ports/contrib (3.2): [notify] ntfs-3g: CVE-2017-0358 modprobe influence vulnerability via environment variables

crux at crux.nu crux at crux.nu
Sun Feb 12 21:42:40 UTC 2017


commit bce7c9439f8c76c8b666196a4ca630121e36e4ef
Author: Danny Rawlins <monster.romster at gmail.com>
Date:   Mon Feb 13 08:41:45 2017 +1100

    [notify] ntfs-3g: CVE-2017-0358 modprobe influence vulnerability via environment variables

diff --git a/ntfs-3g/.md5sum b/ntfs-3g/.md5sum
index c117b48..1af6f1d 100644
--- a/ntfs-3g/.md5sum
+++ b/ntfs-3g/.md5sum
@@ -1 +1,2 @@
+0631dbc17722d13b1a6ce5427e064356  CVE-2017-0358.patch
 ccbe8672d0f757bd0c975b50aa4c512e  ntfs-3g_ntfsprogs-2016.2.22.tgz
diff --git a/ntfs-3g/CVE-2017-0358.patch b/ntfs-3g/CVE-2017-0358.patch
new file mode 100644
index 0000000..1e409d7
--- /dev/null
+++ b/ntfs-3g/CVE-2017-0358.patch
@@ -0,0 +1,38 @@
+http://seclists.org/oss-sec/2017/q1/259
+CVE-2017-0358 ntfs-3g: modprobe influence vulnerability via environment variables
+--- ntfs-3g/src/lowntfs-3g.c	2016-12-31 08:56:59.011749600 +0100
++++ ntfs-3g/src/lowntfs-3g.c	2017-01-05 14:41:52.041473700 +0100
+@@ -3827,13 +3827,14 @@
+ 	struct stat st;
+ 	pid_t pid;
+ 	const char *cmd = "/sbin/modprobe";
++	char *env = (char*)NULL;
+ 	struct timespec req = { 0, 100000000 };   /* 100 msec */
+ 	fuse_fstype fstype;
+         
+ 	if (!stat(cmd, &st) && !geteuid()) {
+ 		pid = fork();
+ 		if (!pid) {
+-			execl(cmd, cmd, "fuse", NULL);
++			execle(cmd, cmd, "fuse", NULL, &env);
+ 			_exit(1);
+ 		} else if (pid != -1)
+ 			waitpid(pid, NULL, 0);
+--- ntfs-3g/src/ntfs-3g.c	2017-02-04 23:30:23.825889593 +0100
++++ ntfs-3g/src/nfts-3g.c	2017-02-04 23:30:42.572542756 +0100
+@@ -3612,13 +3612,14 @@
+ 	struct stat st;
+ 	pid_t pid;
+ 	const char *cmd = "/sbin/modprobe";
++	char *env = (char*)NULL;
+ 	struct timespec req = { 0, 100000000 };   /* 100 msec */
+ 	fuse_fstype fstype;
+ 	
+ 	if (!stat(cmd, &st) && !geteuid()) {
+ 		pid = fork();
+ 		if (!pid) {
+-			execl(cmd, cmd, "fuse", NULL);
++			execle(cmd, cmd, "fuse", NULL, &env);
+ 			_exit(1);
+ 		} else if (pid != -1)
+ 			waitpid(pid, NULL, 0);
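Review bot: The second embedded file header names the new side `ntfs-3g/src/nfts-3g.c` while the old side is `ntfs-3g/src/ntfs-3g.c`; this looks like a typo, and whether the ntfs-3g.c half of the CVE-2017-0358 fix gets applied then depends on the patch tool falling back to the old-side name. Correcting the header to `+++ ntfs-3g/src/ntfs-3g.c` removes that dependency, and it is worth confirming after the build that both `src/ntfs-3g.c` and `src/lowntfs-3g.c` call `execle`. In both embedded hunks the argument-list terminator is passed to a variadic function as a bare `NULL`; `execle(cmd, cmd, "fuse", (char *)NULL, &env);` is the portable form. The enclosing function starts and ends outside both embedded hunks, so how a failed modprobe is handled cannot be judged from here.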
diff --git a/ntfs-3g/Pkgfile b/ntfs-3g/Pkgfile
index d80a384..268ad0d 100644
--- a/ntfs-3g/Pkgfile
+++ b/ntfs-3g/Pkgfile
@@ -1,17 +1,19 @@
 # Description: Freely available NTFS driver with read and write support.
-# URL: http://www.tuxera.com/community/ntfs-3g-download/
+# URL: https://www.tuxera.com/community/ntfs-3g-download/
 # Maintainer: Danny Rawlins, crux at romster dot me
-# Packager: Danny Rawlins, crux at romster dot me
 # Depends on: fuse
 
 name=ntfs-3g
 version=2016.2.22
-release=3
-source=(http://tuxera.com/opensource/ntfs-3g_ntfsprogs-$version.tgz)
+release=4
+source=(https://tuxera.com/opensource/ntfs-3g_ntfsprogs-$version.tgz
+	CVE-2017-0358.patch)
 
 build() {
 	cd ntfs-3g_ntfsprogs-$version
 
+	patch -p1 -i $SRC/CVE-2017-0358.patch
+
 	install -d $PKG/lib
 
 	./configure \


