[Buildroot] [PATCH] ntfs-3g: add security fix for CVE-2017-0358
Peter Korsgaard
peter at korsgaard.com
Tue Feb 14 10:18:27 UTC 2017
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
> NTFS driver for FUSE, does not scrub the environment before
> executing modprobe to load the fuse module. This influences the behavior
> of modprobe (MODPROBE_OPTIONS environment variable, --config and
> --dirname options) potentially allowing for local root privilege
> escalation if ntfs-3g is installed setuid.
> Notice that Buildroot does NOT install ntfs-3g setuid root, but custom
> permission tables might be used, causing it to be vulnerable to the above.
> ntfs-3g does not seem to have a publicly available version control system
> and no new releases have been made, so instead grab the patch from Debian.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
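
The issue described in the quoted commit message, as an added example that is not part of the original mail, the Debian patch or ntfs-3g itself: a privileged helper runs an external program through execve() with a fixed environment, so caller-set variables such as MODPROBE_OPTIONS are not inherited. The name run_scrubbed, the fixed PATH value and the /bin/sh probe are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed fixed environment for the child; nothing comes from the caller. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/*
 * Run the program at absolute path `path` with `argv` and only clean_env.
 * Returns the child's exit status (127 if exec failed), or -1 on error,
 * on a relative path, or if the child was killed by a signal.
 */
int run_scrubbed(const char *path, char *const argv[])
{
    pid_t pid;
    int status;

    if (path == NULL || path[0] != '/')   /* no PATH lookup for the binary */
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() replaces the environment wholesale, so variables set by
         * the invoking user (e.g. MODPROBE_OPTIONS) never reach the child. */
        execve(path, argv, clean_env);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed probe: the shell exits 0 only if the variable is unset. */
    char *const probe[] = { "sh", "-c", "[ -z \"${MODPROBE_OPTIONS+set}\" ]", NULL };

    setenv("MODPROBE_OPTIONS", "constructed-value", 1);
    printf("variable hidden from child: %s\n",
           run_scrubbed("/bin/sh", probe) == 0 ? "yes" : "no");
    return 0;
}
```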