#1011770 ntfs-3g: CVE-2021-46790 CVE-2022-30783 CVE-2022-30784 CVE-2022-30785 CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789

Package:
src:ntfs-3g
Source:
ntfs-3g
Submitter:
Salvatore Bonaccorso
Date:
2022-06-18 10:33:04 UTC
Severity:
grave
#1011770#5
Date:
2022-05-26 13:46:18 UTC
Hi,

The following vulnerabilities were published for ntfs-3g.

CVE-2021-46790[0]:
| ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow
| involving buffer+512*3-2. NOTE: the upstream position is that ntfsck
| is deprecated; however, it is shipped by some Linux distributions.

and

CVE-2022-30783[1], CVE-2022-30784[2], CVE-2022-30785[3],
CVE-2022-30786[4], CVE-2022-30787[5], CVE-2022-30788[6],
CVE-2022-30789[7]:

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-46790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
[1] https://security-tracker.debian.org/tracker/CVE-2022-30783
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
[2] https://security-tracker.debian.org/tracker/CVE-2022-30784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
[3] https://security-tracker.debian.org/tracker/CVE-2022-30785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
[4] https://security-tracker.debian.org/tracker/CVE-2022-30786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
[5] https://security-tracker.debian.org/tracker/CVE-2022-30787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
[6] https://security-tracker.debian.org/tracker/CVE-2022-30788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
[7] https://security-tracker.debian.org/tracker/CVE-2022-30789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789

Regards,
Salvatore

#1011770#10
Date:
2022-05-26 17:35:12 UTC
We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated ntfs-3g package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 26 May 2022 19:04:15 +0200
Source: ntfs-3g
Architecture: source
Version: 1:2022.5.17-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1011770
Changes:
 ntfs-3g (1:2022.5.17-1) unstable; urgency=high
 .
   * New upstream release (closes: #1011770) fixing CVE-2021-46790,
     CVE-2022-30783, CVE-2022-30784, CVE-2022-30785, CVE-2022-30786,
     CVE-2022-30787, CVE-2022-30788 and CVE-2022-30789: these vulnerabilities
     may allow an attacker using a maliciously crafted NTFS-formatted image
     file or external storage to potentially execute arbitrary privileged code.

#1011770#15
Date:
2022-06-18 10:17:37 UTC
We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ntfs-3g package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 09 Jun 2022 14:43:42 +0200
Source: ntfs-3g
Architecture: source
Version: 1:2017.3.23AR.3-3+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1011770
Changes:
 ntfs-3g (1:2017.3.23AR.3-3+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix multiple issues (Closes: #1011770)
     - Used a default usn when the former one cannot be retrieved
       (CVE-2022-30788)
     - Made sure there is no null character in an attribute name
       (CVE-2022-30786)
     - Avoided allocating and reading an attribute beyond its full size
       (CVE-2022-30784)
     - Made sure the client log data does not overflow from restart page
       (CVE-2022-30789)
     - Made sure there is no null character in an attribute name (bis)
       (CVE-2022-30786)
     - Fixed possible out-of-buffer condition in ntfsck (CVE-2021-46790)
     - Fixed operation on little endian data (CVE-2022-30788)
     - Returned an error code when the --help or --version options are
       used (CVE-2022-30783)
     - Hardened the checking of directory offset requested by a readdir
       (CVE-2022-30785, CVE-2022-30787)

#1011770#20
Date:
2022-06-18 10:32:23 UTC
We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ntfs-3g package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 08 Jun 2022 22:42:53 +0200
Source: ntfs-3g
Architecture: source
Version: 1:2017.3.23AR.3-4+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1011770
Changes:
 ntfs-3g (1:2017.3.23AR.3-4+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix multiple issues (Closes: #1011770)
     - Used a default usn when the former one cannot be retrieved
       (CVE-2022-30788)
     - Made sure there is no null character in an attribute name
       (CVE-2022-30786)
     - Avoided allocating and reading an attribute beyond its full size
       (CVE-2022-30784)
     - Made sure the client log data does not overflow from restart page
       (CVE-2022-30789)
     - Made sure there is no null character in an attribute name (bis)
       (CVE-2022-30786)
     - Fixed possible out-of-buffer condition in ntfsck (CVE-2021-46790)
     - Fixed operation on little endian data (CVE-2022-30788)
     - Returned an error code when the --help or --version options are
       used (CVE-2022-30783)
     - Hardened the checking of directory offset requested by a readdir
       (CVE-2022-30785, CVE-2022-30787)