* [Buildroot] [git commit branch/2016.11.x] ntfs-3g: add security fix for CVE-2017-0358
@ 2017-02-16 8:10 Peter Korsgaard
From: Peter Korsgaard @ 2017-02-16 8:10 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=f2da4a526ff8d62ff45e3024f5fed28f03aab30b
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2016.11.x
Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
NTFS driver for FUSE, does not scrub the environment before
executing modprobe to load the fuse module. This influences the behavior
of modprobe (MODPROBE_OPTIONS environment variable, --config and
--dirname options), potentially allowing for local root privilege
escalation if ntfs-3g is installed setuid.
Notice that Buildroot does NOT install ntfs-3g setuid root, but custom
permission tables might be used, causing it to be vulnerable to the above.
ntfs-3g does not seem to have a publicly available version control system
and no new releases have been made, so instead grab the patch from Debian.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f971f354c14a8948477a0936668b8baae8ec86e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/ntfs-3g/ntfs-3g.hash | 1 +
package/ntfs-3g/ntfs-3g.mk | 1 +
2 files changed, 2 insertions(+)
diff --git a/package/ntfs-3g/ntfs-3g.hash b/package/ntfs-3g/ntfs-3g.hash
index 4875cc4..eaa3d98 100644
--- a/package/ntfs-3g/ntfs-3g.hash
+++ b/package/ntfs-3g/ntfs-3g.hash
@@ -1,2 +1,3 @@
# Locally calculated
sha256 d7b72c05e4b3493e6095be789a760c9f5f2b141812d5b885f3190c98802f1ea0 ntfs-3g_ntfsprogs-2016.2.22.tgz
+sha256 43deadaeade489934b0b45e2ed8aa5f853ad0364fbde7ad144211b80132ea041 0003-CVE-2017-0358.patch
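Review bot: the added sha256 line pins the Debian patch file but inherits the existing "# Locally calculated" comment, so a later reader cannot tell where 0003-CVE-2017-0358.patch came from or how to re-derive the hash. Consider adding a comment above the new line, e.g. "# Locally calculated, patch fetched from sources.debian.net (see NTFS_3G_PATCH in ntfs-3g.mk)", so the provenance of the hash is recorded next to the value; if Debian ever republishes that path with a different file, the build will fail the hash check, which is the intended behavior, but the comment makes the failure easy to diagnose.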
diff --git a/package/ntfs-3g/ntfs-3g.mk b/package/ntfs-3g/ntfs-3g.mk
index b59e335..6e1a8f9 100644
--- a/package/ntfs-3g/ntfs-3g.mk
+++ b/package/ntfs-3g/ntfs-3g.mk
@@ -7,6 +7,7 @@
NTFS_3G_VERSION = 2016.2.22
NTFS_3G_SOURCE = ntfs-3g_ntfsprogs-$(NTFS_3G_VERSION).tgz
NTFS_3G_SITE = http://tuxera.com/opensource
+NTFS_3G_PATCH = https://sources.debian.net/data/main/n/ntfs-3g/1:2016.2.22AR.1-4/debian/patches/0003-CVE-2017-0358.patch
NTFS_3G_CONF_OPTS = --disable-ldconfig
NTFS_3G_INSTALL_STAGING = YES
NTFS_3G_DEPENDENCIES = host-pkgconf
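Review bot: NTFS_3G_PATCH points at a patch from Debian's 1:2016.2.22AR.1-4 packaging, while the package builds Tuxera's plain ntfs-3g_ntfsprogs-2016.2.22.tgz (NTFS_3G_SITE / NTFS_3G_SOURCE above), so the patch was written against a different source tree than the one it is applied to; the commit message says no public VCS or new upstream release exists, so the Debian patch is a reasonable source, but the commit message should state that the patch was verified to apply cleanly to the Tuxera tarball, since the only other signal is a failed patch step at build time. The URL hard-codes the full Debian revision rather than using $(NTFS_3G_VERSION), which is correct here because the hash in ntfs-3g.hash pins exactly that file; a short comment above the line noting that the revision is intentionally fixed would prevent a future version bump from "helpfully" templating it.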