Bug 1199978 - (CVE-2022-30783) VUL-0: CVE-2022-30783,CVE-2022-30784,CVE-2022-30785,CVE-2022-30786,CVE-2022-30787,CVE-2022-30788,CVE-2022-30789: ntfs-3g_ntfsprogs: 2022.5.17 release
(CVE-2022-30783)
VUL-0: CVE-2022-30783,CVE-2022-30784,CVE-2022-30785,CVE-2022-30786,CVE-2022-3...
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Michael Gorse
Security Team bot
https://smash.suse.de/issue/333109/
CVSSv3.1:SUSE:CVE-2022-30783:6.7:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-05-27 12:11 UTC by Carlos López
Modified: 2022-08-17 19:16 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2022-05-27 12:11:33 UTC
Multiple security issues have been fixed in ntfs-3g version 2022.5.17:
 - CVE-2022-30783: An invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel when using libfuse-lite.
 - CVE-2022-30784: A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value.
 - CVE-2022-30785: A file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations when using libfuse-lite.
 - CVE-2022-30786: A crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate.
 - CVE-2022-30787: An integer underflow in fuse_lib_readdir enables arbitrary memory read operations when using libfuse-lite.
 - CVE-2022-30788: A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc.
 - CVE-2022-30789: A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array.

Patches:
https://github.com/tuxera/ntfs-3g/compare/2021.8.22...2022.5.17
Comment 1 Carlos López 2022-05-27 12:12:20 UTC
(In reply to Carlos López from comment #0)
> Patches:
> https://github.com/tuxera/ntfs-3g/compare/2021.8.22...2022.5.17

These should also fix CVE-2021-46790 (bsc#1199139)
Comment 3 OBSbugzilla Bot 2022-05-29 20:40:04 UTC
This is an autogenerated message for OBS integration:
This bug (1199978) was mentioned in
https://build.opensuse.org/request/show/979742 Factory / ntfs-3g_ntfsprogs
Comment 6 Swamp Workflow Management 2022-08-17 19:15:26 UTC
SUSE-SU-2022:2835-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1199978
CVE References: CVE-2021-46790,CVE-2022-30783,CVE-2022-30784,CVE-2022-30785,CVE-2022-30786,CVE-2022-30787,CVE-2022-30788,CVE-2022-30789
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ntfs-3g_ntfsprogs-2022.5.17-150000.3.11.1
openSUSE Leap 15.3 (src):    ntfs-3g_ntfsprogs-2022.5.17-150000.3.11.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    ntfs-3g_ntfsprogs-2022.5.17-150000.3.11.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    ntfs-3g_ntfsprogs-2022.5.17-150000.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-08-17 19:16:06 UTC
SUSE-SU-2022:2836-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1199978
CVE References: CVE-2021-46790,CVE-2022-30783,CVE-2022-30784,CVE-2022-30785,CVE-2022-30786,CVE-2022-30787,CVE-2022-30788,CVE-2022-30789
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    ntfs-3g_ntfsprogs-2022.5.17-5.12.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ntfs-3g_ntfsprogs-2022.5.17-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.