Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id 
<b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1074126,
regarding bookworm-pu: ntfs-3g/1:2022.10.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1074126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
Control: affects -1 + src:ntfs-3g

Hi RMs,

[ Reason ]
A use-after-free security issue was found. It is not a severe one, so
no DSA will be released. But it would be good to have it fixed.

[ Impact ]
Almost nothing, as this bug is hard to trigger and would be
challenging to exploit.

[ Tests ]
Only compilation is tested as I don't have systems where I can test
its usage for this distribution.

[ Risks ]
The fix itself is also very straightforward and does not alter normal
working in any way.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bullseye
  [x] the issue is verified as fixed in unstable

Thanks for considering,
Laszlo/GCS
diff -Nru ntfs-3g-2022.10.3/debian/changelog ntfs-3g-2022.10.3/debian/changelog
--- ntfs-3g-2022.10.3/debian/changelog	2022-10-31 15:14:06.000000000 +0100
+++ ntfs-3g-2022.10.3/debian/changelog	2024-06-23 14:34:22.000000000 +0200
@@ -1,3 +1,9 @@
+ntfs-3g (1:2022.10.3-1+deb12u1) bookworm; urgency=medium
+
+  * Fix use-after-free in 'ntfs_uppercase_mbs' (CVE-2023-52890).
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org>  Sun, 23 Jun 2024 14:34:22 +0200
+
 ntfs-3g (1:2022.10.3-1) unstable; urgency=high
 
   * New upstream release:
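Review bot: the new changelog entry names CVE-2023-52890 but gives no pointer to where the fix comes from; consider appending the upstream issue link (https://github.com/tuxera/ntfs-3g/issues/84) or the upstream commit id (75dcdc2cf37478fad6c0e3427403d198b554951d), both already present in the patch header, so the security tracker and a future maintainer can match this stable upload to its origin without opening the patch.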
diff -Nru ntfs-3g-2022.10.3/debian/patches/0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch ntfs-3g-2022.10.3/debian/patches/0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch
--- ntfs-3g-2022.10.3/debian/patches/0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch	1970-01-01 01:00:00.000000000 +0100
+++ ntfs-3g-2022.10.3/debian/patches/0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch	2024-06-23 13:59:41.000000000 +0200
@@ -0,0 +1,34 @@
+From 75dcdc2cf37478fad6c0e3427403d198b554951d Mon Sep 17 00:00:00 2001
+From: Erik Larsson <e...@tuxera.com>
+Date: Tue, 13 Jun 2023 17:47:15 +0300
+Subject: [PATCH] unistr.c: Fix use-after-free in 'ntfs_uppercase_mbs'.
+
+If 'utf8_to_unicode' throws an error due to an invalid UTF-8 sequence,
+then 'n' will be less than 0 and the loop will terminate without storing
+anything in '*t'. After the loop the uppercase string's allocation is
+freed, however after it is freed it is unconditionally accessed through
+'*t', which points into the freed allocation, for the purpose of NULL-
+terminating the string. This leads to a use-after-free.
+Fixed by only NULL-terminating the string when no error has been thrown.
+
+Thanks for Jeffrey Bencteux for reporting this issue:
+https://github.com/tuxera/ntfs-3g/issues/84
+---
+ libntfs-3g/unistr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libntfs-3g/unistr.c b/libntfs-3g/unistr.c
+index 5854b3b7..db8ddf42 100644
+--- a/libntfs-3g/unistr.c
++++ b/libntfs-3g/unistr.c
+@@ -1189,8 +1189,9 @@ char *ntfs_uppercase_mbs(const char *low,
+ 			free(upp);
+ 			upp = (char*)NULL;
+ 			errno = EILSEQ;
++		} else {
++			*t = 0;
+ 		}
+-		*t = 0;
+ 	}
+ 	return (upp);
+ }
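Review bot: the patch file carries only the git-format-patch headers and no DEP-3 `Origin:` or `Bug:` lines; adding `Origin: upstream, https://github.com/tuxera/ntfs-3g/commit/75dcdc2cf37478fad6c0e3427403d198b554951d` and `Bug: https://github.com/tuxera/ntfs-3g/issues/84` would make the provenance machine-readable. The change itself is sound as far as the visible context shows: `*t = 0;` moves into the `} else {` branch, so on the EILSEQ path the buffer freed by `free(upp);` is no longer written and the function returns the NULL `upp` with errno set. Since the cover note says only compilation was tested, a quick run of the error path (calling `ntfs_uppercase_mbs` on input containing an invalid UTF-8 sequence under AddressSanitizer and checking for a NULL return with errno == EILSEQ and no sanitizer report) would confirm the fix on this branch.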
diff -Nru ntfs-3g-2022.10.3/debian/patches/series ntfs-3g-2022.10.3/debian/patches/series
--- ntfs-3g-2022.10.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ ntfs-3g-2022.10.3/debian/patches/series	2024-06-23 14:11:42.000000000 +0200
@@ -0,0 +1 @@
+0001-Fix_use-after-free_in_ntfs_uppercase_mbs.patch

--- End Message ---
--- Begin Message ---
Source: release.debian.org
Version: 12.8

Hi,

Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.

Regards,

Adam

--- End Message ---
