Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu Control: affects -1 + src:ntfs-3g
Hi RMs, [ Reason ] A use-after-free security issue was found. It is not a severe one, so no DSA will be released. But it would be good to have it fixed. [ Impact ] Almost nothing, as this bug is hard to trigger and would be challenging to exploit. [ Tests ] Only compilation is tested as I don't have systems where I can test its usage for this distribution. [ Risks ] The fix itself is also very straightforward and does not alter normal working in any way. [ Checklist ] [x] *all* changes are documents in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in bullseye [x] the issue is verified as fixed in unstable Thanks for considering, Laszlo/GCS
diff -Nru ntfs-3g-2022.10.3/debian/changelog ntfs-3g-2022.10.3/debian/changelog --- ntfs-3g-2022.10.3/debian/changelog 2022-10-31 15:14:06.000000000 +0100 +++ ntfs-3g-2022.10.3/debian/changelog 2024-06-23 14:34:22.000000000 +0200 @@ -1,3 +1,9 @@ +ntfs-3g (1:2022.10.3-1+deb12u1) bookworm; urgency=medium + + * Fix use-after-free in 'ntfs_uppercase_mbs' (CVE-2023-52890). + + -- Laszlo Boszormenyi (GCS) <g...@debian.org> Sun, 23 Jun 2024 14:34:22 +0200 + ntfs-3g (1:2022.10.3-1) unstable; urgency=high * New upstream release: diff -Nru ntfs-3g-2022.10.3/debian/patches/0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch ntfs-3g-2022.10.3/debian/patches/0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch --- ntfs-3g-2022.10.3/debian/patches/0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntfs-3g-2022.10.3/debian/patches/0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch 2024-06-23 13:59:41.000000000 +0200 @@ -0,0 +1,34 @@ +From 75dcdc2cf37478fad6c0e3427403d198b554951d Mon Sep 17 00:00:00 2001 +From: Erik Larsson <e...@tuxera.com> +Date: Tue, 13 Jun 2023 17:47:15 +0300 +Subject: [PATCH] unistr.c: Fix use-after-free in 'ntfs_uppercase_mbs'. + +If 'utf8_to_unicode' throws an error due to an invalid UTF-8 sequence, +then 'n' will be less than 0 and the loop will terminate without storing +anything in '*t'. After the loop the uppercase string's allocation is +freed, however after it is freed it is unconditionally accessed through +'*t', which points into the freed allocation, for the purpose of NULL- +terminating the string. This leads to a use-after-free. +Fixed by only NULL-terminating the string when no error has been thrown. + +Thanks for Jeffrey Bencteux for reporting this issue: +https://github.com/tuxera/ntfs-3g/issues/84 +--- + libntfs-3g/unistr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libntfs-3g/unistr.c b/libntfs-3g/unistr.c +index 5854b3b7..db8ddf42 100644 +--- a/libntfs-3g/unistr.c ++++ b/libntfs-3g/unistr.c +@@ -1189,8 +1189,9 @@ char *ntfs_uppercase_mbs(const char *low, + free(upp); + upp = (char*)NULL; + errno = EILSEQ; ++ } else { ++ *t = 0; + } +- *t = 0; + } + return (upp); + } diff -Nru ntfs-3g-2022.10.3/debian/patches/series ntfs-3g-2022.10.3/debian/patches/series --- ntfs-3g-2022.10.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ ntfs-3g-2022.10.3/debian/patches/series 2024-06-23 14:11:42.000000000 +0200 @@ -0,0 +1 @@ +0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch
