Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Hi Release Team,
Please unblock ntfs-3g 2016.2.22AR.1-4 as it fixes CVE-2017-0358.
The debdiff is attached for your convenience.
Thanks,
Laszlo/GCS
diff -Nru ntfs-3g-2016.2.22AR.1/debian/changelog ntfs-3g-2016.2.22AR.1/debian/changelog
--- ntfs-3g-2016.2.22AR.1/debian/changelog 2016-04-21 18:48:50.000000000 +0000
+++ ntfs-3g-2016.2.22AR.1/debian/changelog 2017-02-01 06:23:28.000000000 +0000
@@ -1,3 +1,10 @@
+ntfs-3g (1:2016.2.22AR.1-4) unstable; urgency=high
+
+ * Fix CVE-2017-0358: modprobe influence vulnerability via environment
+ variables.
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org> Wed, 01 Feb 2017 06:23:28 +0000
+
ntfs-3g (1:2016.2.22AR.1-3) unstable; urgency=low
* Really fix ELIBBAD errno on kFreeBSD (closes: #821838).
diff -Nru ntfs-3g-2016.2.22AR.1/debian/patches/0003-CVE-2017-0358.patch ntfs-3g-2016.2.22AR.1/debian/patches/0003-CVE-2017-0358.patch
--- ntfs-3g-2016.2.22AR.1/debian/patches/0003-CVE-2017-0358.patch 1970-01-01 00:00:00.000000000 +0000
+++ ntfs-3g-2016.2.22AR.1/debian/patches/0003-CVE-2017-0358.patch 2017-02-01 06:23:28.000000000 +0000
@@ -0,0 +1,36 @@
+--- ntfs-3g/src/lowntfs-3g.c.ref 2016-12-31 08:56:59.011749600 +0100
++++ ntfs-3g/src/lowntfs-3g.c 2017-01-05 14:41:52.041473700 +0100
+@@ -4291,13 +4291,14 @@
+ struct stat st;
+ pid_t pid;
+ const char *cmd = "/sbin/modprobe";
++ char *env = (char*)NULL;
+ struct timespec req = { 0, 100000000 }; /* 100 msec */
+ fuse_fstype fstype;
+
+ if (!stat(cmd, &st) && !geteuid()) {
+ pid = fork();
+ if (!pid) {
+- execl(cmd, cmd, "fuse", NULL);
++ execle(cmd, cmd, "fuse", NULL, &env);
+ _exit(1);
+ } else if (pid != -1)
+ waitpid(pid, NULL, 0);
+--- ntfs-3g/src/ntfs-3g.c.ref 2016-12-31 08:56:59.022518700 +0100
++++ ntfs-3g/src/ntfs-3g.c 2017-01-05 15:45:45.912499400 +0100
+@@ -3885,13 +3885,14 @@
+ struct stat st;
+ pid_t pid;
+ const char *cmd = "/sbin/modprobe";
++ char *env = (char*)NULL;
+ struct timespec req = { 0, 100000000 }; /* 100 msec */
+ fuse_fstype fstype;
+
+ if (!stat(cmd, &st) && !geteuid()) {
+ pid = fork();
+ if (!pid) {
+- execl(cmd, cmd, "fuse", NULL);
++ execle(cmd, cmd, "fuse", NULL, &env);
+ _exit(1);
+ } else if (pid != -1)
+ waitpid(pid, NULL, 0);
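Review bot: The added `execle(cmd, cmd, "fuse", NULL, &env);` call, identical in the lowntfs-3g.c and ntfs-3g.c hunks, has no comment explaining why the environment is emptied, and its argument-list terminator is a bare `NULL` in a variadic call. This one line is the whole security fix (the changelog describes modprobe being influenced through environment variables, and the guard shows it runs only with effective uid 0), so I would put `/* exec modprobe with an empty environment: caller-controlled variables must not reach it while we run as root */` above it. The call is better written as `execle(cmd, cmd, "fuse", (char *)NULL, &env);` so the sentinel is a pointer on every ABI. Declaring the environment as `char *const empty_env[] = { NULL };` would state the intent more directly than taking the address of a single null `char *`. The enclosing function starts and ends outside both inner hunks, so whether modprobe's exit status is checked after `waitpid(pid, NULL, 0)` cannot be seen here.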
diff -Nru ntfs-3g-2016.2.22AR.1/debian/patches/series ntfs-3g-2016.2.22AR.1/debian/patches/series
--- ntfs-3g-2016.2.22AR.1/debian/patches/series 2016-04-20 15:51:16.000000000 +0000
+++ ntfs-3g-2016.2.22AR.1/debian/patches/series 2017-02-01 06:23:28.000000000 +0000
@@ -1,2 +1,3 @@
0001-link-with-gpg-error.patch
0002-kFreeBSD_ELIBBAD.patch
+0003-CVE-2017-0358.patch