From 6f971f354c14a8948477a0936668b8baae8ec86e Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Mon, 13 Feb 2017 23:51:10 +0100 Subject: ntfs-3g: add security fix for CVE-2017-0358 Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write NTFS driver for FUSE does not not scrub the environment before executing modprobe to load the fuse module. This influence the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and --dirname options) potentially allowing for local root privilege escalation if ntfs-3g is installed setuid. Notice that Buildroot does NOT install netfs-3g setuid root, but custom permission tables might be used, causing it to vulnerable to the above. ntfs-3g does not seem to have a publicly available version control system and no new releases have been made, so instead grab the patch from Debian. Signed-off-by: Peter Korsgaard --- package/ntfs-3g/ntfs-3g.hash | 1 + package/ntfs-3g/ntfs-3g.mk | 1 + 2 files changed, 2 insertions(+) diff --git a/package/ntfs-3g/ntfs-3g.hash b/package/ntfs-3g/ntfs-3g.hash index 4875cc47b..eaa3d9871 100644 --- a/package/ntfs-3g/ntfs-3g.hash +++ b/package/ntfs-3g/ntfs-3g.hash @@ -1,2 +1,3 @@ # Locally calculated sha256 d7b72c05e4b3493e6095be789a760c9f5f2b141812d5b885f3190c98802f1ea0 ntfs-3g_ntfsprogs-2016.2.22.tgz +sha256 43deadaeade489934b0b45e2ed8aa5f853ad0364fbde7ad144211b80132ea041 0003-CVE-2017-0358.patch diff --git a/package/ntfs-3g/ntfs-3g.mk b/package/ntfs-3g/ntfs-3g.mk index b59e335bc..6e1a8f946 100644 --- a/package/ntfs-3g/ntfs-3g.mk +++ b/package/ntfs-3g/ntfs-3g.mk @@ -7,6 +7,7 @@ NTFS_3G_VERSION = 2016.2.22 NTFS_3G_SOURCE = ntfs-3g_ntfsprogs-$(NTFS_3G_VERSION).tgz NTFS_3G_SITE = http://tuxera.com/opensource +NTFS_3G_PATCH = https://sources.debian.net/data/main/n/ntfs-3g/1:2016.2.22AR.1-4/debian/patches/0003-CVE-2017-0358.patch NTFS_3G_CONF_OPTS = --disable-ldconfig NTFS_3G_INSTALL_STAGING = YES NTFS_3G_DEPENDENCIES = host-pkgconf -- cgit v1.2.3