Upstream has issued an advisory today (October 31):
https://www.openwall.com/lists/oss-security/2022/10/31/2

The issue is fixed upstream in 2022.10.3:
https://github.com/tuxera/ntfs-3g/releases/tag/2022.10.3

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2022.10.3
Whiteboard: (none) => MGA8TOO
Assigning to Thierry: although this is not officially your baby, you have mostly maintained it.
Assignee: bugsquad => thierry.vignaud
Ubuntu has issued an advisory for this today (November 2):
https://ubuntu.com/security/notices/USN-5711-1
Suggested advisory:
========================

The updated packages fix a security vulnerability:

NTFS-3G could be made to crash or run programs as an administrator if it mounted a specially crafted disk. (CVE-2022-40284)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40284
https://www.openwall.com/lists/oss-security/2022/10/31/2
https://github.com/tuxera/ntfs-3g/releases/tag/2022.10.3
https://ubuntu.com/security/notices/USN-5711-1
========================

Updated packages in core/updates_testing:
========================
lib(64)ntfs-3g89-2021.8.22-1.2.mga8
lib(64)ntfs-3g-devel-2021.8.22-1.2.mga8
ntfs-3g-2021.8.22-1.2.mga8

from SRPM:
ntfs-3g-2021.8.22-1.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Source RPM: ntfs-3g-2022.5.17-1.mga9.src.rpm => ntfs-3g-2021.8.22-1.1.mga8.src.rpm
Version: Cauldron => 8
Status comment: Fixed upstream in 2022.10.3 => (none)
CVE: (none) => CVE-2022-40284
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
Installed and tested without issues. Tested with only a few NTFS partitions created by Windows 10. Only use NTFS from inside Windows 10 virtual machines and from Mageia to access those NTFS partitions so my testing is limited. No regressions noticed.

System: Mageia 8, x86_64, AMD Ryzen 5 5600G with Radeon Graphics.

$ uname -a
Linux jupiter 5.19.16-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Oct 15 18:19:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep ntfs-3g
ntfs-3g-2021.8.22-1.2.mga8
ntfs-3g-system-compression-1.0-1.2.mga8
lib64ntfs-3g89-2021.8.22-1.2.mga8
$ ps xva | grep ntfs
9637 ? Ss 0:00 0 36 9539 2352 0.0 /sbin/mount.ntfs /dev/dm-7p3 /media/windows -o ro,nosuid,nodev,noexec,discard,umask=000
9716 ? Ss 0:00 0 36 9535 2308 0.0 /sbin/mount.ntfs /dev/dm-7p4 /mnt/tmp -o ro,nosuid,nodev,noexec,discard,umask=000
10074 pts/0 S+ 0:00 0 102 9061 776 0.0 grep --color ntfs
CC: (none) => mageia
No installation issues. Tested with a usb flash drive formatted in ntfs by an ATSC converter/PVR device. I was able to save videos, delete videos, play videos on this drive. Between the two of us, testing should be sufficient. OKing and validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0408.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED