https://bugzilla.redhat.com/show_bug.cgi?id=2093305
Bug ID: 2093305 Summary: CVE-2022-30783 ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: gsuckevi@redhat.com CC: ddepaula@redhat.com, epel-packagers-sig@lists.fedoraproject.org, jferlan@redhat.com, kparal@redhat.com, ngompa13@gmail.com, rjones@redhat.com, spotrh@gmail.com, virt-maint@redhat.com Target Milestone: --- Classification: Other
An invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through 2021.8.22 when using libfuse-lite.
References: https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-6mv4-4v73-xw58 https://github.com/tuxera/ntfs-3g/releases
https://bugzilla.redhat.com/show_bug.cgi?id=2093305
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |2093310, 2093309, 2093308, | |2093306, 2093307
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2093306 [Bug 2093306] CVE-2022-30783 ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2093307 [Bug 2093307] CVE-2022-30783 ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2093308 [Bug 2093308] CVE-2022-30783 ntfs-3g-system-compression: ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2093309 [Bug 2093309] CVE-2022-30783 ntfs2btrfs: ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2093310 [Bug 2093310] CVE-2022-30783 ntfs-3g-system-compression: ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2093305
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created ntfs-3g tracking bugs for this issue:
Affects: epel-all [bug 2093307] Affects: fedora-all [bug 2093306]
Created ntfs-3g-system-compression tracking bugs for this issue:
Affects: epel-all [bug 2093308] Affects: fedora-all [bug 2093310]
Created ntfs2btrfs tracking bugs for this issue:
Affects: fedora-all [bug 2093309]
https://bugzilla.redhat.com/show_bug.cgi?id=2093305
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2093356
https://bugzilla.redhat.com/show_bug.cgi?id=2093305 Bug 2093305 depends on bug 2093306, which changed state.
Bug 2093306 Summary: CVE-2022-30783 ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2093306
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=2093305 Bug 2093305 depends on bug 2093310, which changed state.
Bug 2093310 Summary: CVE-2022-30783 ntfs-3g-system-compression: ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2093310
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=2093305 Bug 2093305 depends on bug 2093307, which changed state.
Bug 2093307 Summary: CVE-2022-30783 ntfs-3g: invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2093307
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=2093305
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |ntfs-3g 2022.5.17
https://bugzilla.redhat.com/show_bug.cgi?id=2093305
--- Doc Text *updated* by Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- A vulnerability was found in NTFS-3G. An invalid return code in fuse_kern_mount allows libfuse-lite protocol traffic between NTFS-3G and the kernel to be intercepted.
epel-packagers-sig@lists.stg.fedoraproject.org