 David Walser 2022-11-02 21:41:05 CET 
Ubuntu has issued an advisory for this today (November 2):
https://ubuntu.com/security/notices/USN-5711-1
Comment 3 Nicolas Salguero 2022-11-03 10:23:12 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

NTFS-3G could be made to crash or run programs as an administrator if it mounted a specially crafted disk. (CVE-2022-40284)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40284
https://www.openwall.com/lists/oss-security/2022/10/31/2
https://github.com/tuxera/ntfs-3g/releases/tag/2022.10.3
https://ubuntu.com/security/notices/USN-5711-1
========================

Updated packages in core/updates_testing:
========================
lib(64)ntfs-3g89-2021.8.22-1.2.mga8
lib(64)ntfs-3g-devel-2021.8.22-1.2.mga8
ntfs-3g-2021.8.22-1.2.mga8

from SRPM:
ntfs-3g-2021.8.22-1.2.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Source RPM: ntfs-3g-2022.5.17-1.mga9.src.rpm => ntfs-3g-2021.8.22-1.1.mga8.src.rpm
Version: Cauldron => 8
Status comment: Fixed upstream in 2022.10.3 => (none)
CVE: (none) => CVE-2022-40284
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs

Comment 4 PC LX 2022-11-03 12:41:44 CET 
Installed and tested without issues.

Tested with only a few NTFS partitions created by Windows 10.
Only use NTFS from inside Windows 10 virtual machines and from Mageia to access those NTFS partitions so my testing is limited.
No regressions noticed.


System: Mageia 8, x86_64, AMD Ryzen 5 5600G with Radeon Graphics.


$ uname -a
Linux jupiter 5.19.16-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Oct 15 18:19:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep ntfs-3g
ntfs-3g-2021.8.22-1.2.mga8
ntfs-3g-system-compression-1.0-1.2.mga8
lib64ntfs-3g89-2021.8.22-1.2.mga8
$ ps xva | grep ntfs
   9637 ?        Ss     0:00      0    36  9539  2352  0.0 /sbin/mount.ntfs /dev/dm-7p3 /media/windows -o ro,nosuid,nodev,noexec,discard,umask=000
   9716 ?        Ss     0:00      0    36  9535  2308  0.0 /sbin/mount.ntfs /dev/dm-7p4 /mnt/tmp -o ro,nosuid,nodev,noexec,discard,umask=000
  10074 pts/0    S+     0:00      0   102  9061   776  0.0 grep --color ntfs

CC: (none) => mageia

Comment 5 Thomas Andrews 2022-11-03 19:27:24 CET 
No installation issues. Tested with a usb flash drive formatted in ntfs by an ATSC converter/PVR device. I was able to save videos, delete videos, play videos on this drive.

Between the two of us, testing should be sufficient. OKing and validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2022-11-04 16:45:26 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-11-04 22:17:18 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0408.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED