[Buildroot] [PATCH] ntfs-3g: add security fix for CVE-2017-0358

Peter Korsgaard peter at korsgaard.com
Tue Feb 14 10:18:27 UTC 2017


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
 > NTFS driver for FUSE does not scrub the environment before
 > executing modprobe to load the fuse module. This influences the behavior
 > of modprobe (MODPROBE_OPTIONS environment variable, --config and
 > --dirname options) potentially allowing for local root privilege
 > escalation if ntfs-3g is installed setuid.

 > Notice that Buildroot does NOT install ntfs-3g setuid root, but custom
 > permission tables might be used, causing it to be vulnerable to the above.

 > ntfs-3g does not seem to have a publicly available version control system
 > and no new releases have been made, so instead grab the patch from Debian.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
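
The hardening the commit message describes, scrubbing the environment before a privileged program executes a helper, shown as an added example (not code from the Debian patch, ntfs-3g or Buildroot). It assumes a POSIX system with /bin/sh, which stands in for modprobe as a constructed probe; all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fork and exec `path` with `envp`; return the child's exit code or -1. */
static int run_with_env(const char *path, char *const argv[], char *const envp[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Unsafe pattern: the helper inherits whatever the invoking user exported. */
int run_inherited(const char *path, char *const argv[])
{
    return run_with_env(path, argv, environ);
}

/* Hardened pattern: the helper sees only a fixed, minimal environment. */
int run_scrubbed(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    return run_with_env(path, argv, clean_env);
}

/* Constructed probe: returns 1 if the child can see MODPROBE_OPTIONS, else 0. */
int helper_sees_modprobe_options(int scrubbed)
{
    char *const argv[] = { "sh", "-c", "test -n \"$MODPROBE_OPTIONS\"", NULL };
    setenv("MODPROBE_OPTIONS", "constructed-value", 1); /* constructed sample value */
    return (scrubbed ? run_scrubbed("/bin/sh", argv)
                     : run_inherited("/bin/sh", argv)) == 0;
}

int main(void)
{
    printf("inherited: helper sees variable = %d\nscrubbed:  helper sees variable = %d\n",
           helper_sees_modprobe_options(0), helper_sees_modprobe_options(1));
    return 0;
}
```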


