|Category:||Debian Local Security Checks|
|Title:||Debian Security Advisory DSA 3268-1 (ntfs-3g - security update)|
|Summary:||Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing mount or umount with elevated privileges. A local user can take advantage of this flaw to overwrite arbitrary files and gain elevated privileges by accessing debugging features via the environment that would not normally be safe for unprivileged users.|
ntfs-3g on Debian Linux
For the oldstable distribution (wheezy), this problem has been fixed in
version 1:2012.1.15AR.5-2.1+deb7u1. Note that this issue does not affect
the binary packages distributed in Debian in wheezy as ntfs-3g does not
use the embedded fuse-lite library.
For the stable distribution (jessie), this problem has been fixed in
For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.
We recommend that you upgrade your ntfs-3g packages.
Common Vulnerability Exposure (CVE) ID: CVE-2015-3202
BugTraq ID: 74765
Debian Security Information: DSA-3266
Debian Security Information: DSA-3268
SuSE Security Announcement: openSUSE-SU-2015:0997
SuSE Security Announcement: openSUSE-SU-2015:1003
|Copyright||Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net|