• [SECURITY] [DSA 3268-2] ntfs-3g security update

    From Salvatore Bonaccorso@1:229/2 to All on Tue May 26 21:50:02 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3268-2                   [email protected]
    http://www.debian.org/security/                      Salvatore Bonaccorso
    May 26, 2015                           http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : ntfs-3g
    CVE ID : CVE-2015-3202
    Debian Bug : 786475

    The patch applied for ntfs-3g to fix CVE-2015-3202 in DSA 3268-1 was
    incomplete. This update corrects that problem. For reference the
    original advisory text follows.

    Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for
    FUSE, does not scrub the environment before executing mount or umount
    with elevated privileges. A local user can take advantage of this flaw
    to overwrite arbitrary files and gain elevated privileges by accessing
    debugging features via the environment that would not normally be safe
    for unprivileged users.

    For the oldstable distribution (wheezy), this problem has been fixed in
    version 1:2012.1.15AR.5-2.1+deb7u2. Note that this issue does not affect
    the binary packages distributed in Debian in wheezy as ntfs-3g does not
    use the embedded fuse-lite library.

    For the stable distribution (jessie), this problem has been fixed in
    version 1:2014.2.15AR.2-1+deb8u2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:2014.2.15AR.3-3.

    We recommend that you upgrade your ntfs-3g packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
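Added example, not part of the original advisory and not the ntfs-3g patch: one way a privileged helper can scrub the environment before it executes a program such as mount or umount, by building the child's environment from a fixed PATH plus a short allow-list. The function names, the allow-list (TERM, LANG), the permitted value characters and the PATH value are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define CLEAN_ENV_MAX 8
#define SAFE_CHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._@-"

/* Names the helper agrees to forward (assumed policy for this example). */
static const char *const allowed[] = { "TERM", "LANG", NULL };

/* Accept "NAME=value" only if NAME is allow-listed and the value is
 * non-empty and made of SAFE_CHARS, so it can never name a file path. */
static int env_entry_ok(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t nlen = (size_t)(eq - entry);
    int known = 0;
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == nlen && strncmp(allowed[i], entry, nlen) == 0)
            known = 1;
    return known && eq[1] != '\0' && strspn(eq + 1, SAFE_CHARS) == strlen(eq + 1);
}

/* Build the child's environment: a fixed PATH first, then vetted entries
 * from the caller. Everything else, including any caller-supplied PATH,
 * is dropped. Returns the entry count, not counting the NULL terminator. */
size_t build_clean_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    out[n++] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";
    for (size_t i = 0; in != NULL && in[i] != NULL && n + 1 < cap; i++)
        if (env_entry_ok(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* Execute a helper such as mount with the scrubbed environment instead of
 * the inherited one. Returns only if execve() fails. */
int exec_helper_scrubbed(const char *path, char *const argv[], char *const envp[])
{
    const char *clean[CLEAN_ENV_MAX];
    build_clean_env(envp, clean, CLEAN_ENV_MAX);
    return execve(path, argv, (char *const *)clean);
}
```

Starting from an empty environment and adding back only vetted entries means a variable the helper's author never heard of is dropped by default, which a deny-list cannot guarantee.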

