On 2021-10-19 11:09 a.m., Armin Kuster wrote:
>
>
> On 10/18/21 9:59 PM, Chen Qi wrote:
>> This upgrade resolves a bunch of CVEs. See more details in:
>> https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp.
> Seems reasonable to me.
>
> -armin

I'm tempted to agree but I don't know enough about how ntfs-3g is
used. I think we need more information and a more detailed commit
log explaining why we think that the uprev is okay.

Qi,
Does it provide a library and header files that developers use?

Debian has a patch that we could make use of:
https://security-tracker.debian.org/tracker/CVE-2021-35266

$ apt-get source ntfs-3g
$ fd security.patch
ntfs-3g-2017.3.23AR.3/debian/patches/aug2021-security.patch

$ diffstat `fd aug`
include/ntfs-3g/attrib.h | 1
include/ntfs-3g/index.h | 4 +
include/ntfs-3g/volume.h | 5 ++
libntfs-3g/acls.c | 4 +
libntfs-3g/attrib.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------
libntfs-3g/bootsect.c | 8 +++
libntfs-3g/compress.c | 22 +++++++++-
libntfs-3g/dir.c | 109 +++++++++++++++++++-------------------------------
libntfs-3g/index.c | 183 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------
libntfs-3g/inode.c | 24 ++++++-----
libntfs-3g/lcnalloc.c | 15 ++++--
libntfs-3g/mft.c | 70 +++++++++++++++++++++++++++++++-
libntfs-3g/volume.c | 81 ++++++++++++++++++++++++++++---------
ntfsprogs/ntfscp.c | 3 -
ntfsprogs/ntfsfix.c | 17 ++++++-
src/lowntfs-3g.c | 384 +++++++++++++++++++++++++++++++++++++++++-----------------------------------------------------------------------------------------------------------------------------------------
src/ntfs-3g.c | 23 ++++++----
17 files changed, 818 insertions(+), 467 deletions(-)

compared to the diff of the uprev:

$ git diff 2017.3.23..2021.8.22 | diffstat | tail -1
69 files changed, 3220 insertions(+), 705 deletions(-)

../Randy
>>
>> These CVEs cannot be resolved one by one. Upgrading the package
>> is the only reasonable way.
>>
>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
>> ---
>> ...-ntfsprogs_2017.3.23.bb => ntfs-3g-ntfsprogs_2021.8.22.bb} | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>> rename meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/{ntfs-3g-ntfsprogs_2017.3.23.bb => ntfs-3g-ntfsprogs_2021.8.22.bb} (92%)
>>
>> diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> similarity index 92%
>> rename from meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb
>> rename to meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> index 6f5cb6cee..19b2d6ca2 100644
>> --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb
>> +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> @@ -10,8 +10,8 @@ SRC_URI = "
http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \
>>
file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \
>> "
>> S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}"
>> -SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c"
>> -SRC_URI[sha256sum] = "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5"
>> +SRC_URI[md5sum] = "90da343e78877d388eb34cefae6799ae"
>> +SRC_URI[sha256sum] = "55b883aa05d94b2ec746ef3966cb41e66bed6db99f22ddd41d1b8b94bb202efb"
>>
>> UPSTREAM_CHECK_URI = "
https://www.tuxera.com/community/open-source-ntfs-3g/"
>> UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz"
>>
>>
>>
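Review bot: The SRC_URI context line at the top of this hunk still fetches the tarball over plain http://, while UPSTREAM_CHECK_URI in the same hunk already uses https://. The new SRC_URI[sha256sum] pins the content, so integrity does not depend on the transport, but moving the download to https (if the host serves the tarball there) would be consistent. The SRC_URI[md5sum] line is carried forward and adds nothing next to the sha256sum, so it could be dropped rather than updated. Since the only recipe change is the version and the checksums, the commit log should name the CVE IDs covered by the linked advisory so the fix is traceable from the recipe history.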
--
# Randy MacLeod
# Wind River Linux