SUSE 5147 Published by

A ntfs-3g_ntfsprogs security update has been released for openSUSE Leap 15.3.



openSUSE-SU-2021:2971-1: important: Security update for ntfs-3g_ntfsprogs


openSUSE Security Update: Security update for ntfs-3g_ntfsprogs
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:2971-1
Rating: important
References: #1189720
Cross-References: CVE-2019-9755 CVE-2021-33285 CVE-2021-33286
CVE-2021-33287 CVE-2021-33289 CVE-2021-35266
CVE-2021-35267 CVE-2021-35268 CVE-2021-35269
CVE-2021-39251 CVE-2021-39252 CVE-2021-39253
CVE-2021-39255 CVE-2021-39256 CVE-2021-39257
CVE-2021-39258 CVE-2021-39259 CVE-2021-39260
CVE-2021-39261 CVE-2021-39262 CVE-2021-39263

CVSS scores:
CVE-2019-9755 (NVD) : 7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2019-9755 (SUSE): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________

An update that fixes 21 vulnerabilities is now available.

Description:

This update for ntfs-3g_ntfsprogs fixes the following issues:

Update to version 2021.8.22 (bsc#1189720):

* Fixed compile error when building with libfuse < 2.8.0
* Fixed obsolete macros in configure.ac
* Signalled support of UTIME_OMIT to external libfuse2
* Fixed an improper macro usage in ntfscp.c
* Updated the repository change in the README
* Fixed vulnerability threats caused by maliciously tampered NTFS
partitions
* Security fixes: CVE-2021-33285, CVE-2021-33286, CVE-2021-33287,
CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268,
CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253,
CVE_2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257,
CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261,
CVE-2021-39262, CVE-2021-39263.

- Library soversion is now 89

* Changes in version 2017.3.23
* Delegated processing of special reparse points to external plugins
* Allowed kernel cacheing by lowntfs-3g when not using Posix ACLs
* Enabled fallback to read-only mount when the volume is hibernated
* Made a full check for whether an extended attribute is allowed
* Moved secaudit and usermap to ntfsprogs (now ntfssecaudit and
ntfsusermap)
* Enabled encoding broken UTF-16 into broken UTF-8
* Autoconfigured selecting vs
* Allowed using the full library API on systems without extended
attributes support
* Fixed DISABLE_PLUGINS as the condition for not using plugins
* Corrected validation of multi sector transfer protected records
* Denied creating/removing files from $Extend
* Returned the size of locale encoded target as the size of symlinks

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2021-2971=1


Package List:

- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

libntfs-3g-devel-2021.8.22-3.8.1
libntfs-3g87-2021.8.22-3.8.1
libntfs-3g87-debuginfo-2021.8.22-3.8.1
ntfs-3g-2021.8.22-3.8.1
ntfs-3g-debuginfo-2021.8.22-3.8.1
ntfs-3g_ntfsprogs-debuginfo-2021.8.22-3.8.1
ntfs-3g_ntfsprogs-debugsource-2021.8.22-3.8.1
ntfsprogs-2021.8.22-3.8.1
ntfsprogs-debuginfo-2021.8.22-3.8.1
ntfsprogs-extra-2021.8.22-3.8.1
ntfsprogs-extra-debuginfo-2021.8.22-3.8.1

References:

  https://www.suse.com/security/cve/CVE-2019-9755.html
  https://www.suse.com/security/cve/CVE-2021-33285.html
  https://www.suse.com/security/cve/CVE-2021-33286.html
  https://www.suse.com/security/cve/CVE-2021-33287.html
  https://www.suse.com/security/cve/CVE-2021-33289.html
  https://www.suse.com/security/cve/CVE-2021-35266.html
  https://www.suse.com/security/cve/CVE-2021-35267.html
  https://www.suse.com/security/cve/CVE-2021-35268.html
  https://www.suse.com/security/cve/CVE-2021-35269.html
  https://www.suse.com/security/cve/CVE-2021-39251.html
  https://www.suse.com/security/cve/CVE-2021-39252.html
  https://www.suse.com/security/cve/CVE-2021-39253.html
  https://www.suse.com/security/cve/CVE-2021-39255.html
  https://www.suse.com/security/cve/CVE-2021-39256.html
  https://www.suse.com/security/cve/CVE-2021-39257.html
  https://www.suse.com/security/cve/CVE-2021-39258.html
  https://www.suse.com/security/cve/CVE-2021-39259.html
  https://www.suse.com/security/cve/CVE-2021-39260.html
  https://www.suse.com/security/cve/CVE-2021-39261.html
  https://www.suse.com/security/cve/CVE-2021-39262.html
  https://www.suse.com/security/cve/CVE-2021-39263.html
  https://bugzilla.suse.com/1189720