Your message dated Sat, 31 Aug 2024 12:30:55 +0100
with message-id 
<27c418b1a49ffc566f1b9635359e59f6a742be26.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 11.11
has caused the Debian Bug report #1074125,
regarding bullseye-pu: ntfs-3g/1:2017.3.23AR.3-4+deb11u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1074125: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074125
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Control: affects -1 + src:ntfs-3g

Hi RMs,

[ Reason ]
A use-after-free security issue was found. It is not a severe one, so
no DSA will be released. But it would be good to have it fixed.

[ Impact ]
Almost nothing, as this bug is hard to trigger and would be
challenging to exploit.

[ Tests ]
Only compilation is tested as I don't have systems where I can test
its usage for this distribution.

[ Risks ]
The fix itself is also very straightforward and does not alter normal
working in any way.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bullseye
  [x] the issue is verified as fixed in unstable

Thanks for considering,
Laszlo/GCS
diff -Nru ntfs-3g-2017.3.23AR.3/debian/changelog ntfs-3g-2017.3.23AR.3/debian/changelog
--- ntfs-3g-2017.3.23AR.3/debian/changelog	2022-11-02 22:46:28.000000000 +0100
+++ ntfs-3g-2017.3.23AR.3/debian/changelog	2024-06-23 14:34:20.000000000 +0200
@@ -1,3 +1,9 @@
+ntfs-3g (1:2017.3.23AR.3-4+deb11u4) bullseye; urgency=medium
+
+  * Fix use-after-free in 'ntfs_uppercase_mbs' (CVE-2023-52890).
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org>  Sun, 23 Jun 2024 14:34:20 +0200
+
 ntfs-3g (1:2017.3.23AR.3-4+deb11u3) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/0017-Fix_use-after-free_in_ntfs_uppercase_mbs.patch ntfs-3g-2017.3.23AR.3/debian/patches/0017-Fix_use-after-free_in_ntfs_uppercase_mbs.patch
--- ntfs-3g-2017.3.23AR.3/debian/patches/0017-Fix_use-after-free_in_ntfs_uppercase_mbs.patch	1970-01-01 01:00:00.000000000 +0100
+++ ntfs-3g-2017.3.23AR.3/debian/patches/0017-Fix_use-after-free_in_ntfs_uppercase_mbs.patch	2024-06-23 14:00:20.000000000 +0200
@@ -0,0 +1,34 @@
+From 75dcdc2cf37478fad6c0e3427403d198b554951d Mon Sep 17 00:00:00 2001
+From: Erik Larsson <e...@tuxera.com>
+Date: Tue, 13 Jun 2023 17:47:15 +0300
+Subject: [PATCH] unistr.c: Fix use-after-free in 'ntfs_uppercase_mbs'.
+
+If 'utf8_to_unicode' throws an error due to an invalid UTF-8 sequence,
+then 'n' will be less than 0 and the loop will terminate without storing
+anything in '*t'. After the loop the uppercase string's allocation is
+freed, however after it is freed it is unconditionally accessed through
+'*t', which points into the freed allocation, for the purpose of NULL-
+terminating the string. This leads to a use-after-free.
+Fixed by only NULL-terminating the string when no error has been thrown.
+
+Thanks for Jeffrey Bencteux for reporting this issue:
+https://github.com/tuxera/ntfs-3g/issues/84
+---
+ libntfs-3g/unistr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libntfs-3g/unistr.c b/libntfs-3g/unistr.c
+index 5854b3b7..db8ddf42 100644
+--- a/libntfs-3g/unistr.c
++++ b/libntfs-3g/unistr.c
+@@ -1189,8 +1189,9 @@ char *ntfs_uppercase_mbs(const char *low,
+ 			free(upp);
+ 			upp = (char*)NULL;
+ 			errno = EILSEQ;
++		} else {
++			*t = 0;
+ 		}
+-		*t = 0;
+ 	}
+ 	return (upp);
+ }
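Review bot: the hunk in libntfs-3g/unistr.c moves `*t = 0;` into the new `else` branch, so the terminator is written only when `upp` has not been freed, which matches the commit message and is the minimal fix. One point for the upload itself: the bug report says only compilation was tested, so the invalid-UTF-8 path that runs `free(upp); upp = (char*)NULL; errno = EILSEQ;` is not exercised anywhere; a build with the address sanitizer, or a valgrind run, calling ntfs_uppercase_mbs with a malformed byte sequence and checking that it returns NULL with errno set to EILSEQ would confirm the write through `t` no longer lands in freed memory. The patch file also carries only git-format-patch headers; a DEP-3 `Bug:` line pointing at https://github.com/tuxera/ntfs-3g/issues/84 (already cited in the body) would make its origin machine-readable.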
diff -Nru ntfs-3g-2017.3.23AR.3/debian/patches/series ntfs-3g-2017.3.23AR.3/debian/patches/series
--- ntfs-3g-2017.3.23AR.3/debian/patches/series	2022-11-02 22:46:28.000000000 +0100
+++ ntfs-3g-2017.3.23AR.3/debian/patches/series	2024-06-23 14:00:58.000000000 +0200
@@ -14,3 +14,4 @@
 0014-Hardened-the-checking-of-directory-offset-requested-.patch
 0015-Rejected-zero-sized-runs.patch
 0016-Avoided-merging-runlists-with-no-runs.patch
+0017-Fix_use-after-free_in_ntfs_uppercase_mbs.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final
bullseye 11.11 point release.

Regards,

Adam

--- End Message ---
