Bug 30479 - ntfs-3g new security issues CVE-2021-46790, CVE-2022-3078[3-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-26 17:41 CEST by David Walser
Modified: 2022-10-24 00:49 CEST

See Also:
Source RPM: ntfs-3g-2021.8.22-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-05-26 17:41:17 CEST
NTFS-3G has issued advisories today (May 26):
https://www.openwall.com/lists/oss-security/2022/05/26/1
https://www.openwall.com/lists/oss-security/2022/05/26/2

The issues are fixed upstream in 2022.5.17.

Mageia 8 is also affected.
David Walser 2022-05-26 17:41:31 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2022.5.17

Comment 1 Lewis Smith 2022-05-26 20:09:52 CEST
tv looks after this, so assigning to you.

Assignee: bugsquad => thierry.vignaud

Comment 2 David Walser 2022-05-31 22:42:21 CEST
Ubuntu has issued an advisory for one of these issues on May 30:
https://ubuntu.com/security/notices/USN-5452-1
Comment 3 David Walser 2022-06-08 18:24:42 CEST
Additional information about these issues has been made public:
https://www.openwall.com/lists/oss-security/2022/06/07/4
Comment 4 David Walser 2022-06-08 18:49:16 CEST
Ubuntu has issued an advisory for this on June 7:
https://ubuntu.com/security/notices/USN-5463-1
Comment 5 David Walser 2022-06-10 16:59:12 CEST
ntfs-3g-2022.5.17-1.mga9 uploaded for Cauldron by Thierry.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 6 David Walser 2022-06-12 00:30:10 CEST
Debian has issued an advisory for this on June 10:
https://www.debian.org/security/2022/dsa-5160
Comment 7 David Walser 2022-06-17 16:38:09 CEST
Fedora has issued an advisory for this today (June 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7JPX6OUCQKZX4PN5DQPVDUFZCOOZUX7Z/
Comment 8 David Walser 2022-06-18 16:57:08 CEST
Note that ntfs-3g-system-compression may need to be rebuilt after updating this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ECDCISL24TYH4CTDFCUVF24WAKRSYF7F/
Comment 9 David Walser 2022-08-18 17:09:26 CEST
openSUSE has issued an advisory for this on August 17:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CUCIRAD67WWT3IZWCVN25JFFBTDANX5J/
Comment 10 Nicolas Salguero 2022-10-19 15:11:24 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. (CVE-2021-46790)

An invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through 2021.8.22 when using libfuse-lite. (CVE-2022-30783)

A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value in NTFS-3G through 2021.8.22. (CVE-2022-30784)

A file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations in NTFS-3G through 2021.8.22 when using libfuse-lite. (CVE-2022-30785)

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate in NTFS-3G through 2021.8.22. (CVE-2022-30786)

An integer underflow in fuse_lib_readdir enables arbitrary memory read operations in NTFS-3G through 2021.8.22 when using libfuse-lite. (CVE-2022-30787)

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in NTFS-3G through 2021.8.22. (CVE-2022-30788)

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22. (CVE-2022-30789)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789
https://www.openwall.com/lists/oss-security/2022/05/26/1
https://www.openwall.com/lists/oss-security/2022/05/26/2
https://ubuntu.com/security/notices/USN-5452-1
https://www.openwall.com/lists/oss-security/2022/06/07/4
https://ubuntu.com/security/notices/USN-5463-1
https://www.debian.org/security/2022/dsa-5160
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7JPX6OUCQKZX4PN5DQPVDUFZCOOZUX7Z/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CUCIRAD67WWT3IZWCVN25JFFBTDANX5J/
========================

Updated packages in core/updates_testing:
========================
lib(64)ntfs-3g89-2021.8.22-1.1.mga8
lib(64)ntfs-3g-devel-2021.8.22-1.1.mga8
ntfs-3g-2021.8.22-1.1.mga8

from SRPM:
ntfs-3g-2021.8.22-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 2022.5.17 => (none)
Source RPM: ntfs-3g-2021.8.22-11.mga9.src.rpm => ntfs-3g-2021.8.22-1.mga8.src.rpm
Assignee: thierry.vignaud => qa-bugs
Status: NEW => ASSIGNED

Comment 11 Thomas Andrews 2022-10-20 03:02:52 CEST
No installation issues.

Using a memory card that had been formatted to ntsc in a non-Mageia device, I was able to copy video files to it with Dolphin, play it with VLC, then delete some with Dolphin. Placing the memory card in the non-Mageia device, I was able to play the video files I had just written.

I do not know how to check, if necessary, for the potential issue brought up in Comment 8. Since I do not have a Windows 10 system, I do not have a Windows 10 "system-compressed" file to read, nor have I found a way to get one elsewhere. 

Giving this a tentative OK anyway, but holding back the validation until someone can guide me if further testing is needed.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA8-64-OK

Comment 12 Thomas Andrews 2022-10-22 02:45:35 CEST
With no objections, I'm sending this on.

Validating. Advisory in Comment 10.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-23 23:17:39 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 13 Mageia Robot 2022-10-24 00:49:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0385.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

