<= Back

AOSA-2017-0027: Update NTFS-3G

March 4, 2017

Please update your ntfs-3g package to version 2016.2.22-1.

A security vulnerability assigned with CVE-2017-0358 was addressed in NTFS-3G.

*Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write NTFS driver for FUSE does not not scrub the environment before executing modprobe to load the fuse module. This influence the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and --dirname options) potentially allowing for local root privilege escalation if ntfs-3g is installed setuid. This is the case for Debian, Ubuntu and probably Gentoo. *

Relevant documentation:

Copyleft 2011–2024, Members of the Community   |   Site Language