AOSA-2017-0027: Update NTFS-3G
March 4, 2017
Please update your ntfs-3g package to version 2016.2.22-1.
A security vulnerability, assigned CVE-2017-0358, was addressed in NTFS-3G.
*Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe to load the fuse module. This influences the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and --dirname options), potentially allowing for local root privilege escalation if ntfs-3g is installed setuid. This is the case for Debian, Ubuntu and probably Gentoo.*
Relevant documentation: