[SECURITY] [DSA 3268-1] ntfs-3g security update

2015-05-2205:57:02

lists.debian.org

3.6 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:P/A:P

JSON

Debian Security Advisory DSA-3268-1 [email protected]
http://www.debian.org/security/ Salvatore Bonaccorso
May 22, 2015 http://www.debian.org/security/faq

Package : ntfs-3g
CVE ID : CVE-2015-3202
Debian Bug : 786475

Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for
FUSE, does not scrub the environment before executing mount or umount
with elevated privileges. A local user can take advantage of this flaw
to overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed in
version 1:2012.1.15AR.5-2.1+deb7u1. Note that this issue does not affect
the binary packages distributed in Debian in wheezy as ntfs-3g does not
use the embedded fuse-lite library.

For the stable distribution (jessie), this problem has been fixed in
version 1:2014.2.15AR.2-1+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your ntfs-3g packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8powerpcntfs-3g< 2014.2.15AR.2-1+deb8u2ntfs-3g_2014.2.15AR.2-1+deb8u2_powerpc.deb
Debian8mipsellibfuse2< 2.9.3-15+deb8u1libfuse2_2.9.3-15+deb8u1_mipsel.deb
Debian7mipselfuse< 2.9.0-2+deb7u2fuse_2.9.0-2+deb7u2_mipsel.deb
Debian7s390xntfs-3g-dbg< 2012.1.15AR.5-2.1+deb7u2ntfs-3g-dbg_2012.1.15AR.5-2.1+deb7u2_s390x.deb
Debian8amd64ntfs-3g-udeb< 2014.2.15AR.2-1+deb8u2ntfs-3g-udeb_2014.2.15AR.2-1+deb8u2_amd64.deb
Debian7allfuse< 2.9.0-2+deb7u2fuse_2.9.0-2+deb7u2_all.deb
Debian7mipsfuse< 2.9.0-2+deb7u2fuse_2.9.0-2+deb7u2_mips.deb
Debian8powerpcntfs-3g-dbg< 2014.2.15AR.2-1+deb8u2ntfs-3g-dbg_2014.2.15AR.2-1+deb8u2_powerpc.deb
Debian7sparcntfs-3g-dbg< 2012.1.15AR.5-2.1+deb7u1ntfs-3g-dbg_2012.1.15AR.5-2.1+deb7u1_sparc.deb
Debian8powerpcfuse-dbg< 2.9.3-15+deb8u1fuse-dbg_2.9.3-15+deb8u1_powerpc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	powerpc	ntfs-3g	< 2014.2.15AR.2-1+deb8u2	ntfs-3g_2014.2.15AR.2-1+deb8u2_powerpc.deb
Debian	8	mipsel	libfuse2	< 2.9.3-15+deb8u1	libfuse2_2.9.3-15+deb8u1_mipsel.deb
Debian	7	mipsel	fuse	< 2.9.0-2+deb7u2	fuse_2.9.0-2+deb7u2_mipsel.deb
Debian	7	s390x	ntfs-3g-dbg	< 2012.1.15AR.5-2.1+deb7u2	ntfs-3g-dbg_2012.1.15AR.5-2.1+deb7u2_s390x.deb
Debian	8	amd64	ntfs-3g-udeb	< 2014.2.15AR.2-1+deb8u2	ntfs-3g-udeb_2014.2.15AR.2-1+deb8u2_amd64.deb
Debian	7	all	fuse	< 2.9.0-2+deb7u2	fuse_2.9.0-2+deb7u2_all.deb
Debian	7	mips	fuse	< 2.9.0-2+deb7u2	fuse_2.9.0-2+deb7u2_mips.deb
Debian	8	powerpc	ntfs-3g-dbg	< 2014.2.15AR.2-1+deb8u2	ntfs-3g-dbg_2014.2.15AR.2-1+deb8u2_powerpc.deb
Debian	7	sparc	ntfs-3g-dbg	< 2012.1.15AR.5-2.1+deb7u1	ntfs-3g-dbg_2012.1.15AR.5-2.1+deb7u1_sparc.deb
Debian	8	powerpc	fuse-dbg	< 2.9.3-15+deb8u1	fuse-dbg_2.9.3-15+deb8u1_powerpc.deb