===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2015.1374.2
                         ntfs-3g security update
                               27 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ntfs-3g
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 7
Impact/Access:     Increased Privileges      -- Existing Account
                   Overwrite Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3202

Reference:         ESB-2015.1365

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3268

Revision History:  May 27 2015: The patch applied for ntfs-3g to fix
                                CVE-2015-3202 in DSA 3268-1 was incomplete
                   May 25 2015: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3268-2                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
May 26, 2015                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ntfs-3g
CVE ID         : CVE-2015-3202
Debian Bug     : 786475

The patch applied for ntfs-3g to fix CVE-2015-3202 in DSA 3268-1 was
incomplete. This update corrects that problem. For reference the
original advisory text follows.

Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for
FUSE, does not scrub the environment before executing mount or umount
with elevated privileges. A local user can take advantage of this flaw
to overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed in
version 1:2012.1.15AR.5-2.1+deb7u2. Note that this issue does not affect
the binary packages distributed in Debian in wheezy as ntfs-3g does not
use the embedded fuse-lite library.

For the stable distribution (jessie), this problem has been fixed in
version 1:2014.2.15AR.2-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 1:2014.2.15AR.3-3.

We recommend that you upgrade your ntfs-3g packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
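
Added example (not part of the bulletin and not the ntfs-3g or Debian patch): a C sketch of the environment scrubbing whose absence the advisory describes, in which a privileged program runs a helper with a fixed environment instead of the caller's. The name run_scrubbed, the contents of clean_env and the variable DEMO_DEBUG_OUTPUT are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment given to the helper (illustrative contents).
 * Nothing set by the invoking user is copied into it. */
static char *const clean_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "LANG=C",
    NULL
};

/* Hypothetical helper: run `path` with clean_env and return its exit
 * status, or -1 on error. Only absolute paths are accepted, so the
 * caller's PATH is never searched. */
int run_scrubbed(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() replaces the whole environment; execv()/execvp()
         * would pass the caller's variables straight through. */
        execve(path, argv, clean_env);
        _exit(127);                    /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed stand-in for a caller-controlled debugging variable. */
    setenv("DEMO_DEBUG_OUTPUT", "/tmp/constructed", 1);

    /* The child prints its environment: only PATH and LANG appear. */
    char *const argv[] = { "env", NULL };
    return run_scrubbed("/usr/bin/env", argv) == 0 ? 0 : 1;
}
```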