commit bce7c9439f8c76c8b666196a4ca630121e36e4ef Author: Danny Rawlins <monster.romster@gmail.com> Date: Mon Feb 13 08:41:45 2017 +1100 [notify] ntfs-3g: CVE-2017-0358 modprobe influence vulnerability via environment variables diff --git a/ntfs-3g/.md5sum b/ntfs-3g/.md5sum index c117b48..1af6f1d 100644 --- a/ntfs-3g/.md5sum +++ b/ntfs-3g/.md5sum @@ -1 +1,2 @@ +0631dbc17722d13b1a6ce5427e064356 CVE-2017-0358.patch ccbe8672d0f757bd0c975b50aa4c512e ntfs-3g_ntfsprogs-2016.2.22.tgz diff --git a/ntfs-3g/CVE-2017-0358.patch b/ntfs-3g/CVE-2017-0358.patch new file mode 100644 index 0000000..1e409d7 --- /dev/null +++ b/ntfs-3g/CVE-2017-0358.patch @@ -0,0 +1,38 @@ +http://seclists.org/oss-sec/2017/q1/259 +CVE-2017-0358 ntfs-3g: modprobe influence vulnerability via environment variables +--- ntfs-3g/src/lowntfs-3g.c 2016-12-31 08:56:59.011749600 +0100 ++++ ntfs-3g/src/lowntfs-3g.c 2017-01-05 14:41:52.041473700 +0100 +@@ -3827,13 +3827,14 @@ + struct stat st; + pid_t pid; + const char *cmd = "/sbin/modprobe"; ++ char *env = (char*)NULL; + struct timespec req = { 0, 100000000 }; /* 100 msec */ + fuse_fstype fstype; + + if (!stat(cmd, &st) && !geteuid()) { + pid = fork(); + if (!pid) { +- execl(cmd, cmd, "fuse", NULL); ++ execle(cmd, cmd, "fuse", NULL, &env); + _exit(1); + } else if (pid != -1) + waitpid(pid, NULL, 0); +--- ntfs-3g/src/ntfs-3g.c 2017-02-04 23:30:23.825889593 +0100 ++++ ntfs-3g/src/nfts-3g.c 2017-02-04 23:30:42.572542756 +0100 +@@ -3612,13 +3612,14 @@ + struct stat st; + pid_t pid; + const char *cmd = "/sbin/modprobe"; ++ char *env = (char*)NULL; + struct timespec req = { 0, 100000000 }; /* 100 msec */ + fuse_fstype fstype; + + if (!stat(cmd, &st) && !geteuid()) { + pid = fork(); + if (!pid) { +- execl(cmd, cmd, "fuse", NULL); ++ execle(cmd, cmd, "fuse", NULL, &env); + _exit(1); + } else if (pid != -1) + waitpid(pid, NULL, 0); diff --git a/ntfs-3g/Pkgfile b/ntfs-3g/Pkgfile index d80a384..268ad0d 100644 --- a/ntfs-3g/Pkgfile +++ b/ntfs-3g/Pkgfile @@ -1,17 +1,19 @@ # Description: Freely available NTFS driver with read and write support. -# URL: http://www.tuxera.com/community/ntfs-3g-download/ +# URL: https://www.tuxera.com/community/ntfs-3g-download/ # Maintainer: Danny Rawlins, crux at romster dot me -# Packager: Danny Rawlins, crux at romster dot me # Depends on: fuse name=ntfs-3g version=2016.2.22 -release=3 -source=(http://tuxera.com/opensource/ntfs-3g_ntfsprogs-$version.tgz) +release=4 +source=(https://tuxera.com/opensource/ntfs-3g_ntfsprogs-$version.tgz + CVE-2017-0358.patch) build() { cd ntfs-3g_ntfsprogs-$version + patch -p1 -i $SRC/CVE-2017-0358.patch + install -d $PKG/lib ./configure \