[SECURITY] [DLA 815-1] ntfs-3g security update

2017-02-0217:39:12

lists.debian.org

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

46.7%

JSON

Package : ntfs-3g
Version : 1:2012.1.15AR.5-2.1+deb7u3
CVE ID : CVE-2017-0358

Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write
NTFS driver for FUSE, does not scrub the environment before executing
modprobe with elevated privileges. A local user can take advantage of
this flaw for local root privilege escalation.

For Debian 7 "Wheezy", these problems have been fixed in version
1:2012.1.15AR.5-2.1+deb7u3.

We recommend that you upgrade your ntfs-3g packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8armhfntfs-3g-udeb< 1:2014.2.15AR.2-1+deb8u3ntfs-3g-udeb_1:2014.2.15AR.2-1+deb8u3_armhf.deb
Debian8allntfs-3g< 1:2014.2.15AR.2-1+deb8u3ntfs-3g_1:2014.2.15AR.2-1+deb8u3_all.deb
Debian8kfreebsd-amd64ntfs-3g-dev< 1:2014.2.15AR.2-1+deb8u3ntfs-3g-dev_1:2014.2.15AR.2-1+deb8u3_kfreebsd-amd64.deb
Debian7i386ntfs-3g-dbg< 1:2012.1.15AR.5-2.1+deb7u3ntfs-3g-dbg_1:2012.1.15AR.5-2.1+deb7u3_i386.deb
Debian7armelntfs-3g-udeb< 1:2012.1.15AR.5-2.1+deb7u3ntfs-3g-udeb_1:2012.1.15AR.5-2.1+deb7u3_armel.deb
Debian7armhfntfs-3g< 1:2012.1.15AR.5-2.1+deb7u3ntfs-3g_1:2012.1.15AR.5-2.1+deb7u3_armhf.deb
Debian8armelntfs-3g< 1:2014.2.15AR.2-1+deb8u3ntfs-3g_1:2014.2.15AR.2-1+deb8u3_armel.deb
Debian8i386ntfs-3g< 1:2014.2.15AR.2-1+deb8u3ntfs-3g_1:2014.2.15AR.2-1+deb8u3_i386.deb
Debian8i386ntfs-3g-dbg< 1:2014.2.15AR.2-1+deb8u3ntfs-3g-dbg_1:2014.2.15AR.2-1+deb8u3_i386.deb
Debian8mipsntfs-3g-dbg< 1:2014.2.15AR.2-1+deb8u3ntfs-3g-dbg_1:2014.2.15AR.2-1+deb8u3_mips.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armhf	ntfs-3g-udeb	< 1:2014.2.15AR.2-1+deb8u3	ntfs-3g-udeb_1:2014.2.15AR.2-1+deb8u3_armhf.deb
Debian	8	all	ntfs-3g	< 1:2014.2.15AR.2-1+deb8u3	ntfs-3g_1:2014.2.15AR.2-1+deb8u3_all.deb
Debian	8	kfreebsd-amd64	ntfs-3g-dev	< 1:2014.2.15AR.2-1+deb8u3	ntfs-3g-dev_1:2014.2.15AR.2-1+deb8u3_kfreebsd-amd64.deb
Debian	7	i386	ntfs-3g-dbg	< 1:2012.1.15AR.5-2.1+deb7u3	ntfs-3g-dbg_1:2012.1.15AR.5-2.1+deb7u3_i386.deb
Debian	7	armel	ntfs-3g-udeb	< 1:2012.1.15AR.5-2.1+deb7u3	ntfs-3g-udeb_1:2012.1.15AR.5-2.1+deb7u3_armel.deb
Debian	7	armhf	ntfs-3g	< 1:2012.1.15AR.5-2.1+deb7u3	ntfs-3g_1:2012.1.15AR.5-2.1+deb7u3_armhf.deb
Debian	8	armel	ntfs-3g	< 1:2014.2.15AR.2-1+deb8u3	ntfs-3g_1:2014.2.15AR.2-1+deb8u3_armel.deb
Debian	8	i386	ntfs-3g	< 1:2014.2.15AR.2-1+deb8u3	ntfs-3g_1:2014.2.15AR.2-1+deb8u3_i386.deb
Debian	8	i386	ntfs-3g-dbg	< 1:2014.2.15AR.2-1+deb8u3	ntfs-3g-dbg_1:2014.2.15AR.2-1+deb8u3_i386.deb
Debian	8	mips	ntfs-3g-dbg	< 1:2014.2.15AR.2-1+deb8u3	ntfs-3g-dbg_1:2014.2.15AR.2-1+deb8u3_mips.deb