-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3268-2                   security@xxxxxxxxxx
http://www.debian.org/security/                      Salvatore Bonaccorso
May 26, 2015                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ntfs-3g
CVE ID         : CVE-2015-3202
Debian Bug     : 786475

The patch applied for ntfs-3g to fix CVE-2015-3202 in DSA 3268-1 was
incomplete. This update corrects that problem. For reference the
original advisory text follows.

Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for
FUSE, does not scrub the environment before executing mount or umount
with elevated privileges. A local user can take advantage of this flaw
to overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed in
version 1:2012.1.15AR.5-2.1+deb7u2. Note that this issue does not affect
the binary packages distributed in Debian in wheezy as ntfs-3g does not
use the embedded fuse-lite library.

For the stable distribution (jessie), this problem has been fixed in
version 1:2014.2.15AR.2-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 1:2014.2.15AR.3-3.

We recommend that you upgrade your ntfs-3g packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
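
The flaw class described in this advisory is a privileged program handing the caller's environment to mount or umount. The C example below is added here as an illustration of scrubbing the environment before exec; it is not ntfs-3g or fuse code and not the patch shipped in this update. The allow-list, the fixed PATH, and the use of /bin/sh as a stand-in helper are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed allow-list of variables copied from the caller; PATH is never copied. */
static const char *const KEEP[] = { "LANG", "TZ" };
#define NKEEP (sizeof KEEP / sizeof KEEP[0])
#define FIXED_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"

/* Fill out[] with a fixed PATH plus allow-listed variables, NULL-terminated.
 * out needs NKEEP + 2 slots. Returns the number of entries before the NULL. */
size_t build_clean_env(char **out, char bufs[][256])
{
    size_t n = 0;
    out[n++] = (char *)FIXED_PATH;
    for (size_t i = 0; i < NKEEP; i++) {
        const char *v = getenv(KEEP[i]);
        if (v == NULL) continue;
        int len = snprintf(bufs[i], 256, "%s=%s", KEEP[i], v);
        if (len > 0 && len < 256) out[n++] = bufs[i]; /* drop oversized values */
    }
    out[n] = NULL;
    return n;
}

/* Run a helper with only the clean environment. Returns its exit status,
 * or -1 if it could not be started or did not exit normally. */
int run_helper_clean(const char *path, char *const argv[])
{
    char bufs[NKEEP][256];
    char *envp[NKEEP + 2];
    build_clean_env(envp, bufs);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp); /* absolute path; execve does no PATH search */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{   /* Stand-in helper: print the environment the child actually receives. */
    char *argv[] = { "sh", "-c", "env", NULL };
    return run_helper_clean("/bin/sh", argv);
}
```

Any variable outside the allow-list, including ones that switch on debugging or logging features in the helper, never reaches the child process.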