Debian Linux Security Advisory 3268-2 - The patch applied for ntfs-3g to fix CVE-2015-3202 in DSA 3268-1 was incomplete. This update corrects that problem.
b7c69f8cfa29936d006258e0fcdb514c6417d0b4c458b336646174bb2c202b63
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3268-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 26, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : ntfs-3g
CVE ID : CVE-2015-3202
Debian Bug : 786475
The patch applied for ntfs-3g to fix CVE-2015-3202 in DSA 3268-1 was
incomplete. This update corrects that problem. For reference the
original advisory text follows.
Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for
FUSE, does not scrub the environment before executing mount or umount
with elevated privileges. A local user can take advantage of this flaw
to overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.
For the oldstable distribution (wheezy), this problem has been fixed in
version 1:2012.1.15AR.5-2.1+deb7u2. Note that this issue does not affect
the binary packages distributed in Debian in wheezy as ntfs-3g does not
use the embedded fuse-lite library.
For the stable distribution (jessie), this problem has been fixed in
version 1:2014.2.15AR.2-1+deb8u2.
For the unstable distribution (sid), this problem has been fixed in
version 1:2014.2.15AR.3-3.
We recommend that you upgrade your ntfs-3g packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVZM0HAAoJEAVMuPMTQ89EJggP/0zWLrGHeQuWaOanEo/zBdKq
R6Er4/Apz1tlduUYz7whFuZTM4jZYjo9G15laoZefB+4ntzmSiCZMp+9KuPf8oN5
90rOU6/Pw91e8BxEiTIQ+V9QLAwdu84NMuuNFxBnqSWg55q/FzBbup0pnz/rJupi
XvJkcSeEmx9rPOhHET/xMMu1jCDD+L/j14+ekcfyBx/Gvw8HxYiHHFMSoOvDIG17
1nU3BOu7CjOrvu4rsUpEYVUYIOSjq86SToZcBb8MJ2yPhNh+hqr76qx14REpPV2t
CYUCGb2nU0Vwix/IGsKzYUZJeFVjdNuNNWP0qxP2sF0EZWihYBCPYJstfdgbFAM5
XrYTS9O7MwMNn3D5Ac2Z0IPFr4/jq2JhzVSJ16/8ZOo6DY6xCjFy/ysErCkD+Qu6
DMNKvmT+Q3h3T+eEEKSpfcZFXT3peg0obATvsTGONn2so4OYGk0NT4V9Mybq+D3L
qbdB0DDsbjmG3csHchYeoPIy7wYuw2JChkViZAcolXtn4ClQdOhZxqDGRzYDrLcc
YnoWP4hvac9EFUs7NHZ+fYXUGCgc8F5oTqZ2DmPiMXg8f0tWBDWMnznumhc5skip
l9IqI4kmU+Ik7KsbHOaRpItgnup88Mpw5FxgWDxOQEUET6jtEwhZohRN4rMbyWep
iUKNmJ4HnoBJVgX3810+
=O+Kf
-----END PGP SIGNATURE-----