diff options
author | Repository QA checks <repo-qa-checks@gentoo.org> | 2017-02-19 12:22:33 +0000 |
---|---|---|
committer | Repository QA checks <repo-qa-checks@gentoo.org> | 2017-02-19 12:22:33 +0000 |
commit | ed547ca5505c44d7bcbaa79944165fab0200036f (patch) | |
tree | 5c8e313d371148c1ad268673c4eb105c4c1044f5 /metadata/glsa/glsa-201702-10.xml | |
parent | Merge updates from master (diff) | |
parent | Add GLSA 201702-10 (diff) | |
download | gentoo-ed547ca5505c44d7bcbaa79944165fab0200036f.tar.gz gentoo-ed547ca5505c44d7bcbaa79944165fab0200036f.tar.bz2 gentoo-ed547ca5505c44d7bcbaa79944165fab0200036f.zip |
Merge commit '339d7358de2d4ba24e576718c165414ed6e8b275'
Diffstat (limited to 'metadata/glsa/glsa-201702-10.xml')
-rw-r--r-- | metadata/glsa/glsa-201702-10.xml | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201702-10.xml b/metadata/glsa/glsa-201702-10.xml new file mode 100644 index 000000000000..fb897b8ac259 --- /dev/null +++ b/metadata/glsa/glsa-201702-10.xml @@ -0,0 +1,58 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-10"> + <title>NTFS-3G: Privilege escalation</title> + <synopsis>A vulnerability in NTFS-3G allows local users to gain root + privileges. + </synopsis> + <product type="ebuild">ntfs-3g</product> + <announced>2017-02-19</announced> + <revised>2017-02-19: 1</revised> + <bug>607912</bug> + <access>local</access> + <affected> + <package name="sys-fs/ntfs3g" auto="yes" arch="*"> + <unaffected range="ge">2016.2.22-r2</unaffected> + <vulnerable range="lt">2016.2.22-r2</vulnerable> + </package> + </affected> + <background> + <p>NTFS-3G is a stable, full-featured, read-write NTFS driver for various + operating systems. + </p> + </background> + <description> + <p>The NTFS-3G driver does not properly clear environment variables before + invoking mount or umount. + </p> + + <p>This flaw is similar to the vulnerability described in + “GLSA-201701-19” and “GLSA-201603-04” referenced below but is now + implemented in the NTFS-3G driver itself. + </p> + </description> + <impact type="normal"> + <p>A local user could gain root privileges.</p> + </impact> + <workaround> + <p>There is no known workaround at this time. However, on Gentoo when the + “suid” USE flag is not set (which is the default) an attacker cannot + exploit the flaw. + </p> + </workaround> + <resolution> + <p>All NTFS-3G users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/ntfs3g-2016.2.22-r2" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0358">CVE-2017-0358</uri> + <uri link="https://security.gentoo.org/glsa/201603-04">GLSA-201603-04</uri> + <uri link="https://security.gentoo.org/glsa/201701-19">GLSA-201701-19</uri> + </references> + <metadata tag="requester" timestamp="2017-02-04T11:49:00Z">whissi</metadata> + <metadata tag="submitter" timestamp="2017-02-19T12:03:15Z">whissi</metadata> +</glsa> |