Updated ntfs-3g packages fix security vulnerability
Publication date: 23 Oct 2022Modification date: 23 Oct 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2021-46790 , CVE-2022-30783 , CVE-2022-30784 , CVE-2022-30785 , CVE-2022-30786 , CVE-2022-30787 , CVE-2022-30788 , CVE-2022-30789
Description
ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow
involving buffer+512*3-2. (CVE-2021-46790)
An invalid return code in fuse_kern_mount enables intercepting of
libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G
through 2021.8.22 when using libfuse-lite. (CVE-2022-30783)
A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value
in NTFS-3G through 2021.8.22. (CVE-2022-30784)
A file handle created in fuse_lib_opendir, and later used in
fuse_lib_readdir, enables arbitrary memory read and write operations in
NTFS-3G through 2021.8.22 when using libfuse-lite. (CVE-2022-30785)
A crafted NTFS image can cause a heap-based buffer overflow in
ntfs_names_full_collate in NTFS-3G through 2021.8.22. (CVE-2022-30786)
An integer underflow in fuse_lib_readdir enables arbitrary memory read
operations in NTFS-3G through 2021.8.22 when using libfuse-lite.
(CVE-2022-30787)
A crafted NTFS image can cause a heap-based buffer overflow in
ntfs_mft_rec_alloc in NTFS-3G through 2021.8.22. (CVE-2022-30788)
A crafted NTFS image can cause a heap-based buffer overflow
in ntfs_check_log_client_array in NTFS-3G through 2021.8.22.
(CVE-2022-30789)
References
- https://bugs.mageia.org/show_bug.cgi?id=30479
- https://www.openwall.com/lists/oss-security/2022/05/26/1
- https://www.openwall.com/lists/oss-security/2022/05/26/2
- https://ubuntu.com/security/notices/USN-5452-1
- https://www.openwall.com/lists/oss-security/2022/06/07/4
- https://ubuntu.com/security/notices/USN-5463-1
- https://www.debian.org/security/2022/dsa-5160
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7JPX6OUCQKZX4PN5DQPVDUFZCOOZUX7Z/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CUCIRAD67WWT3IZWCVN25JFFBTDANX5J/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789
SRPMS
8/core
- ntfs-3g-2021.8.22-1.1.mga8