ntfs-3g: CVE-2021-46790 CVE-2022-30783 CVE-2022-30784 CVE-2022-30785 CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789

Debian Bug report logs - #1011770

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 26 May 2022 13:51:01 UTC

Severity: grave

Tags: security, upstream

Found in version ntfs-3g/1:2021.8.22-3

Fixed in version ntfs-3g/1:2022.5.17-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#1011770; Package src:ntfs-3g. (Thu, 26 May 2022 13:51:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 26 May 2022 13:51:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntfs-3g: CVE-2021-46790 CVE-2022-30783 CVE-2022-30784 CVE-2022-30785 CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789
Date: Thu, 26 May 2022 15:46:18 +0200
Source: ntfs-3g
Version: 1:2021.8.22-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for ntfs-3g.

CVE-2021-46790[0]:
| ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow
| involving buffer+512*3-2. NOTE: the upstream position is that ntfsck
| is deprecated; however, it is shipped by some Linux distributions.

and

CVE-2022-30783[1], CVE-2022-30784[2], CVE-2022-30785[3],
CVE-2022-30786[4], CVE-2022-30787[5], CVE-2022-30788[6],
CVE-2022-30789[7]:

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-46790
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
[1] https://security-tracker.debian.org/tracker/CVE-2022-30783
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
[2] https://security-tracker.debian.org/tracker/CVE-2022-30784
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
[3] https://security-tracker.debian.org/tracker/CVE-2022-30785
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
[4] https://security-tracker.debian.org/tracker/CVE-2022-30786
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
[5] https://security-tracker.debian.org/tracker/CVE-2022-30787
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
[6] https://security-tracker.debian.org/tracker/CVE-2022-30788
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
[7] https://security-tracker.debian.org/tracker/CVE-2022-30789
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Thu, 26 May 2022 17:36:20 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 26 May 2022 17:36:20 GMT).


Message #10 received at 1011770-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1011770-close@bugs.debian.org
Subject: Bug#1011770: fixed in ntfs-3g 1:2022.5.17-1
Date: Thu, 26 May 2022 17:35:12 +0000
Source: ntfs-3g
Source-Version: 1:2022.5.17-1
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011770@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated ntfs-3g package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 26 May 2022 19:04:15 +0200
Source: ntfs-3g
Architecture: source
Version: 1:2022.5.17-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1011770
Changes:
 ntfs-3g (1:2022.5.17-1) unstable; urgency=high
 .
   * New upstream release (closes: #1011770) fixing CVE-2021-46790,
     CVE-2022-30783, CVE-2022-30784, CVE-2022-30785, CVE-2022-30786,
     CVE-2022-30787, CVE-2022-30788 and CVE-2022-30789: these vulnerabilities
     may allow an attacker using a maliciously crafted NTFS-formatted image
     file or external storage to potentially execute arbitrary privileged code.






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri May 27 13:12:46 2022; Machine Name: bembo
